
Server 2025 Domain Controllers and Password Expiration Loops: Users cannot successfully change password when prompted for expiration

Allquestions 1 Reputation point
2026-04-20T17:45:31.31+00:00

Environment information:

Two domain controllers: Server 2025 24H2 2610.1742

Tested replication by making changes to account expiration and verifying it syncs in both directions, and by placing a file in the SYSVOL volume and verifying it replicates.

Domain function level: 2016

Users are prompted to reset their password due to account expiration. When they enter a new password they receive a message that the account is expired, and the password does not change. I have verified that they are meeting all password complexity and length requirements and that Entra Password Management services are not installed. They do use Entra Sync to sync on-prem to Entra. The domain controller doesn't seem to show anything additional in terms of logging in the security log to help determine what the issue could be.

Windows for business | Windows Server | Directory services | Active Directory

3 answers

  1. Allquestions 1 Reputation point
    2026-04-21T13:01:59.7+00:00

    Hi, the Windows 11 computers are 10.0.26200

    The Windows 2025 servers are 2610.1742

    I have verified in Entra that the impacted users have the password policy DisablePasswordExpiration.



  2. Kate Pham (WICLOUD CORPORATION) 665 Reputation points Microsoft External Staff Moderator
    2026-04-21T01:57:13.29+00:00

    Hi,

    Thank you for reaching out to the Microsoft Q&A community!

    Based on the scenario described, there are several relevant issues and troubleshooting steps documented for Server 2025 Domain Controllers and password change failures:

    1. Incorrect Warning Messages on Password Change Attempts

    After introducing Windows Server 2025 Domain Controllers (DCs), users may receive incorrect warning messages when attempting to change their password, even if they meet length, complexity, and history requirements. The observed messages can include:

    • "The password on this account cannot be changed at this time."
    • "The user's password must be changed before signing in."

    These messages are generated when the password change attempt hits a Windows Server 2025 DC. The expected message (seen on pre-2025 DCs) should indicate that the password does not meet requirements, but the new DCs may not display this correctly due to differences in how the KPASSWD response is handled.

    Build Version Impact

    • If the build version of the Server 2025 DC is older than 8B.2024, the incorrect message is generated.
    • If the build version is between 8B.2024 and 8D.2025, the same issue persists.
    • The issue is resolved with the 5D.2025 update, which is shipped as DisabledByDefault, and is enabled by default starting with the 8D.2025 update. If your DCs are not at least at build 8D.2025, you may still encounter this problem.


    2. Windows 11 22H2 and 23H2 Clients: Secure Channel and Password Change Failures

    If you have Windows 11 22H2 or 23H2 clients, there is a known issue where password changes fail when serviced by Server 2025 DCs. The computer account password is changed locally but not for the Active Directory object, causing trust relationship failures. This can be reproduced by running nltest /sc_change_pwd: while the secure channel points to a 2025 DC. This issue does not occur on Windows 11 24H2.

    Workaround: Enable the policy “Disable machine account password changes” to prevent machines from automatically changing their passwords until a fix is applied. Refer to internal KB5054623 for more details and monitor for OS updates addressing this issue.


    3. Password Expiration and Entra Sync

    If Entra Password Management services are not installed but Entra Sync is used, ensure that password policies are not being enforced from the cloud. If the CloudPasswordPolicyForPasswordSyncedUsersEnabled flag is set to True and no domain-level password validity policy is configured, the system defaults to a 90-day password expiration period. This can cause unexpected password expiration prompts. To override this, explicitly configure a password policy at the domain level using Microsoft Graph PowerShell.


    4. Self-Service Password Reset Policies

    If you want to set passwords to never expire or to expire, use the following PowerShell commands:

    • To set a password to never expire:
      Update-MgUser -UserId <user ID> -PasswordPolicies DisablePasswordExpiration
    • To set a password to expire:
      Update-MgUser -UserId <user ID> -PasswordPolicies None

    Note: Passwords set to never expire still age based on the LastPasswordChangeDateTime attribute. If you change the expiration to None, all passwords older than 90 days require the user to change them the next time they sign in.


    Summary of Troubleshooting Steps:

    1. Check the build version of your Server 2025 DCs and ensure they are updated to at least 8D.2025 to resolve incorrect password change messages.
    2. If you have Windows 11 22H2 or 23H2 clients, consider enabling “Disable machine account password changes” as a workaround for secure channel issues.
    3. Verify domain-level password policies, especially if using Entra Sync, and configure explicit policies if needed.
    4. Use PowerShell commands to manage password expiration settings for users.

    I would appreciate it if you could "Accept the Answer" if you find my response helpful 😊

    T&R,

    Kate.

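The troubleshooting steps in the answer above (DC build inventory, on-prem versus cloud expiry source, and the user's Entra PasswordPolicies) carried out as one script. This is an added example, not code from the thread or from Microsoft. It assumes the RSAT ActiveDirectory module on the admin host, the Microsoft.Graph.Users and Microsoft.Graph.Identity.DirectoryManagement modules, an existing Connect-MgGraph session with User.Read.All and OnPremDirectorySynchronization.Read.All, and WinRM access to the DCs; the -SamAccountName and -CloudDefaultExpiryDays parameters and the property names on the Graph onPremisesDirectorySynchronization object are this example's own choices, and the 90-day default is the figure the answer cites.

```powershell
# Added example (not from the thread): find where a synced user's password
# expiry is coming from, and record which DC builds are in play.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [int] $CloudDefaultExpiryDays = 90   # cloud default cited in the answer; assumed here
)

Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement

# --- Step 1: OS build and UBR of every DC (the answer keys the fix to monthly updates) ---
# Server 2025 RTM is build 26100; UBR is the ".NNNN" part of the full build string.
$dcBuilds = foreach ($dc in (Get-ADDomainController -Filter * | Sort-Object HostName)) {
    try {
        $cv = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' |
                Select-Object CurrentBuildNumber, UBR, DisplayVersion
        }
        [pscustomobject]@{
            DC           = $dc.HostName
            OS           = $dc.OperatingSystem
            Build        = "$($cv.CurrentBuildNumber).$($cv.UBR)"
            IsServer2025 = (($cv.CurrentBuildNumber -as [int]) -ge 26100)
        }
    } catch {
        [pscustomobject]@{ DC = $dc.HostName; OS = $dc.OperatingSystem
                           Build = "unreachable: $($_.Exception.Message)"; IsServer2025 = $null }
    }
}

# --- Step 3a: on-prem side. pwdLastSet = 0 means "must change at next logon";
# msDS-UserPasswordExpiryTimeComputed = Int64.MaxValue means "never expires". ---
$props = @('pwdLastSet', 'PasswordNeverExpires', 'PasswordExpired',
           'UserPrincipalName', 'msDS-UserPasswordExpiryTimeComputed')
$user = Get-ADUser -Identity $SamAccountName -Properties $props
# A fine-grained policy (FGPP) overrides the domain default when one applies to the user.
$fgpp = Get-ADUserResultantPasswordPolicy -Identity $user -ErrorAction SilentlyContinue
$effective = if ($fgpp) { $fgpp } else { Get-ADDefaultDomainPasswordPolicy }
$expiryRaw = $user.'msDS-UserPasswordExpiryTimeComputed'
$onPremExpiry = if ($expiryRaw -and $expiryRaw -lt [DateTime]::MaxValue.ToFileTime()) {
    [DateTime]::FromFileTime($expiryRaw)
} else { $null }

# --- Step 3b/4: Entra side. If the cloud policy for synced users is on and the user is
# not DisablePasswordExpiration, the cloud ages the password from LastPasswordChangeDateTime. ---
$mg = Get-MgUser -UserId $user.UserPrincipalName -Property Id, UserPrincipalName,
      PasswordPolicies, LastPasswordChangeDateTime, OnPremisesSyncEnabled
$sync = Get-MgDirectoryOnPremiseSynchronization | Select-Object -First 1
$cloudPolicyOn     = [bool]$sync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled
$cloudNeverExpires = [bool]($mg.PasswordPolicies -match 'DisablePasswordExpiration')
$cloudExpiry = if ($cloudPolicyOn -and -not $cloudNeverExpires -and $mg.LastPasswordChangeDateTime) {
    $mg.LastPasswordChangeDateTime.AddDays($CloudDefaultExpiryDays)
} else { $null }

# --- Verdict: which side is actually flagging the password as expired ---
$now = Get-Date
$verdict = if ($user.pwdLastSet -eq 0) {
    'On-prem: user is flagged "must change password at next logon" (pwdLastSet = 0)'
} elseif ($onPremExpiry -and $onPremExpiry -le $now) {
    "On-prem: expired under effective policy (MaxPasswordAge $($effective.MaxPasswordAge))"
} elseif ($cloudExpiry -and $cloudExpiry -le $now) {
    "Entra: cloud policy for synced users is on and the password is older than $CloudDefaultExpiryDays days"
} else {
    'Neither side reports the password as expired; check the DC build list (step 1) and KPASSWD handling'
}

$dcBuilds | Format-Table -AutoSize
[pscustomobject]@{
    User                      = $user.UserPrincipalName
    OnPremPwdLastSet          = if ($user.pwdLastSet) { [DateTime]::FromFileTime($user.pwdLastSet) } else { $null }
    OnPremPasswordNeverExpires = $user.PasswordNeverExpires
    OnPremPasswordExpired     = $user.PasswordExpired
    OnPremExpiry              = $onPremExpiry
    CloudPolicyForSyncedUsers = $cloudPolicyOn
    CloudPasswordPolicies     = $mg.PasswordPolicies
    CloudLastPasswordChange   = $mg.LastPasswordChangeDateTime
    CloudExpiry               = $cloudExpiry
    Verdict                   = $verdict
}
```

Run it as `.\Find-PasswordExpirySource.ps1 -SamAccountName jdoe` from a host that can reach the DCs over WinRM. Two readings matter for this thread: a user who shows OnPremExpiry in the future but CloudExpiry in the past is being expired by the cloud default the answer describes, while a user who shows pwdLastSet = 0 or an OnPremPasswordExpired of True on DCs whose Build is below the update the answer names is the case where the change attempt itself is failing at the DC rather than the policy being wrong.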


  3. Allquestions 1 Reputation point
    2026-04-20T18:06:10.99+00:00

    I looked at the AI-provided guesses, but they were not correct or relevant.


