Hello Alderon Industries,
Thank you for posting in the Q&A forum.
Here are some steps and considerations to help troubleshoot the issue:
- Verify the Minimum Password Age Setting
  • In most Active Directory environments, the default minimum password age is set to 1 day. If a user is forced to change their password immediately (with “User must change password at next logon” checked), the domain will still enforce this minimum age. That means the new password cannot be accepted until the minimum age period has expired.
  • To fix this, change the minimum password age to 0 days in your domain’s password policy (typically found under Domain Policy > Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy). Then run gpupdate /force to propagate the change.
- Check Other Password Policy Requirements
  • Password Complexity: Make sure the new password meets all complexity requirements.
  • Password History: Ensure the user isn’t unintentionally reusing a previous password that is blocked by the password history settings.
- Validate Delegated Permissions
  • You mentioned adding SELF permissions for password reset on the Security tab of AD Users and Computers. It’s important that the account has proper rights to change its own password. After the changes, confirm that no conflicting permissions or inheritance issues exist.
- Test via Different Methods
  • Try resetting the password using Active Directory Users and Computers (ADUC) as a temporary workaround.
  • If the change is successful via ADUC but not via the logon prompt, that further indicates a policy issue affecting interactive password changes.
- Check Replication & Logs
  • Although the domain controllers show no replication errors, double-check that the Group Policy change has replicated to all DCs. Check that AD replication is OK and that SYSVOL replication is also OK.
  • Review Event Viewer logs on both the client and the DC for any subtle messages related to password updates.
- Environment-Wide Issue
  • Since the issue happens for every account and on every machine, it’s almost certainly a domain-wide policy or configuration setting. Confirm that no other Group Policy Objects (GPOs) are overriding your intended settings.
I hope the information above is helpful.
If you have any questions or concerns, please feel free to let us know.
Best Regards,
Daisy Zhou
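The checks in the answer above, gathered into one read-only PowerShell function. This is an added example and not part of the original answer; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed on the machine you run it from, that the caller has read access to the domain, that the password settings live in the "Default Domain Policy" GPO (override with -GpoName if yours differ), and "jdoe" is a placeholder account name.

```powershell
# Added example, not code from the original answer. Assumes the RSAT ActiveDirectory and
# GroupPolicy modules are installed and the caller can read the domain and its GPOs.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-PasswordChangeDiagnostics {
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,
        # Assumption: the password policy is set in the default GPO; pass another name if not.
        [string]$GpoName = 'Default Domain Policy'
    )

    $domain = Get-ADDomain
    $user   = Get-ADUser -Identity $SamAccountName `
                -Properties pwdLastSet, PasswordLastSet, PasswordExpired, PasswordNeverExpires

    # Domain-wide policy as currently written to the domain head, i.e. what the DCs enforce
    # after the GPO change has replicated (minimum age, length, complexity, history).
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot

    # A fine-grained password policy (PSO) silently overrides the domain policy for the users
    # it targets; the cmdlet returns nothing when only the domain policy applies to this user.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user -ErrorAction SilentlyContinue
    $effective = if ($pso) { $pso } else { $domainPolicy }

    # Only GPOs linked at the domain root can set the domain password policy. Listing them in
    # precedence order makes a competing GPO (last point of the answer) visible.
    $rootLinks = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced

    # The GPO's AD version vs. its SYSVOL version: a mismatch means the SYSVOL side of the
    # change has not landed on the DC being queried, so clients may still read the old policy.
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    $sysvolInSync = $null
    if ($gpo) { $sysvolInSync = ($gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion) }

    # Replication failures recorded by any DC in the domain (AD replication health).
    $replFailures = Get-ADReplicationFailure -Scope Domain -Target $domain.DNSRoot `
                        -ErrorAction SilentlyContinue

    # pwdLastSet = 0 is how "User must change password at next logon" is stored.
    $mustChange = ($user.pwdLastSet -eq 0)
    $ageDays    = $null
    if ($user.PasswordLastSet) { $ageDays = ((Get-Date) - $user.PasswordLastSet).TotalDays }

    [PSCustomObject]@{
        User                    = $user.SamAccountName
        MustChangeAtNextLogon   = $mustChange
        PasswordLastSet         = $user.PasswordLastSet
        PasswordAgeDays         = $ageDays
        PolicySource            = if ($pso) { "PSO: $($pso.Name)" } else { 'Domain default' }
        MinPasswordAgeDays      = $effective.MinPasswordAge.TotalDays
        MinPasswordLength       = $effective.MinPasswordLength
        ComplexityEnabled       = $effective.ComplexityEnabled
        PasswordHistoryCount    = $effective.PasswordHistoryCount
        DomainRootGpoLinks      = $rootLinks
        GpoSysvolInSync         = $sysvolInSync
        ReplicationFailureCount = @($replFailures).Count
    }
}

# Usage ('jdoe' is a placeholder account name):
Get-PasswordChangeDiagnostics -SamAccountName 'jdoe' | Format-List
```

Read the output against the answer's points: a MinPasswordAgeDays above 0 together with a PasswordAgeDays below it is the first point; a PolicySource other than "Domain default" or a second root-linked GPO explains why an edited Default Domain Policy seems to have no effect; GpoSysvolInSync = False or a non-zero ReplicationFailureCount means the change simply has not reached the DC the client is talking to. One caveat on the suggested fix: a minimum password age of 0 lets a user cycle through PasswordHistoryCount changes in a row and return to the old password, so if you lower it, keep the history count at a realistic value.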