Can't change password during logon

Alderon Industries 0 Reputation points
2025-02-03T21:52:08.9766667+00:00

I have "User must change password at next logon" enabled, but when the user tries to sign in and enters the old and new password, it gives the "user must change password" screen again and starts again.

There is no error that pops up. I looked at the domain controllers' logs in Server Manager and didn't see anything at the time I try to do it.

When I logged into the account and tried to reset the password through the SAS, it said the password could not be changed at this time. I figured out that that specific error was fixed when I went to the Security tab in AD Users and Computers and, under SELF, granted permission to reset password. This did not, however, fix the login issue.

This has happened on every account I try to do this on, including regular users as well as administrators, and also on every machine I try it on.

Domain controllers show no errors for replication and there are no conflicting GPOs.


1 answer

  1. Daisy Zhou 29,471 Reputation points Microsoft Vendor
    2025-02-04T08:50:27.83+00:00

    Hello Alderon Industries,

    Thank you for posting in the Q&A forum.

    Here are some steps and considerations to help troubleshoot the issue:

    1. Verify the Minimum Password Age Setting  

    • In most Active Directory environments, the default minimum password age is set to 1 day. If a user is forced to change their password immediately (with “User must change password at next logon” checked), the domain will still enforce this minimum age. That means the new password cannot be accepted until the minimum age period has expired.  

    • To fix this, change the minimum password age to 0 days in your domain’s password policy (typically found under Domain Policy > Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy).

    Then run gpupdate /force to propagate the change.

    2. Check Other Password Policy Requirements  

    • Password Complexity: Make sure the new password meets all complexity requirements.  

    • Password History: Ensure the user isn’t unintentionally reusing a previous password that is blocked by the password history settings.

    3. Validate Delegated Permissions  

    • You mentioned adding SELF permissions for password reset on the Security tab of AD Users and Computers. It’s important the account has proper rights to change its own password. After changes, confirm that no conflicting permissions or inheritance issues exist.

    4. Test via Different Methods  

    • Try resetting the password using Active Directory Users and Computers (ADUC) as a temporary workaround.  

    • If the change is successful via ADUC but not via the logon prompt, then it further indicates a policy issue affecting interactive password changes.

    5. Check Replication & Logs  

    • Although the domain controllers show no replication errors, double-check that the Group Policy change has replicated to all DCs. Check that AD replication is OK and that SYSVOL replication is also OK.

    • Review Event Viewer logs on both the client and DC for any subtle messages related to password updates.

    6. Environment-Wide Issue  

    • Since the issue happens for every account and on every machine, it’s almost certainly a domain-wide policy or configuration setting. Confirm that no other Group Policy Objects (GPOs) are overriding your intended settings.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
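
The account-state, password-policy and per-DC consistency checks from the answer above, collected into one read-only PowerShell script. This is an added example, not part of the original answer; it assumes the ActiveDirectory module (RSAT) is installed, that account-management auditing is enabled on the DCs, and `testuser` is a placeholder account name.

```powershell
# Added example; read-only. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory
$SamAccountName = 'testuser'   # hypothetical: an account that shows the logon loop

# Account state. pwdLastSet is 0 while "User must change password at next logon" is set.
Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, PasswordLastSet,
    CannotChangePassword, PasswordNeverExpires |
    Format-List SamAccountName, pwdLastSet, PasswordLastSet,
        CannotChangePassword, PasswordNeverExpires

# A fine-grained password policy (PSO), if one applies, takes precedence
# over the domain password policy for this user.
$pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
if ($pso) {
    Write-Output "Fine-grained policy in effect: $($pso.Name)"
    $pso | Format-List MinPasswordAge, MinPasswordLength, PasswordHistoryCount, ComplexityEnabled
} else {
    Write-Output 'No fine-grained policy applies; the domain policy is in effect.'
}

# Ask every DC for the domain policy so a value that has not replicated stands out.
$dcs = Get-ADDomainController -Filter *
$perDc = foreach ($dc in $dcs) {
    try {
        $p = Get-ADDefaultDomainPasswordPolicy -Server $dc.HostName -ErrorAction Stop
        [pscustomobject]@{
            DC             = $dc.HostName
            MinPasswordAge = $p.MinPasswordAge.ToString()
            History        = $p.PasswordHistoryCount
            Complexity     = $p.ComplexityEnabled
        }
    } catch {
        [pscustomobject]@{ DC = $dc.HostName; MinPasswordAge = 'query failed'
                           History = $null; Complexity = $null }
    }
}
$perDc | Format-Table -AutoSize
if (@($perDc.MinPasswordAge | Sort-Object -Unique).Count -gt 1) {
    Write-Warning 'Domain controllers disagree on MinPasswordAge; check AD and SYSVOL replication.'
}

# Password change (4723) and reset (4724) attempts logged in the last hour on each DC.
# Nothing is returned if account-management auditing is not enabled.
foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4723, 4724; StartTime = (Get-Date).AddHours(-1)
    } | Select-Object MachineName, TimeCreated, Id, KeywordsDisplayNames
}
```

Run it right after reproducing the failed change so the one-hour event window covers the attempt; `KeywordsDisplayNames` shows whether each event was an audit success or an audit failure.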

