AD user password change on next logon not working properly

Md. Shaharear Shakib 0 Reputation points
2025-05-28T04:47:02.1733333+00:00

I have a domain controller with around 1200 users. The problem is that when I reset a user's password and check the "Password change on next log on" checkbox, it should prompt the user to change the password at the next logon. But I don't get any option like that when logging in to the workstation, and I cannot log in with the new password. It takes the old password to log in. Moreover, when resetting the password, if I check the "password change on next log on" option and also check the "unlock this account" option, then I can log in with the new password, but the password change prompt still does not come up.

Windows for business | Windows Server | User experience | Other

1 answer

  1. Chen Tran 955 Reputation points Independent Advisor
    2025-05-28T10:43:48.0066667+00:00

    Hello Shaharear,

    Thank you for posting question on Microsoft Windows forum!
    
    Based on your issue description, it sounds like there might be an issue with how your domain controller is handling the "Password change at next logon" policy. Basically, when you check the **User must change password at next logon** setting, Active Directory sets the pwdLastSet attribute for the user to 0. This value tells the system that the user's password has not been set (or has been reset by an administrator) and therefore requires a change on the next login. When a user with pwdLastSet=0 attempts to log in, Windows should present a prompt for them to immediately change their password. The following are a few potential troubleshooting steps to see if they help resolve the issue.
    

    1. Check Minimum Password Age:

    • Go to Group Policy Management Console.
    • Edit the Default Domain Policy (or the relevant GPO applying to your users).
    • Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy.
    • Ensure "Minimum password age" is set to 0 days. This allows immediate password changes. If you change this, you will need to run `gpupdate /force` on your domain controllers and on client machines, and wait for replication.

    2. Force Replication:

    • On your Domain Controllers, open an elevated PowerShell or Command Prompt and run `repadmin /syncall /APeD`.
    • Then, on the workstation where the user is trying to log in, run `gpupdate /force`, or have the user log off and log back in (or reboot).

    3. Verify pwdLastSet Attribute:

    • In Active Directory Users and Computers, enable Advanced Features (View menu).
    • Go to the user's properties, then the Attribute Editor tab. Find the pwdLastSet attribute. After resetting the password and checking User must change password at next logon, this value should be 0. If it's not, there's an issue with the ADUC snap-in or the underlying AD update.

    4. Test with a New User/Different Workstation:

    • Create a brand new test user account.
    • Reset its password and check User must change password at next logon.
    • Try logging in on a different workstation. This helps determine if the issue is user-specific, workstation-specific, or domain-wide.

    5. Examine Event Logs:

    • On the domain controller(s) and the workstation, check the Security Event Logs (Event Viewer -> Windows Logs -> Security) for any errors related to account logon, password changes, or Kerberos. Look for Event IDs like 4625 (failed logon), 4723 (password change attempt), and 4724 (password reset by admin).

    6. Consider Fine-Grained Password Policies (FGPP):

    • If you're using FGPPs, ensure that no FGPP is overriding the "Minimum password age" or other relevant settings for the affected users. FGPPs have higher precedence than the domain-wide password policy.

    Hope the above information is helpful!
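The checks from steps 1, 2, 3, 5 and 6 of the answer above, collected into one PowerShell script (an added example, not part of the original answer). It assumes the ActiveDirectory RSAT module is available and is run from an elevated session on a domain controller; the user name is passed as a parameter, and "jdoe" in the usage comment is a constructed placeholder.

```powershell
# Added example: diagnose "User must change password at next logon" not prompting.
# Usage: .\Check-ChangeAtNextLogon.ps1 -SamAccountName jdoe   (jdoe is a placeholder)
param([Parameter(Mandatory)][string]$SamAccountName)

Import-Module ActiveDirectory

# Step 3 of the answer: pwdLastSet must be 0 for the prompt to appear.
$user = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, PasswordExpired, LockedOut
if ($user.pwdLastSet -eq 0) {
    "pwdLastSet is 0: change-at-next-logon flag IS set on this DC."
} else {
    $last = [DateTime]::FromFileTime($user.pwdLastSet)
    "pwdLastSet is $last : change-at-next-logon flag is NOT set on this DC."
}
"PasswordExpired: $($user.PasswordExpired)  LockedOut: $($user.LockedOut)"

# Steps 1 and 6: the effective policy is the FGPP if one applies, else the domain default.
$fgpp = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
if ($fgpp) {
    $policy = $fgpp; $policyName = "FGPP '$($fgpp.Name)'"
} else {
    $policy = Get-ADDefaultDomainPasswordPolicy; $policyName = "Default Domain Policy"
}
"Effective policy: $policyName  MinPasswordAge: $($policy.MinPasswordAge)"
if ($policy.MinPasswordAge -gt [TimeSpan]::Zero) {
    "WARNING: minimum password age is greater than 0; a forced change may be refused."
}

# Step 2: compare pwdLastSet on every DC to spot a replication lag for this attribute.
"pwdLastSet as seen by each domain controller:"
Get-ADDomainController -Filter * | ForEach-Object {
    $u = Get-ADUser -Identity $SamAccountName -Server $_.HostName -Properties pwdLastSet
    [pscustomobject]@{ DC = $_.HostName; pwdLastSet = $u.pwdLastSet }
} | Format-Table -AutoSize

# Step 5: recent reset (4724), change (4723) and failed-logon (4625) events for this user on this DC.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4723, 4724 } -MaxEvents 50 |
    Where-Object { $_.Message -match [regex]::Escape($SamAccountName) } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

If the per-DC table shows 0 on some controllers and a non-zero value on others, the reset has not replicated yet and the workstation is likely authenticating against a DC that still holds the old state.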

