Interesting, I can't think of any policy that would force the pwdlastset to be zeroed when the password is changed.
The next step I would try to figure out what is causing this behaviour:
- Clear the User must change the password at logon check box
- Confirm the change has been saved by reopening the properties dialog.
- Confirm the value in the msDS-UserPasswordExpiryTimeComputed and if it's in the past
- Logon with the account to confirm that the current password is set
- Confirm the meta data of the user object and details of when and on which server the password was changed, you can use this page as a reference on how to get this information
- Use this page to get a before snapshot of the user object, enter the DN for the user for both left and right object and click compare
- Use ADUC to change the password
- In NetTools click on the compare again, to see what attributes have been changed
- Open the meta data dialog again and confirm, when and which server changed the value of the pwdlastset attribute, and is it different from the one that change the unicodepwd attribute
Let us know how you go.
Gary.