Have been battling this issue for over a year now, here is my setup
i have mac AD users, their macbooks are joined to AD with a software called Centrify, every 90 Days our AD users need to reset their passwords. the Centrify app prompts them to reset their AD password however when they enter their old and new password the Centrify app prompts them that they have not reach their complexity requirements require for their password. Now AD actually takes the password but the user thinks it does not and now the user cannot login to their macbook
the workaround for me is to remove the user from the domain then re-add the macbook
any ideas what this could be.