Changing Domain User password on demand not working

I helped an IT Admin change his password.
I went to the User in ADUC or AD Users and Computers tool on the DC and did this:

I reset the password with a random password and checked the box: The User must change the password at the next logon.
This did not change the password and the User wasn't prompted to change the password!

Next:
I reset the password with a known password and UNchecked the box: The User must change the password at the next logon.
This did change the password and the User wasn't prompted to change the password - just as expected.

Next:
The user tried to change his own password using ADUC and Access was Denied.

Does any of this ring a bell?
I did find this:
https://support.microsoft.com/en-us/help/832481/user-must-change-password-at-next-logon-check-box-is-unavailable
but it seems a somewhat different case.

Hello There, System Administrator
Distinguished Expert 2018
Commented:
It might be related to Network Level Authentication. Can you disable it on the affected computer just for testing purposes?

Can you also check the "Minimum password age" policy?
A lack of information provides a lack of a decent solution.
Commented:

Morning,


Firstly, are you in the same region? This is important due to replication of the password via the PDC Emulator.


Secondly, the user not being able to change his own password in ADUC can be down to the ACL on the OU.


I'd check your replication, I'd check the minimum password age as above and I'd also check the OU that the user is in and make sure he's with all the other admin accounts.


Regards

Alex
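
The checks suggested in the replies above (minimum password age, replication between DCs, whether the account is allowed to change its own password) can be run read-only from PowerShell. This is an added example, not part of the original thread; it assumes the RSAT ActiveDirectory module, and the account name `jdoe-adm` is a placeholder.

```powershell
# Added example: read-only checks for a password reset that "did not take".
# Assumptions: RSAT ActiveDirectory module is installed; $Sam is a placeholder.
Import-Module ActiveDirectory
$Sam = 'jdoe-adm'   # placeholder account name, not from the thread

# 1. Minimum password age: domain default, plus any fine-grained policy (PSO)
#    that overrides it for this user.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
$pso          = Get-ADUserResultantPasswordPolicy -Identity $Sam
$minAge       = if ($pso) { $pso.MinPasswordAge } else { $domainPolicy.MinPasswordAge }
$psoName      = if ($pso) { $pso.Name } else { 'none' }
"Effective minimum password age: $minAge (PSO: $psoName)"

# 2. Read the account from every DC. pwdLastSet = 0 means "User must change
#    password at next logon" is set; differing values between DCs mean the
#    reset has not replicated everywhere yet.
$props = 'pwdLastSet', 'PasswordNeverExpires', 'CannotChangePassword', 'whenChanged'
$perDc = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u   = Get-ADUser -Identity $Sam -Server $dc.HostName -Properties $props
        $set = if ($u.pwdLastSet -eq 0) { 'MUST CHANGE (0)' } else { [datetime]::FromFileTimeUtc($u.pwdLastSet) }
        [pscustomobject]@{
            DC                   = $dc.HostName
            PwdLastSet           = $set
            PasswordNeverExpires = $u.PasswordNeverExpires
            CannotChangePassword = $u.CannotChangePassword
            WhenChanged          = $u.whenChanged
        }
    } catch {
        # A DC that cannot be queried is itself a replication lead worth following.
        [pscustomobject]@{ DC = $dc.HostName; PwdLastSet = "query failed: $($_.Exception.Message)" }
    }
}
$perDc | Format-Table -AutoSize

# 3. Replication metadata on the PDC Emulator: which DC last wrote pwdLastSet,
#    when, and how many times the attribute has been written (Version).
$pdc = (Get-ADDomain).PDCEmulator
$dn  = (Get-ADUser -Identity $Sam -Server $pdc).DistinguishedName
Get-ADReplicationAttributeMetadata -Object $dn -Server $pdc -Properties pwdLastSet |
    Select-Object AttributeName, Version, LastOriginatingChangeTime,
                  LastOriginatingChangeDirectoryServerIdentity
```

If `Version` does not increase after a reset in ADUC, the write never reached the directory; if it does but the DCs disagree in step 2, the problem is replication rather than the reset itself.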

Author

Commented:
I will try to address the sense of the questions in the responses:
The domain User has some limited domain admin privileges and is in a User OU with others of that type.
I've forced replication.  We do try to limit immediate actions to the same DC when making the changes and testing them.
I don't see that there is an "affected computer"...
The minimum password age is "0".

Author

Commented:
Thanks!!  Even with the great guidance, I never did find the smoking gun.  We just "re-did" it and got the new password entered.