CSullivan55
Copper Contributor
Aug 02, 2024
Solved

Unable to change expired password

I am using Server Next Preview Build 26257. It is a domain controller. I only have the one AD account which I created to do the evaluation. The account password expired today. When I attempt to change it at login, I enter the new password twice as required and hit Enter, but it sends me back and says "The password for this account has expired" with an OK button.

If I try again I get the same result. If I purposely type a mismatch for the new PW it does acknowledge that.

Has anyone else seen this? I can't think of a workaround.

11 Replies

  • Matt K
    Copper Contributor

    I just ran into this issue as well. DCs are Server 2025 build 26100.1150, with Server 2025 forest functional level.

    • Unable to change domain admin user's expired password (manually created account, not SID-500).
    • Attempting to change PW from a remote machine using Ctrl+Alt+Del / Change PW gives "password has expired" error message, password is not changed (from Windows 10 as well as from Windows 11 machines).
    • Logon attempt at DC's console yields the "password is expired and must be changed" prompt, followed by "password has expired" error without the password getting changed. Event ID 4625 gets logged.

    Definitely a server-side DC issue, and anyone unlucky to not have another admin account at hand to reset the password is gonna have a bad time.

    • Joachim_Otahal
      Iron Contributor
      Did you try username@domain.local or DOMAIN\SamAccountName in your "CTRL+ALT+DEL -> change PW" method? The latter often does not work, for example if the account is a member of "Protected users" with "Admincount 1".
      • Matt K
        Copper Contributor

        I did use the DOMAIN\SamAccountName format (both on a remote machine as well as on the DC's local console). However, I've done it this way before upgrading the domain to 2025 as well, and don't recall running into issues doing it this way (the account is not part of "Protected users").

  • Your password has already expired. You should open "Active Directory Users and Computers" and check "Password never expires" on your user account. Then disconnect, connect with your new password, open "Active Directory Users and Computers" again and uncheck "Password never expires".
    • Charles_FS
      Copper Contributor
      As I mentioned, this is just an evaluation and I only have that one account. I can't log on so I can't use the account to make any AD changes.
      Since there's nothing to lose, I'm starting over with creating a new domain.

      My main reason for posting is because this certainly looks like a bug in the newest Server Next version. Is there a better forum for posting bugs? I was thinking this forum covered it. Thanks.
      • Joachim_Otahal
        Iron Contributor
        Curiosity: Are you talking about the BUILTIN\Administrator, i.e. the S-1-5-21-DOMAINSID-500, or another account you created after that?