SOLVED

Unable to change expired password


I am using Server Next Preview Build 26257. It is a domain controller. I only have the one AD account which I created to do the evaluation. The account password expired today. When I attempt to change it at login, I enter the new password twice as required and hit Enter, but it sends me back and says "The password for this account has expired" with an OK button.
If I try again I get the same result. If I purposely type a mismatch for the new PW it does acknowledge that.
Has anyone else seen this? I can't think of a workaround.

11 Replies
Your password has already expired. You should open "Active Directory Users and Computers" and check "Password never expires" on your user account. Then disconnect, connect with your new password, open "Active Directory Users and Computers" again and uncheck "Password never expires".
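The state checks and the "Password never expires" toggle described in that reply, as an added PowerShell example (not code from the thread). It assumes the ActiveDirectory module and a session that can still authenticate to the DC; the account name is a placeholder.

```powershell
# Added example, not from the thread. Inspect why the DC refuses the logon,
# then apply the reply's workaround (set PasswordNeverExpires, log on and
# change the password, clear the flag). 'evaluser' is a placeholder.
Import-Module ActiveDirectory

$User = 'evaluser'

# Attributes that explain a refused logon: expiry, must-change flag, lockout.
$Acct = Get-ADUser -Identity $User -Properties PasswordExpired, PasswordLastSet,
    PasswordNeverExpires, pwdLastSet, 'msDS-UserPasswordExpiryTimeComputed',
    LockedOut, Enabled

$expiryRaw = [long]$Acct.'msDS-UserPasswordExpiryTimeComputed'
$expiry = if ($expiryRaw -eq 0 -or $expiryRaw -eq [long]::MaxValue) {
    'never / not set'
} else {
    [DateTime]::FromFileTime($expiryRaw)
}

[pscustomobject]@{
    User                 = $Acct.SamAccountName
    Enabled              = $Acct.Enabled
    LockedOut            = $Acct.LockedOut
    PasswordExpired      = $Acct.PasswordExpired
    PasswordLastSet      = $Acct.PasswordLastSet
    MustChangeAtLogon    = ($Acct.pwdLastSet -eq 0)   # pwdLastSet = 0 means "must change"
    PasswordNeverExpires = $Acct.PasswordNeverExpires
    ExpiryTime           = $expiry
} | Format-List

# The reply's workaround: lift expiry, let the user log on and change the
# password, then put the policy back.
Set-ADUser -Identity $User -PasswordNeverExpires $true
# ... log on as $User and change the password ...
Set-ADUser -Identity $User -PasswordNeverExpires $false
```

Two caveats a practitioner would check first: the flag only lifts age-based expiry, so an account with pwdLastSet = 0 ("must change at next logon") is still refused; and, as the original poster notes, all of this needs a second account that can still log on.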
As I mentioned, this is just an evaluation and I only have that one account. I can't log on so I can't use the account to make any AD changes.
Since there's nothing to lose, I'm starting over with creating a new domain.

My main reason for posting is because this certainly looks like a bug in the newest Server Next version. Is there a better forum for posting bugs? I was thinking this forum covered it. Thanks.
best response confirmed by CSullivan55 (Copper Contributor)
Solution
Curiosity: Are you talking about the BUILTIN\Administrator, i.e. the S-1-5-21-DOMAINSID-500, or another account you created after that?

@Joachim_Otahal That's very helpful, so thanks for asking the question.
It's been years since I set up an AD domain from scratch. Apparently when I created this domain for evaluation, I had to set a password for the built-in Administrator account. By default the built-in Administrator's password doesn't expire, so I was able to log on with that account. As it turns out, that did give me a second account to use after all.
This solves my issue of not being able to log on, but more importantly this has got to be a bug. I used the Administrator account to reset the other DA account's PW, leaving the setting "User must change PW at logon". Essentially the same thing happened: I enter the PW, I get the message that I need to change the PW, but after doing so it simply repeats that I need to change the PW.
Using the Administrator account to reset the PW, unchecking the option to force change at logon, of course gets around that issue.
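The RID-500 lookup asked about above and the admin-side reset with and without "User must change password at next logon", as an added PowerShell example (not code from the thread). It assumes the ActiveDirectory module and a session running as an account that can still authenticate (here, the built-in Administrator); 'evaluser' is a placeholder.

```powershell
# Added example, not from the thread. Find the built-in Administrator by RID
# 500 (it may have been renamed), then reset another account's password with
# or without forcing a change at next logon, and verify the resulting state.
Import-Module ActiveDirectory

# S-1-5-21-<domain>-500 is the built-in Administrator regardless of its name.
$Domain  = Get-ADDomain
$Builtin = Get-ADUser -Identity "$($Domain.DomainSID)-500" -Properties PasswordNeverExpires
"Built-in admin is '{0}' (PasswordNeverExpires = {1})" -f $Builtin.SamAccountName, $Builtin.PasswordNeverExpires

$Target = 'evaluser'                                   # placeholder account
$NewPw  = Read-Host -AsSecureString 'New password for evaluser'

# Administrative reset (needs "Reset password" rights; no old password required).
Set-ADAccountPassword -Identity $Target -Reset -NewPassword $NewPw

# Pick one of the two variants below.
# Variant A: require a change at next logon (sets pwdLastSet = 0). In the
# thread this reproduced the "password has expired" loop on the affected build.
Set-ADUser -Identity $Target -ChangePasswordAtLogon $true

# Variant B: the workaround that let the poster log on.
Set-ADUser -Identity $Target -ChangePasswordAtLogon $false

# Verify before trying to log on: MustChangeAtLogon should match the variant chosen.
Get-ADUser -Identity $Target -Properties pwdLastSet, PasswordExpired, PasswordLastSet |
    Select-Object SamAccountName,
        @{ n = 'MustChangeAtLogon'; e = { $_.pwdLastSet -eq 0 } },
        PasswordExpired, PasswordLastSet
```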

Oh no, that is not a bug. That is documented. There are several recommendations to handle that account, like renaming and deactivation. But none of them recommends deleting that account, even though it is possible.
Thanks, but that's not what I meant.

The bug is that a password can't be changed after it expires or when it's reset by an admin with the requirement to change it at logon. This is specific to the Server 2025 preview. See the first paragraph in my original post. I'm posting here mainly to report it as a bug.

I just ran into this issue as well. DCs are Server 2025 build 26100.1150, with Server 2025 forest functional level.
  • Unable to change domain admin user's expired password (manually created account, not SID-500).
  • Attempting to change PW from a remote machine using Ctrl+Alt+Del / Change PW gives "password has expired" error message, password is not changed (from Windows 10 as well as from Windows 11 machines).
  • Logon attempt at DC's console yields the "password is expired and must be changed" prompt, followed by "password has expired" error without the password getting changed. Event ID 4625 gets logged.

Definitely a server-side DC issue, and anyone unlucky enough not to have another admin account at hand to reset the password is gonna have a bad time.
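The Event ID 4625 mentioned above carries a SubStatus field that says why the DC refused the logon, which separates "password expired" and "must change password" from a wrong password or a lockout. The following is an added PowerShell example (not code from the thread) that pulls recent 4625 events from the DC's Security log and decodes that field; the NTSTATUS values in the table are standard, and the DC name is a placeholder.

```powershell
# Added example, not from the thread. Decode the SubStatus of recent 4625
# (logon failure) events so an expired/must-change refusal is visible as such.
# Run on the DC, or point -ComputerName at it (placeholder 'DC01').
$SubStatusNames = @{
    '0xc000006a' = 'STATUS_WRONG_PASSWORD'
    '0xc0000071' = 'STATUS_PASSWORD_EXPIRED'
    '0xc0000224' = 'STATUS_PASSWORD_MUST_CHANGE'
    '0xc0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    '0xc0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xc0000064' = 'STATUS_NO_SUCH_USER'
}

function Get-LogonFailureReason {
    param(
        [int]$MaxEvents = 50,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents `
        -FilterHashtable @{ LogName = 'Security'; Id = 4625 } |
    ForEach-Object {
        # EventData is a list of <Data Name="..."> elements; flatten it to a table.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $sub = ([string]$d['SubStatus']).ToLower()
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType = $d['LogonType']
            Source    = $d['IpAddress']
            Status    = $d['Status']
            SubStatus = $sub
            Reason    = if ($SubStatusNames.ContainsKey($sub)) { $SubStatusNames[$sub] } else { 'other' }
        }
    }
}

# Only the refusals relevant to this thread.
Get-LogonFailureReason -ComputerName 'DC01' |
    Where-Object Reason -in 'STATUS_PASSWORD_EXPIRED', 'STATUS_PASSWORD_MUST_CHANGE' |
    Format-Table -AutoSize
```

A 4625 with STATUS_PASSWORD_EXPIRED or STATUS_PASSWORD_MUST_CHANGE logged immediately after the user submitted a new password at the prompt is the server-side trace of the loop described in this thread; a STATUS_WRONG_PASSWORD at the same moment would instead point at a client-side typo or a stale cached credential.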

On a PC or server connected to the network (does not have to be in that AD, but DNS should be pointing to that DC): Hit CTRL+ALT+DEL -> Change Password. In the topmost field, you can enter ANY account, but you should use the testuser@testdomain.local format and not NETBIOS, and then enter the old and new password.
If that is not working either, as in Matt K's case, it could be a bug.
Did you try username@domain.local or DOMAIN\SamAccountName in your "CTRL+ALT+DEL -> change PW" method? The latter often does not work, for example if the account is a member of "Protected Users" with "AdminCount 1".
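A scripted equivalent of the "CTRL+ALT+DEL -> Change Password" path from the two replies above, as an added PowerShell example (not code from the thread). It uses the ADSI WinNT provider's ChangePassword method, which is a user-side change (the old password proves identity, so no reset rights are needed) and can be run from any machine that can reach the DC. Assumptions: the DC name and account name are placeholders, and the WinNT path takes a NetBIOS domain or DC host name, not a UPN.

```powershell
# Added example, not from the thread. User-side password change via the
# ADSI WinNT provider, runnable from any session that can reach the DC.
# 'DC01' and 'evaluser' are placeholders.
function Invoke-SelfServicePasswordChange {
    param(
        [Parameter(Mandatory)] [string]$DomainController,   # NetBIOS domain or DC host name
        [Parameter(Mandatory)] [string]$SamAccountName,
        [Parameter(Mandatory)] [string]$OldPassword,
        [Parameter(Mandatory)] [string]$NewPassword
    )
    # WinNT paths use DOMAIN-or-host/user, not the UPN form.
    $user = [adsi]"WinNT://$DomainController/$SamAccountName,user"
    try {
        $user.ChangePassword($OldPassword, $NewPassword)
        Write-Host "Password changed for $SamAccountName"
        return $true
    } catch {
        # The DC's refusal (e.g. a "password has expired" style error) comes
        # back as a COM exception; surface the innermost message.
        $msg = if ($_.Exception.InnerException) { $_.Exception.InnerException.Message } else { $_.Exception.Message }
        Write-Warning ("ChangePassword failed for {0}: {1}" -f $SamAccountName, $msg)
        return $false
    }
}

# Prompt rather than embedding passwords in the script.
Invoke-SelfServicePasswordChange -DomainController 'DC01' -SamAccountName 'evaluser' `
    -OldPassword (Read-Host 'Old password') -NewPassword (Read-Host 'New password')
```

This exercises a different server-side change path (SAM-based, not the Kerberos kpasswd path used by the logon UI), so if it succeeds where the logon prompt loops, that narrows the problem to one path on the DC; if it also fails with an expiry error for an account that can still be changed by an admin reset, that is the same server-side symptom the thread reports.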

I did use the DOMAIN\SamAccountName format (both on a remote machine as well as on the DC's local console). However, I've done it this way before upgrading the domain to 2025 as well, and don't recall running into issues doing it this way (the account is not part of "Protected users").

Thanks Matt K for confirming the bug.

Just for fun I reset the account's PW again, leaving the option to require changing it at logon. I logged on using the format username@domain.local and got the same bad result. Once I removed the requirement to change the PW at logon, I could log on using that format with the new PW.