Hello,
we have an AD on a Windows Server 2012. Several users' passwords have now expired (!) and they are unable to connect to any server using their AD account. They all connect remotely using Windows Remote Desktop (RDP).
I then reset their passwords by right-clicking on their AD account and hitting "Reset Password". I leave "User must change password at next logon" checked!
When not doing so (leaving it unchecked), they are able to log in with the set password but unable to change it (maybe this is due to the minimum password age group policy. I set it to one day and reset one user yesterday, but he is still not able to change it; an error occurs saying the password does not meet the GPO, e.g. password restrictions. I am neglecting this point at the moment).
But when this option is checked (user must change pw), the users won't be able to connect to any server. It raises an authentication error.
I found the exact same problem here, but there was no solution provided:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28072013.html
I also read about ports which need to be opened, because ports may be opened for connecting, but only connected users will be able to change the pw; there must be additional ports opened for changing the password before logging in...
I am unsure about this and don't want to open ports which are not necessary.
I can remember that when we created those AD accounts and also checked "user must change pw...", it was working the first time. Now this problem occurs for accounts where the password has expired; that's the difference from before, I think.
I think there's another GPO which is affected by expired passwords, but I don't find one.
Any help would be appreciated, thanks!
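An added example, not part of the original post: a PowerShell script that lists the account attributes involved in this situation (whether "User must change password at next logon" is set, whether the password is expired, when it was last set), shows the domain password policy whose minimum age governs how soon a password may be changed again, and reads the Network Level Authentication (NLA) setting of an RDP host. NLA requires the client to authenticate with CredSSP before a logon session exists, so a connection to an NLA-only host offers no change-password dialog at that point; the script only reports the setting. The user names and the RDP host name are placeholders chosen for the example.

```powershell
# Added example (not from the original post).
# Requires the RSAT ActiveDirectory module and a domain account that can read user attributes.
Import-Module ActiveDirectory

# Placeholder SAM account names; replace with the affected users.
$users = 'jdoe', 'asmith'
# Placeholder RDP host to inspect; the registry read below needs admin rights on it.
$rdpHost = 'TS01'

# Report the password state of each account.
$report = foreach ($u in $users) {
    $acct = Get-ADUser -Identity $u -Properties pwdLastSet, PasswordExpired, PasswordLastSet,
        'msDS-UserPasswordExpiryTimeComputed', LockedOut, Enabled

    # msDS-UserPasswordExpiryTimeComputed is a FILETIME; 0 / Int64.MaxValue mean "never".
    $expiry = $acct.'msDS-UserPasswordExpiryTimeComputed'
    $expiresOn = if ($expiry -gt 0 -and $expiry -lt [Int64]::MaxValue) {
        [DateTime]::FromFileTime($expiry)
    } else { $null }

    [PSCustomObject]@{
        User              = $acct.SamAccountName
        Enabled           = $acct.Enabled
        LockedOut         = $acct.LockedOut
        # pwdLastSet = 0 is exactly what "User must change password at next logon" sets.
        MustChangeAtLogon = ($acct.pwdLastSet -eq 0)
        PasswordExpired   = $acct.PasswordExpired
        PasswordLastSet   = $acct.PasswordLastSet
        ExpiresOn         = $expiresOn
    }
}
$report | Format-Table -AutoSize

# All enabled accounts currently flagged "must change password at next logon".
Get-ADUser -Filter 'pwdLastSet -eq 0 -and Enabled -eq $true' |
    Select-Object SamAccountName, DistinguishedName

# Domain password policy: MinPasswordAge is the wait after a change before the
# next user-initiated change is allowed; complexity/length/history explain
# "password does not meet the policy requirements" rejections.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordAge, MaxPasswordAge, MinPasswordLength,
                  ComplexityEnabled, PasswordHistoryCount

# Fine-grained password policies (PSOs) override the default policy for their targets.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordAge, MaxPasswordAge, AppliesTo

# RDP host: UserAuthentication = 1 means NLA is required for every connection.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = Invoke-Command -ComputerName $rdpHost -ScriptBlock {
    (Get-ItemProperty -Path $using:key -Name UserAuthentication).UserAuthentication
}
[PSCustomObject]@{ Host = $rdpHost; NLARequired = ($nla -eq 1) } | Format-Table -AutoSize
```

Run it from a domain-joined admin workstation. The first table shows whether each affected account has pwdLastSet = 0 (the "must change at next logon" flag) or an expired password; the policy output shows the minimum age and complexity rules that a change attempt must satisfy; the last line shows whether the RDP host enforces NLA.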