The “User must change password at next logon” option is enabled automatically

Last review: Jan 01, 2013

When a user attempts to reset a password and fails to provide one that complies with the password policy, the “User must change password at next logon” option is automatically enabled for this user.

Due to the way it works, Netwrix Password Manager cannot reset a password directly to a new value, because that procedure requires the user’s current password, which the software does not know. Therefore, Password Manager first resets the password to a random one and only after that changes it to the new value. This two-step procedure is required because the security policies apply only during a password change, not during a password reset. As a result, some password policies, for example password history, cannot be enforced on a reset operation.

The issue is replicated with the following scenario:

1. The “Use AD password policy settings” option is enabled in the Admin portal -> Domains -> Edit Managed Domain.
2. A user performs a password reset. In Password Manager this is a three-step procedure:
– the password is reset to a random value;
– the new password is checked for AD password policy compliance;
– if the new password does not pass the check, the password stays random and the “User must change password at next logon” option is enabled automatically.

3. The user fails to provide a password that complies with the password policy. As described in the previous step, the user’s old password is no longer valid (it was reset to a random value) and the new password was not applied.
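The following PowerShell script is an added example that is not part of this article and not Netwrix code; Password Manager’s own implementation is not shown on this page. It reproduces the two-step sequence the scenario above describes with the standard ActiveDirectory module (an administrative reset to a random value, then a change to the requested value), so that you can see where the domain policy is actually enforced and what state an account is left in when the change step is rejected. It assumes the RSAT ActiveDirectory module is installed and the caller holds password-reset rights; the function names and the local pre-check are this example’s own choices.

```powershell
# Added example, not Netwrix code. Assumes the ActiveDirectory RSAT module and
# an account permitted to reset passwords in the domain.
Import-Module ActiveDirectory

function New-RandomPassword {
    # 32 random bytes, base64-encoded: 44 characters mixing upper, lower,
    # digits and symbols, so it passes the usual complexity rule.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 32
    $rng.GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function Test-PasswordAgainstPolicy {
    # Local pre-check of the parts of the default domain policy that can be
    # evaluated without the DC: minimum length and an approximation of the
    # complexity rule. Password history cannot be checked here: only the DC
    # knows the previous hashes, and it enforces history on a change, not a reset.
    param([string]$Plain)
    $policy = Get-ADDefaultDomainPasswordPolicy
    if ($Plain.Length -lt $policy.MinPasswordLength) { return $false }
    if ($policy.ComplexityEnabled) {
        $classes = 0
        if ($Plain -cmatch '[A-Z]')        { $classes++ }
        if ($Plain -cmatch '[a-z]')        { $classes++ }
        if ($Plain -match  '[0-9]')        { $classes++ }
        if ($Plain -match  '[^A-Za-z0-9]') { $classes++ }
        if ($classes -lt 3) { return $false }
    }
    return $true
}

function Invoke-TwoStepPasswordReset {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$NewPasswordPlain
    )
    # Refuse before touching the account for anything that can be checked
    # locally; this shrinks the window in which step 2 can fail.
    if (-not (Test-PasswordAgainstPolicy $NewPasswordPlain)) {
        throw "New password fails length/complexity policy; account untouched."
    }

    # Step 1: administrative reset to a random value. No old password is
    # needed and the history rule is not applied.
    $randomPlain = New-RandomPassword
    $random = ConvertTo-SecureString $randomPlain -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $random

    # Step 2: a change (old + new). This is the operation on which the DC
    # enforces the full policy, including password history.
    $new = ConvertTo-SecureString $NewPasswordPlain -AsPlainText -Force
    try {
        Set-ADAccountPassword -Identity $SamAccountName -OldPassword $random -NewPassword $new
    }
    catch {
        # The state the article describes: the old password is gone, the random
        # one is in place, and the user is flagged to change it at next logon.
        Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
        throw "Change step rejected by domain policy ($($_.Exception.Message)); " +
              "$SamAccountName now holds a random password and must change it at next logon."
    }
}

function Get-UsersFlaggedForPasswordChange {
    # pwdLastSet = 0 is how AD stores "User must change password at next
    # logon"; listing such enabled accounts shows who was left in the state above.
    Get-ADUser -Filter 'pwdLastSet -eq 0 -and Enabled -eq "True"' -Properties pwdLastSet |
        Select-Object SamAccountName, DistinguishedName
}

# Usage (replace the placeholders with a real account and candidate password):
# Invoke-TwoStepPasswordReset -SamAccountName 'jdoe' -NewPasswordPlain '<candidate>'
# Get-UsersFlaggedForPasswordChange
```

The local pre-check only covers length and complexity; a password that reuses one from the user’s history will still pass it and be rejected by the domain controller in step 2, which is exactly why the reset-then-change design cannot avoid this failure mode on its own.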

Similar behavior occurs during the Change password procedure, but there the password is not reset to a random one, so only the “User must change password at next logon” checkbox gets enabled.

To prevent this issue, disable the “Use AD password policy settings” option (Admin Portal -> Domains -> Edit) and configure the password policy through Netwrix Password Manager instead (Admin Portal -> Settings -> Password Policy tab).
