I have a fairly mundane network with AD servers (six in total in three locations) all running Windows Server 2022 Standard updated with the latest patches, etc. The network clients are mostly Windows 11, with some still on Windows 10. The environment is hybrid, with workstation updates and policies handled through Intune, and Azure AD Connect syncing the local AD to Entra ID.
Everything is working fine, but I am experiencing an odd issue where, if I go into Active Directory Users and Computers and check the box for "user must change password at next logon," the user must actually log on twice before it takes effect. I've researched this but can't find anything specific for this problem.
To describe in more detail, let's say I have user John Doe and I want to force them to reset their password. I know for a fact that John Doe is currently logged out of all hardware (I've done testing on dummy accounts I have set up, so I know nothing is using the account, anywhere). I will go into Active Directory Users and Computers and check the "user must change password at next logon" box and save the change. I will then go over to John Doe's laptop (which is completely logged out) and log on as John Doe using the current password. At this point, the computer simply logs on as it always would, as if I hadn't changed the box in AD.
If I then log out as John Doe and then log right back in (the second logon), it will now, on that second logon, prompt me to reset the password.
I have tried everything I can think of to see if I could find a cause. I've checked the box, waited a few minutes, then tried to log on, with the same effect. I've even checked the box and waited up to one week later, verified the box was still checked in AD, then logged on, and the same thing happens. The first logon totally ignores the fact that I have checked the "user must change password at next logon" box, but when I log on the second time the user is finally prompted to reset the password.
I have tested this with dozens of user accounts on the network to see if it was a specific account or group of users with the issue, and it simply seems to affect everyone equally. I've also had other admins test to see if it was something I was doing wrong, or my account, and they had the same issue.
So, for some odd reason, the "user must change password at next logon" box in our AD is only taking effect on every user's second logon... the first time they log on to their computers after we make the change, it is ignored. Obviously, this is not a critical issue since the forced password reset will happen the second time the user logs on to their computer... but I would still like to know why this is happening and if there is a fix so the user is prompted to reset their password the first time they log back on to their computers.
Thank you!
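A diagnostic check a practitioner would run before the first test logon, added here as an example and not part of the original post: it reads pwdLastSet (the attribute the checkbox sets to 0) directly from each DC, together with its replication metadata, so a DC that still holds the old value, or a lagging site, can be ruled in or out. It assumes the ActiveDirectory RSAT module in a domain-joined admin session; the account name is a placeholder.

```powershell
# Added diagnostic, not from the original post. Confirms that the
# "must change password at next logon" flag (stored as pwdLastSet = 0)
# is present and identical on every DC, and shows which DC originated
# the current value and when, to separate replication lag from a
# client-side cause. Assumes the ActiveDirectory module is installed.
param(
    [string]$SamAccountName = 'jdoe'   # placeholder for the test account
)

Import-Module ActiveDirectory -ErrorAction Stop

$user = Get-ADUser -Identity $SamAccountName -Properties DistinguishedName
$dcs  = Get-ADDomainController -Filter * | Sort-Object HostName

$report = foreach ($dc in $dcs) {
    try {
        # Query this specific DC rather than whichever one the module picks.
        $u = Get-ADUser -Identity $user.DistinguishedName -Server $dc.HostName `
                        -Properties pwdLastSet, PasswordExpired
        # Replication metadata: originating DC, timestamp and version of pwdLastSet.
        $meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
                    -Server $dc.HostName -Properties pwdLastSet
        [pscustomobject]@{
            DC              = $dc.HostName
            Site            = $dc.Site
            pwdLastSet      = $u.pwdLastSet
            MustChange      = ($u.pwdLastSet -eq 0)
            PasswordExpired = $u.PasswordExpired
            OriginatingDC   = $meta.LastOriginatingChangeDirectoryServerIdentity
            ChangedAt       = $meta.LastOriginatingChangeTime
            Version         = $meta.Version
        }
    } catch {
        [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; Error = $_.Exception.Message }
    }
}

$report | Format-Table -AutoSize

# If the value differs between DCs, replication has not converged yet.
$distinct = $report | Where-Object { $_.PSObject.Properties['pwdLastSet'] } |
            Select-Object -ExpandProperty pwdLastSet -Unique
if ($distinct.Count -gt 1) {
    Write-Warning "pwdLastSet differs between DCs; check replication before testing the logon."
}

# On the workstation itself, $env:LOGONSERVER (or nltest /dsgetdc:<domain>)
# shows which DC processed the logon; compare it against the table above.
```

If every DC already reports MustChange = True before the first logon, replication is not the explanation and the client-side logon path is the next thing to look at.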