Error when a Domain Admin needs a user to change his password at next log on: “configuration information could not be read from the domain controller”

active-directory, password, windows-server-2019

An administrator of a domain network with a single Microsoft Active Directory 2019 Domain Controller needs to reset the password for certain domain users. To do so, he selects the user from the list, chooses "Reset password" and, while setting a temporary password to be given to the user, checks the option "User must change password at next log on".

When the user tries to log in, he is prompted to change his password, as expected; however, when he proceeds to change the password, the process fails with the following error:

configuration information could not be read from the domain controller, either because the machine is unavailable or access has been denied.

I read many articles regarding this issue. Some said this turned into an issue after installing an update; however, I couldn't find a real answer here or anywhere else. My domain controller is really available, and the computers where the affected user tries to log in are domain-joined. So it sounds like it isn't a firewall issue, maybe.

Best Answer

  1. Have more than one DC, always

  2. Have you looked at the Event Logs on the DC? Specifically the Security log?

  3. If you look at the pwdLastSet attribute on the user account, does it show the date when the user attempted to change the password? or was it your change?

  4. Are the users connecting via a wired network or wireless? If you have any firewalls between client machines and DCs, are they showing dropped traffic? The ports specified here MUST be open between DCs and clients. Note that some of these include UDP, including the port for Kerberos password changes.

  5. Can the users change their passwords before they expire?

  6. Do you have a machine you can test with and see if you can replicate these issues with a normal user account? Preferably one on the same network(s) as the user machines. If they leave their machines in the office and you can remote to them, try doing some testing on one after hours.

  7. Are there any relevant errors in the System or Security logs on the client machines?
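The checks in items 2, 3, 4 and 7 of the answer, collected into one PowerShell script. This is an added example, not code from the question or the answer. It assumes the RSAT ActiveDirectory module is installed on the machine it runs from (ideally a domain-joined client on the same network as the affected users), that the running account can read the DC's Security log remotely, and that the user name `jdoe` and the DC taken from `$env:LOGONSERVER` are placeholders you replace with your own.

```powershell
<#
  Added diagnostic helper (not part of the original question or answer).
  Assumptions: RSAT ActiveDirectory module present; the account running this
  can read the DC's Security log; $SamAccountName and $DcName are placeholders.
#>
param(
    [string]$SamAccountName = 'jdoe',                    # placeholder user
    [string]$DcName = $env:LOGONSERVER.TrimStart('\'),   # DC that authenticated this session
    [int]$HoursBack = 24
)
Import-Module ActiveDirectory -ErrorAction Stop
$since = (Get-Date).AddHours(-$HoursBack)

# --- Item 3: pwdLastSet on the user object ----------------------------------
# pwdLastSet = 0 means "User must change password at next logon" is still in
# force: the admin's reset landed, the user's own change never did. A recent
# timestamp means the user's change was actually written on this DC.
$u = Get-ADUser -Server $DcName -Identity $SamAccountName `
        -Properties pwdLastSet, PasswordLastSet, PasswordExpired, LockedOut, Enabled
$pwdState = if ($u.pwdLastSet -eq 0) { 'must-change-at-next-logon (user change never succeeded)' }
            else { "last set $($u.PasswordLastSet)" }
Write-Host "[$SamAccountName] pwdLastSet: $pwdState; Enabled=$($u.Enabled); LockedOut=$($u.LockedOut); Expired=$($u.PasswordExpired)"

# --- Item 4: TCP reachability of the ports a password change needs ----------
# Test-NetConnection tests TCP only. Kerberos (88) and the kpasswd service
# (464) are also used over UDP, so a clean result here does not clear the
# firewall: still check its dropped-packet log for UDP/88 and UDP/464.
$ports = [ordered]@{ DNS = 53; Kerberos = 88; RPC = 135; LDAP = 389; SMB = 445; kpasswd = 464; LDAPS = 636; GC = 3268 }
$portResults = foreach ($name in $ports.Keys) {
    $t = Test-NetConnection -ComputerName $DcName -Port $ports[$name] -WarningAction SilentlyContinue
    [pscustomobject]@{ Service = $name; Port = $ports[$name]; TcpOpen = $t.TcpTestSucceeded }
}
$portResults | Format-Table -AutoSize
$closed = $portResults | Where-Object { -not $_.TcpOpen }
if ($closed) { Write-Warning ("TCP ports not reachable on {0}: {1}" -f $DcName, ($closed.Port -join ', ')) }

# --- Item 2: Security log on the DC ------------------------------------------
# 4724 = an administrator reset the password (the admin's action).
# 4723 = the user tried to change their own password. An Audit Failure 4723
#        means the DC received the request and refused it; no 4723 at all
#        means the user's request never reached this DC.
$dcEvents = Get-WinEvent -ComputerName $DcName -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Security'; Id = 4723, 4724; StartTime = $since } |
    Where-Object { $_.Message -match "Account Name:\s+$([regex]::Escape($SamAccountName))" }
if ($dcEvents) {
    $dcEvents | Select-Object TimeCreated, Id, KeywordsDisplayNames | Format-Table -AutoSize
} else {
    Write-Host "No 4723/4724 events for $SamAccountName on $DcName in the last $HoursBack h (is 'Audit User Account Management' enabled?)."
}

# --- Item 7: client-side System log, Netlogon / LSA errors and warnings -----
$clientEvents = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'System'; Level = 2, 3; StartTime = $since; ProviderName = 'NETLOGON', 'LsaSrv' }
if ($clientEvents) { $clientEvents | Select-Object TimeCreated, ProviderName, Id, Message | Format-List }
else { Write-Host "No NETLOGON/LsaSrv errors or warnings in this client's System log since $since." }
```

Run it from the affected user's workstation (item 6 of the answer) rather than from the DC, so the port tests cross the same firewalls the user's password change does. The combination of `pwdLastSet` still being 0, no 4723 on the DC, and TCP 464 open is the pattern that points at UDP being dropped, which this script cannot test directly; that is where the firewall's own drop log has to answer.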
