Password reset fails for end users when minimum password age set for more than 0 days

Tags: active-directory, password-management, password-reset

Our Help Desk has been resetting user passwords with "user must reset password at next logon" for years.

Recently, the "minimum password age" in the Default Domain Policy was changed from 0 days to 5 days.

Now, when the Help Desk resets a user's password with "user must change password at next logon" selected, the end user receives a denied message because the password was reset less than 5 days ago.

Searches only reveal how to delegate permissions to reset passwords, which has already been done. It appears that the Help Desk changing the password is treated the same as if the user had reset the password themselves.

Any clues?

Best Answer

That's not how it works - the 'user must change password at next login' flag zeroes out the pwdLastSet attribute, so that the user is forced to change it at next login.

When this happens, there's no timestamp, so the minimum age requirement is always considered to be met. You can test this by changing your own password, then (without logging out) checking the 'must change password at next login' box on your account, then changing your own password again. It'll work, since the timestamp of your previous password change is wiped away by forcing the change.

What's really happening (and what the help desk is misleading you about) is that they're resetting the passwords without setting the 'must change password at next login' flag. The pwdLastSet timestamp is then set based on the password change that the help desk performed, and the user can't change the password.

If this password policy is set, then your help desk will need to be trained to always set the flag - and that failure to do so will result in user complaints.
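A PowerShell version of the help-desk procedure the answer describes, added here as an example (it is not part of the original question or answer). It assumes the ActiveDirectory module from RSAT, delegated reset rights on the target accounts, and a 5-day minimum age matching the policy in the question; the function names are hypothetical.

```powershell
# Added example: administrative reset that sets the must-change flag, then verifies
# that pwdLastSet was actually zeroed, plus an audit for resets done without the flag.
# Assumes the ActiveDirectory module (RSAT) and delegated password-reset rights.
Import-Module ActiveDirectory

function Reset-HelpDeskPassword {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][securestring]$NewPassword
    )
    # -Reset is an administrative reset, not a user-initiated change, so the old
    # password is not required and minimum password age does not apply to this step.
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $NewPassword

    # Forcing a change at next logon zeroes pwdLastSet. With no timestamp, the
    # minimum-age check is treated as satisfied and the user can set their own
    # password immediately instead of being denied for 5 days.
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true

    # Verify the flag really took: pwdLastSet must read 0 after a correct reset.
    $user = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet
    if ($user.pwdLastSet -ne 0) {
        throw "pwdLastSet for $SamAccountName is $($user.pwdLastSet), not 0: the must-change flag was not applied."
    }
    Write-Host "Reset OK: $SamAccountName must change password at next logon."
}

# Audit: enabled accounts whose pwdLastSet is non-zero and within the minimum-age
# window. These are resets done without the flag; the users will be denied when
# they try to change their password until the window expires.
function Find-ResetWithoutFlag {
    param([int]$MinPasswordAgeDays = 5)   # match the domain policy value
    # pwdLastSet is a Windows FILETIME (Int64); 0 means "must change at next logon"
    # and is naturally excluded by the -gt comparison below.
    $cutoff = (Get-Date).AddDays(-$MinPasswordAgeDays).ToFileTime()
    Get-ADUser -Filter 'Enabled -eq $true' -Properties pwdLastSet |
        Where-Object { $_.pwdLastSet -gt $cutoff } |
        Select-Object SamAccountName,
            @{ n = 'PwdLastSet'; e = { [DateTime]::FromFileTime($_.pwdLastSet) } }
}

# Usage (help desk):
#   Reset-HelpDeskPassword -SamAccountName jdoe -NewPassword (Read-Host -AsSecureString 'New password')
# Usage (admin check after the policy change):
#   Find-ResetWithoutFlag -MinPasswordAgeDays 5
```

The audit cannot distinguish a help-desk reset from a user's own change in the same window, so treat its output as a list of accounts to confirm with the help desk ticket history rather than as proof of a missed flag.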