The option “User must change password at next logon” is usually enabled when creating a new Active Directory user. This option forces the user to change their password when they next log in to the domain.
Also, if the user forgets their password, an administrator can reset it and enable the “User must change password at next logon” option.
What if the “User must change password at next logon” Account Option is Greyed Out?
Suppose a user needs their password reset. The administrator tries to reset it but finds that the “User must change password at next logon” option is greyed out.
There are a few possible reasons for this. Here are the causes and their fixes.
Note. Did you know you can also reset the user’s password in PowerShell using the PowerShell Active Directory Module targeting the user’s SamAccountName and UserPrincipalName attributes?
Issue 1: Conflicting Account Options
One possible reason is conflicting account options. Apart from “User must change password at next logon”, there are two other options that cannot be selected at the same time:
- “User cannot change password”
- “Password never expires”
If any of the above account options is enabled, “User must change password at next logon” cannot be enabled at the same time.
The solution? Ensure you uncheck both the “User cannot change password” and “Password never expires” options.
Try to reset the user’s password again, and the “User must change password at next logon” is no longer greyed out.
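The same fix can be scripted. The following is an added example and not code from the original post: it assumes the RSAT ActiveDirectory module is installed and uses the placeholder account name jdoe. It clears the two conflicting options, resets the password, and then sets the must-change flag, which is what the console does when the box is ticked.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$Identity = 'jdoe'   # placeholder SamAccountName

# Fetch the two options that block "User must change password at next logon".
$User = Get-ADUser -Identity $Identity -Properties PasswordNeverExpires, CannotChangePassword, pwdLastSet

if ($User.PasswordNeverExpires -or $User.CannotChangePassword) {
    Write-Host "Clearing conflicting account options on $($User.SamAccountName)"
    # Either flag must be cleared first, otherwise -ChangePasswordAtLogon $true is rejected.
    Set-ADUser -Identity $User -PasswordNeverExpires $false -CannotChangePassword $false
}

# Reset the password. Prompting for a SecureString keeps the temporary password
# out of the command line and the PowerShell history.
$NewPassword = Read-Host -Prompt "Temporary password for $Identity" -AsSecureString
Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $NewPassword

# Force a password change at next logon. Under the hood this sets pwdLastSet to 0.
Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true

# Verify: pwdLastSet should now be 0 and both conflicting options false.
Get-ADUser -Identity $Identity -Properties pwdLastSet, PasswordNeverExpires, CannotChangePassword |
    Select-Object SamAccountName, pwdLastSet, PasswordNeverExpires, CannotChangePassword
```

Run it from a session that already has password reset rights on the user; if the operator lacks them, Set-ADAccountPassword fails with an access denied error, which is the permission problem described under Issue 2.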
Issue 2: Insufficient Operator Permissions
Another reason could be that the operator does not have the right permission to reset user passwords. To quickly confirm that it is a permission issue, ask another administrator to try resetting the same user’s password.
If the “User must change password at next logon” is accessible to another operator, that confirms a permission issue. So how do you fix it?
Option 1: Add to the Account Operators Security Group
The Account Operators security group is a built-in group in Active Directory. The members of this group can administer domain user and group accounts.
An account added to this group has sufficient rights to reset the password, and the “User must change password at next logon” option will be accessible to it.
Option 2: Delegate the Password Reset Control
If you don’t want to give the other account carte blanche control over user accounts and groups, you can delegate specific controls only. In this case, you can delegate the Reset Password permission to the operator.
- Open the Active Directory Users and Computers console:
dsa.msc
- Right-click the OU to which the control delegation will apply. In this example, we’ll select the Users OU, and click Delegate Control.
- Click Next on the Welcome page.
- Click Add to open the users and groups selector window.
- Specify the name(s) of the users or groups to whom you’ll delegate the permission and click OK.
Tip. Delegating control to groups instead of individual users will be more efficient in production.
- Once the delegate account is added, click Next.
- Under the Tasks to Delegate, select Delegate the following common tasks option and check the Reset user passwords and force password change at next logon option.
- Lastly, click Finish.
Now the operator has the right permissions to reset user passwords and tick the “User must change password at next logon” option.
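To check what the wizard actually granted, or to apply the same delegation from a script, the OU’s ACL can be inspected directly. The following is an added example and not code from the original post. It assumes the ActiveDirectory module, and the OU distinguished name and the group name are placeholders. The wizard’s “Reset user passwords and force password change at next logon” task corresponds to the Reset Password extended right plus read/write of the pwdLastSet attribute on user objects; the example resolves those GUIDs from the forest rather than hard-coding them, reports which principals already hold the right, and adds the two ACEs for the group if they are missing.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$OU        = 'OU=Users,DC=example,DC=com'   # placeholder OU the delegation applies to
$Principal = 'EXAMPLE\HelpDesk-PwdReset'    # placeholder group receiving the delegation
$RootDse   = Get-ADRootDSE

# Resolve the GUIDs from the configuration and schema partitions instead of hard-coding them.
$ResetPwdGuid = [Guid](Get-ADObject -SearchBase $RootDse.configurationNamingContext `
    -LDAPFilter '(&(objectClass=controlAccessRight)(name=Reset Password))' -Properties rightsGuid).rightsGuid
$PwdLastSetGuid = [Guid](Get-ADObject -SearchBase $RootDse.schemaNamingContext `
    -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=pwdLastSet))' -Properties schemaIDGUID).schemaIDGUID
$UserClassGuid = [Guid](Get-ADObject -SearchBase $RootDse.schemaNamingContext `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' -Properties schemaIDGUID).schemaIDGUID

$Acl = Get-Acl -Path "AD:\$OU"

# Audit: who can already reset passwords on objects under this OU?
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$ResetHolders = $Acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $ExtendedRight) -and
    $_.ObjectType -eq $ResetPwdGuid
}
Write-Host "Principals holding Reset Password on ${OU}:"
$ResetHolders | Select-Object IdentityReference, InheritanceType, InheritedObjectType | Format-Table -AutoSize

$AlreadyDelegated = $ResetHolders | Where-Object { $_.IdentityReference.Value -eq $Principal }

if (-not $AlreadyDelegated) {
    $Sid     = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
                   [System.Security.Principal.SecurityIdentifier])
    $Allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

    # ACE 1: Reset Password extended right, scoped to descendant user objects only.
    $Acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid, $ExtendedRight, $Allow, $ResetPwdGuid, $Inherit, $UserClassGuid))

    # ACE 2: read/write pwdLastSet, which is what ticking the box writes.
    $ReadWrite = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $Acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid, $ReadWrite, $Allow, $PwdLastSetGuid, $Inherit, $UserClassGuid))

    Set-Acl -Path "AD:\$OU" -AclObject $Acl
    Write-Host "Delegated Reset Password and pwdLastSet read/write to $Principal on $OU"
}
```

Scoping both ACEs to the user object class matters: an unscoped Reset Password right would also cover computer objects under the OU. Running only the audit half of the script periodically is a cheap way to spot delegations that were added by hand and forgotten.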
Conclusion
The “User must change password at next logon” option is a security feature that helps ensure the safety of user accounts. If this option is greyed out, it can be due to various reasons, such as conflicting account options or insufficient permissions.
Following this post, the next time you encounter the “User must change password at next logon” option greyed out, you’ll be able to resolve it with ease.
4 comments
nice post Cyril
Can you help me with something? I need a list of users for which the checkbox “Request Password at Logon” is flagged.
I searched a lot on web but don’t find anything can help me out.
If I use the command to show users with Password Never Expires, the command shows me the users:
Get-ADUser -filter {passwordneverexpires -eq $true} | Select-Object Name,SamAccountName
Changing the filter passwordneverexpires to changepasswordatlogon doesn’t work hahaha
Sadly this option was partly broken in Windows 2019 and is completely and utterly broken in Windows 2022.
Try this
Import-Module ActiveDirectory
$Users = Get-ADUser -Filter * -Properties *
$Users | Where-Object { $_.pwdLastSet -eq 0 } | Select-Object Name, DistinguishedName | Export-Csv -Path C:\Users.csv
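A variant of the report above that filters on the domain controller instead of pulling every user with every attribute, added here as an example and not part of the original thread. It assumes the ActiveDirectory module; the CSV path is a placeholder. Because the must-change flag is stored as pwdLastSet = 0, an LDAP filter on that attribute returns only the flagged accounts, and the report also marks rows where one of the two conflicting options is set on the same account, which the console does not allow to be ticked together.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Server-side filter: only user objects whose pwdLastSet is 0
# ("User must change password at next logon" ticked).
$Flagged = Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(pwdLastSet=0))' `
    -Properties pwdLastSet, PasswordNeverExpires, CannotChangePassword, whenCreated

$Report = $Flagged | Select-Object SamAccountName, DistinguishedName, Enabled, whenCreated,
    @{ Name = 'PasswordNeverExpires'; Expression = { $_.PasswordNeverExpires } },
    @{ Name = 'CannotChangePassword'; Expression = { $_.CannotChangePassword } },
    # A flagged account that also has either option set was not configured through the console.
    @{ Name = 'ConflictingOption'; Expression = { $_.PasswordNeverExpires -or $_.CannotChangePassword } }

# Show conflicts first; disabled accounts that never logged on are usually just noise.
$Report | Sort-Object ConflictingOption, Enabled -Descending | Format-Table -AutoSize
$Report | Export-Csv -Path 'C:\Temp\MustChangePassword.csv' -NoTypeInformation   # placeholder path
```

CannotChangePassword is computed by Get-ADUser from the user’s ACL, so it costs an extra read per returned account; leave it out of -Properties if the report only needs the pwdLastSet flag.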
Hi,
Even if the checkbox in the “User must change password at next logon” box is unchecked, it gets checked again after a short while. What would be the reason?