Q: When a user tries to log on to the computer for the first time it prompts them to reset password. "You must enter a new password before you can log in to the account."
Aug 13, 2016 9:52 AM in response to gwsphby issueinlayer8,
Apologies for necroing this thread, I had exactly the same problem and didn't find an answer anywhere so thought I'd share.
Linc's answer didn't help much, pwpolicy doesn't appear to have much to do with Active Directory accounts. But pwpolicy -u -authentication-allowed did report that the affected users were required to change their password, just like the login screen seems to indicate.
To fix it I had to modify the SMBPasswordLastSet attribute for the users. You can do this using Directory Editor in Directory Utility straight from the Mac. You need to enter an 18-digit LDAP/AD epoch time - see http://www.epochconverter.com/ldap and https://support.microsoft.com/en-gb/kb/555936 for details.
The affected users had values like 0 and -1 for the attribute and the Mac refused to play.
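The 18-digit LDAP/AD time mentioned in the reply above counts 100-nanosecond intervals since 1601-01-01 UTC. The following is an added example, not part of the original post: it converts a date to that format and back, and flags values such as the 0 and -1 reported above. The function names and sample values are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# AD/LDAP timestamps count 100-nanosecond intervals since 1601-01-01 UTC.
AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def to_ad_timestamp(dt):
    """Convert a timezone-aware datetime to an AD/LDAP timestamp."""
    if dt.tzinfo is None:
        raise ValueError("datetime must be timezone-aware")
    delta = dt - AD_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def from_ad_timestamp(value):
    """Convert an AD/LDAP timestamp back to a UTC datetime."""
    return AD_EPOCH + timedelta(microseconds=value // 10)


def check_last_set(raw, now=None):
    """Classify a raw attribute value copied from Directory Editor."""
    now = now or datetime.now(timezone.utc)
    try:
        value = int(str(raw).strip())
    except ValueError:
        return "invalid: not an integer"
    if value <= 0:
        return "invalid: %d is not a timestamp" % value
    if len(str(value)) != 18:
        return "invalid: expected 18 digits, got %d" % len(str(value))
    when = from_ad_timestamp(value)
    if when > now:
        return "suspicious: %s is in the future" % when.isoformat()
    return "ok: password last set %s" % when.isoformat()


if __name__ == "__main__":
    # Constructed sample values: the two bad ones mentioned in the post,
    # plus a timestamp generated for the date of the post (taken as UTC).
    stamp = to_ad_timestamp(datetime(2016, 8, 13, 9, 52, tzinfo=timezone.utc))
    for raw in ("0", "-1", str(stamp)):
        print(raw, "->", check_last_set(raw))
```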