Incorrect Behavior in Winlogon for First-Time User with "Must Change Password on First Logon" Setting

Article translations Article translations
Article ID: 263603 - View products that this article applies to.
This article was previously published under Q263603
This article has been archived. It is offered "as is" and will no longer be updated.
Expand all | Collapse all


When a new user logs on to a workstation for the first time in a Windows 2000-based domain, the following symptoms can occur if the Must change password on first logon setting is enabled for that user account:
  • Windows 2000 displays a dialog box for the user to change the password, even if the user typed an incorrect password to log on.
  • The error message box states "Your password has expired and must be changed" instead of "You are required to change your password at first logon."


This behavior is caused by a problem in Kerberos on the domain controller.


To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
The English version of this fix should have the following file attributes or later:
   Date        Time   Version      Size     File name
   25/01/2001  15:24  5.0.2195.28  130,320  Adsldpc.dll
   25/01/2001  15:24  5.0.2195.28  348,944  Advapi32.dll
   25/01/2001  15:23  5.0.2195.28  502,032  Instlsa5.dll
   25/01/2001  15:24  5.0.2195.28  140,560  Kdcsvc.dll
   17/01/2001  14:17  5.0.2195.28  198,928  Kerberos.dll
   19/12/2000  22:13  5.0.2195.28  69,456   Ksecdd.sys
   25/01/2001  15:24  5.0.2195.28  484,112  Lsasrv.dll
   02/01/2001  09:45  5.0.2195.28  33,552   Lsass.exe
   23/01/2001  18:06  5.0.2195.28  108,816  Msv1_0.dll
   25/01/2001  15:24  5.0.2195.28  912,656  Ntdsa.dll
   25/01/2001  15:24  5.0.2195.27  363,280  Samsrv.dll
   25/01/2001  15:36               862,655
   25/01/2001  15:24  5.0.2195.27  128,272  Wldap32.dll
   23/01/2001  18:19  5.0.2195.28  494,864  Lsasrv.dll 

NOTE: The hotfix listed in this article resolves only the first issue described in the "Symptoms" section. There is currently no fix to address the second problem (the incorrect error message).


Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 2.


For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:
249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes


Article ID: 263603 - Last Review: October 20, 2013 - Revision: 3.4
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
kbnosurvey kbarchive kbhotfixserver kbqfe kbbug kbfix kbwin2000presp2fix KB263603

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from