If you reset a user's password, you can configure the User must change password at next logon option. If you perform this operation on the primary domain controller (PDC) operations master, which may be located in a site that is different from the site that the user is logging on to, replication latency may occur, which may cause the symptoms that are described in the preceding section. The following scenario describes this issue:
- The user forgets their password (for example, password1), and then you reset the password to password2.
- The user in the remote site uses the newly reset password
(password2) to log on to their local domain
controller (the remote domain controller).
- The remote domain controller does not recognize
password2 as the password (it knows only
password1). The domain controller forwards (chains)
the logon request to the PDC operations master.
- The PDC operations master satisfies the logon request, and
then passes a message to the remote domain controller that states that the user
must change their password.
- This message is passed back to the client computer, which
prompts the user to change their password.
- When a user is prompted to change their password, they are
asked for the old password and a new password. In this case, the user types the
newly reset password (password2) as the old
password, and then types a new password.
- The client contacts the remote domain controller again
(because this domain controller is in the same site as the client) to change
the password. However, the remote domain controller has the password that the
user was using at the time that they asked you to reset the password
(password1), and does not recognize
password2 as the old password.
- Because password2 is not the correct old password (according to the remote domain controller), the password change operation fails. However, after the newly reset password (password2) is replicated to the remote domain controller, if the user enters password2 when they are prompted to enter the old password, the password change operation is successful.
You can avoid this replication latency by changing the password for the user on a domain controller in the site that the user is logging on to. To change the focus of the Active Directory Users & Computers snap-in to a domain controller in that site, right-click the top of the left pane of the snap-in, and then click Connect to Domain Controller. You can now locate a domain controller in the site that the user is in and change the password.
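The same procedure can be scripted. The following is an added example and is not part of the Knowledge Base article: it discovers a writable domain controller in the user's site, resets the password and sets the must-change flag on that domain controller rather than on the PDC emulator, and then compares the replication metadata of pwdLastSet on both domain controllers so an administrator can tell whether the reset has replicated before the user is told to log on. It assumes the ActiveDirectory PowerShell module is installed, that the target domain controllers answer Active Directory Web Services requests (on the Windows 2000/2003 domain controllers listed below that requires the Active Directory Management Gateway Service), and that the site name and user name are placeholders to be replaced with real values.

```powershell
# Added example, not from the KB article. Reset a user's password on a
# writable DC in the user's own site, set "must change password at next
# logon" there, and check whether the change has replicated to the PDC
# emulator. Placeholders: $SiteName and $User are assumed values.
Import-Module ActiveDirectory

$User     = 'jsmith'       # placeholder sAMAccountName
$SiteName = 'BranchSite'   # placeholder: the AD site the user logs on in

# Pick a writable DC in the user's site instead of the PDC emulator, so the
# DC that will answer the user's logon already holds the new password.
$LocalDc = (Get-ADDomainController -Discover -SiteName $SiteName -Writable).HostName[0]
$PdcDc   = (Get-ADDomain).PDCEmulator

# Reset on the local DC and require a change at next logon, also on the local DC.
$NewPassword = Read-Host -AsSecureString -Prompt "Temporary password for $User"
Set-ADAccountPassword -Identity $User -Server $LocalDc -Reset -NewPassword $NewPassword
Set-ADUser -Identity $User -Server $LocalDc -ChangePasswordAtLogon $true

# Replication check. pwdLastSet is 0 after the must-change flag is set, so its
# value is not useful; compare the attribute's replication metadata instead.
# When the Version and originating DC match on both DCs, the reset has replicated.
$UserDn = (Get-ADUser -Identity $User -Server $LocalDc).DistinguishedName
foreach ($Dc in @($LocalDc, $PdcDc)) {
    $Meta = Get-ADReplicationAttributeMetadata -Object $UserDn -Server $Dc -Properties pwdLastSet
    [pscustomobject]@{
        DomainController = $Dc
        Attribute        = $Meta.AttributeName
        Version          = $Meta.Version
        OriginatingDc    = $Meta.LastOriginatingChangeDirectoryServerIdentity
        ChangedAt        = $Meta.LastOriginatingChangeTime
    }
}
```

Until the Version values reported for the two domain controllers agree, a logon that is chained to the PDC emulator can still produce the failed password change described in the scenario above; `repadmin /syncall` or waiting for the next scheduled replication cycle closes that window.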
Article ID: 320325 - Last Review: December 3, 2007 - Revision: 6.4
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
- Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows Small Business Server 2003 Premium Edition
- Microsoft Windows Small Business Server 2003 Standard Edition