Starting with Windows 8 (and continuing with Windows 8.1) I have noticed that changing your password is broken once the password is expired. I’m posting this so that others can be aware and not fall into the same pit that I often find myself.
If your network has a password expiration policy and you do not change your password before it expires you may get into a situation where you cannot change your expired password.
The steps to replicate this problem require some set up.
- Set up the network policies to expire passwords.
- Create a user account that has a password.
- Log into the account on a Windows 8+ machine.
- Remain logged in until the password expires (being at the lock screen is fine).
At this point you are now in the scenario where you are stuck. After unlocking the computer Windows will pop up a message notifying you that your password has expired and suggesting that you Ctrl+Alt+Del to go to the lock screen to change your password. On the Change Password screen you must enter your old and new password (with confirmation). Upon entering all the information Windows will attempt to change the password, determine that the old password has expired and return an error saying the password has expired and must be changed. Duh, that is why I’m trying to change it.
The first time I ran into this scenario I assumed that Windows was confused so I rebooted. Same scenario, the password must be changed. Then I thought that maybe because of the expiration that Windows was confused so I asked the network administrator to change my password. They did and, in accordance with good security practice, marked that I had to change my password on next login. The problem persisted. At this point I was pretty mad so we tried one final thing that proved to work.
The only solution that I found that works is to have the network administrator assign a new password to the account AND ensure that the “must change” option IS NOT set. If this option is set then you will still run into the problem. Rebooting the machine does not help. One theory was that there was a service or other process running somewhere with the network credentials but the account was never locked out so this seems unlikely.
This seems like a glaring issue with password expiration in the newer versions of Windows. Until this is resolved the only reasonable solution is to ensure that you change your password before it expires. Hopefully Microsoft will resolve this with Windows 10.
Is It Me
I have replicated this problem on 2 different Windows 8 and 8.1 machines. They were both on the same network. Other machines on the network running Windows 7 and Windows Server 2008 R2 do not replicate this behavior. As such I don’t believe it to be a quirk of the machine or my account. It is possible it is an issue with the newer operating systems running against an older domain controller but this seems unlikely.