I believe I have everything configured correctly. But clearly I'm missing something. Users can authenticate and that all works. If I expire a password, it recognizes that it is expired. It recognizes that part of our password policy requires 7 ch...
I have found the answer. The "Account Operators" group can change user information, except it cannot change the Domain Administrators group or any of its members. I was using my own account for testing and I am in the Domain Admins group. When I creat...
I was able to resolve the problem, but not satisfactorily. I changed the LDAP account privileges from "Account Operators" to "Domain Admins" and now the password change works. It's nice that it works, but I don't like the idea of having a Domain Admi...
In Event Viewer on the domain controller, under security, I only see that the logon has failed. Failure Information: Failure Reason: The specified account's password has expired. Status: 0xc0000224 Sub Status: 0x0 That...
Yes, that is one of the first things I did. A couple of common remedies that I've found with AD Password change problems are either not having Secure LDAP set up correctly, or the LDAP user not being in the correct group. The LDAP user is in the Accoun...