When I reset user passwords in Active Directory on Windows Server 2008 or Windows Server 2012 and check the option "User must change password at next logon", it prevents users from being able to log in.
However, when I do not check this option and reset their password and unlock their account, the users can log in successfully. This obviously presents a bit of a security issue.
I'm not versed enough in AD to know why this is occurring; has anyone seen this before?
The only time I've seen something like this was when we deployed a NAC agent that only allowed certain ports unless the user had logged in. Basically, network services had allowed the ports to log in but were blocking the ports needed to change passwords.
If you're using some kind of similar product, or are otherwise in a similar situation, you'll need to make sure that port 464 is open in addition to the LDAP ports (389 and 636). There's a full list of AD ports here: http://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx
Is your domain functional level 2012? Sounds like your password policy has entries defined for password age. (I think 2012 dictates that users must wait 1 day to change their password by default.) You should take a look at your Group Policy password settings.
http://technet.microsoft.com/en-us/library/hh994572(v=ws.10).aspx
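An added diagnostic script (not posted by anyone in this thread) that checks both suggestions above from an admin workstation: TCP reachability of the Kerberos password-change port (464) and the LDAP ports on a domain controller, the minimum password age in the domain policy (and any fine-grained policy applied to the user), and whether the user's pwdLastSet is 0, which is what "User must change password at next logon" sets. It assumes the RSAT ActiveDirectory module is installed; `$Dc` and `$SamAccountName` are placeholder values to replace.

```powershell
# Added example, not from the original thread. Requires the RSAT ActiveDirectory module.
param(
    [string]$Dc = 'dc01.example.local',   # placeholder: a domain controller to test
    [string]$SamAccountName = 'jdoe'      # placeholder: the affected user
)
Import-Module ActiveDirectory

# 1. The kpasswd service (port 464) must be reachable in addition to LDAP/LDAPS.
#    Test-NetConnection probes TCP only; UDP 464 is not covered by this check.
$ports = [ordered]@{ 'Kerberos (kpasswd)' = 464; 'Kerberos' = 88; 'LDAP' = 389; 'LDAPS' = 636 }
foreach ($name in $ports.Keys) {
    $r = Test-NetConnection -ComputerName $Dc -Port $ports[$name] -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    Write-Output ('{0,-20} TCP/{1,-4} {2}' -f $name, $ports[$name], $state)
}

# 2. Password-age settings: a non-zero MinPasswordAge can stop a freshly reset
#    password from being changed again right away.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy -Server $Dc
Write-Output ('Domain policy  MinPasswordAge={0}  MaxPasswordAge={1}' -f
    $domainPolicy.MinPasswordAge, $domainPolicy.MaxPasswordAge)

# Fine-grained password policies (PSOs) override the domain policy for a user.
$pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName -Server $Dc
if ($pso) {
    Write-Output ('PSO "{0}" applies  MinPasswordAge={1}' -f $pso.Name, $pso.MinPasswordAge)
} else {
    Write-Output 'No fine-grained password policy applies; domain policy is in effect'
}

# 3. The user's own state. pwdLastSet = 0 means "must change password at next logon".
$u = Get-ADUser -Identity $SamAccountName -Server $Dc `
        -Properties pwdLastSet, PasswordLastSet, LockedOut, PasswordExpired, Enabled
Write-Output ('User {0}: Enabled={1} LockedOut={2} PasswordExpired={3}' -f
    $u.SamAccountName, $u.Enabled, $u.LockedOut, $u.PasswordExpired)
if ($u.pwdLastSet -eq 0) {
    Write-Output '  pwdLastSet=0 -> change-at-next-logon is set; logon needs port 464 to succeed'
} else {
    Write-Output ('  PasswordLastSet={0}' -f $u.PasswordLastSet)
}
```

Run it once from a client on the same network segment as the affected users, since a firewall or NAC agent between them and the DC is what the first answer suspects.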