We have 4 sites, 3 of these site have only Windows Server 2008R2 domain controllers.
1 site has 2 Windows Server 2008R2 and 1 Windows Server 2003 domain controller.
All clients are Windows 7
The domain functional level is 2003
Some users in this last site are reporting problems when logging in after locking their screen OR when they need to change their password.
The password policy is set at domain level, all sites are running this single password policy
This only applies to a couple of users in the site which includes the 2003 DC, all other users have no issues at all
The login problem after locking the screen:
Users tries to login again, but recieves the error that username and/or password do not match.
Only restarting the computer and login again with same username/password is working.
Changing password:
User start computer and a message appear that password needs to be changed.
They click OK.
They enter a new password and confirm the password (password is 100% meeting a the complexity rules)
A message will appear that the password does not meet the password complexity rules.
Same thing happens on a different PC.
We open the AD Snap-in and change the users password in the snap-in to the same used on the computer and the user can login
If we select 'user must change password at next login' we have the same thing again.
Another changing password issue, not the same users as the issue above:
User locks screen and during that time the password went from '1 day left' to 'you have to change password now'.
User types old password, pop-up indicates that password needs to be changed.
USer clicks on OK.
The user is presented 1 field for their current password, it will never show the additional fields for changing the password.
Reboot PC and login with old password prompts for changing the password now and the additional field appear and user is able to change their password.
I believe these problems are all related, but I can't figure it out.
Since the issue is only in the site that includes the 2003 DC I think this one is messing thing up.
Demoting the 2003 DC and raising the functional level to 2008R2 is not an option.
If checked the permissions on the user accounts for changing password etc. and they are identical with users that are able to change their passwords.