0X000008C3: User Can't Change Password in Active Directory
This error shows up when a user tries to change their password but the account has the 'User cannot change password' flag set. The fix is in ADUC or via PowerShell.
When This Error Hits
You'll see 0X000008C3 (and the corresponding NERR_PasswordCantChange message) most often when a standard domain user tries to change their expired password at login. The user enters a new password, hits enter, and gets slapped with this error. It also pops up when someone tries to use the Ctrl+Alt+Del change password option or via Remote Desktop Services. The real-world trigger? Some admin set the 'User cannot change password' flag on the account and forgot about it. Or a script bulk-created accounts with that checkbox ticked.
Root Cause (Plain English)
Active Directory has a per-user checkbox called 'User cannot change password.' When that's checked, the domain controller rejects any password change request from that user account — even if the password is expired. The error code 0X000008C3 (decimal 2245) maps directly to this setting. It's not a policy issue or a permission problem. It's a single attribute: userCannotChangePassword set to TRUE. Nine times out of ten, that's your culprit. Don't waste time checking password policies, group policy, or network connectivity until you verify this flag.
Fix: Uncheck the Box
You need to clear the 'User cannot change password' setting. Two ways to do it — Active Directory Users and Computers (ADUC) or PowerShell. I'll walk both.
Method 1: ADUC (GUI)
- Open Active Directory Users and Computers (dsa.msc) on a domain controller or a machine with RSAT installed.
- Navigate to the user's organizational unit (OU).
- Right-click the user account and select Properties.
- Go to the Account tab.
- Look under Account options for the checkbox labeled User cannot change password.
- If it's checked, uncheck it.
- Click OK.
- Have the user try changing their password again. It should work now.
Pro tip: This checkbox is stupidly easy to miss. I've seen admins accidentally check it when setting other account flags like 'Password never expires.' Always double-check this one.
Method 2: PowerShell (Faster for Bulk Fixes)
If you're dealing with multiple users or just prefer the command line, use the Active Directory module.
Get-ADUser -Identity "username" -Properties CannotChangePassword | Set-ADUser -CannotChangePassword $false
Replace "username" with the actual sAMAccountName. For a whole list of users in an OU:
Get-ADUser -Filter * -SearchBase "OU=Users,DC=domain,DC=com" -Properties CannotChangePassword | Where-Object { $_.CannotChangePassword -eq $true } | Set-ADUser -CannotChangePassword $false
Run that, and you're done. No reboot needed. The change takes effect immediately.
What to Check If It Still Fails
If the user still gets 0X000008C3 after you've unchecked that box, look at these:
- Replication lag: If you made the change on one DC and the user authenticates against another, the change might not have replicated yet. Force replication with repadmin /syncall or wait a few minutes.
- Read-only DC (RODC): RODCs cache user attributes. If the account is on an RODC, the change needs to replicate there too.
- Password complexity: Make sure the new password meets your domain's complexity requirements. Sometimes the error message is misleading, and the real issue is a weak password.
- Account lockout or disabled: Check the account status. A locked or disabled account can also throw random errors when trying to change passwords.
But honestly? 90% of the time, it's that checkbox. Uncheck it, move on.
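As an added example that is not from the original post, this PowerShell function ties Method 2 and the checklist above together: it reads the flag and account state from every writable DC so replication lag shows up as disagreement between them, and with -Fix it clears the flag on the PDC emulator and pushes replication. The function name, the 'jdoe' account and the repadmin /syncall /A /e flags (all partitions, cross-site) are my assumptions.

```powershell
# Assumes the ActiveDirectory RSAT module, rights to read and modify the user,
# and repadmin.exe on the admin workstation. Not code from the original post.
function Repair-PasswordChangeBlock {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [switch]$Fix
    )
    $props = 'CannotChangePassword', 'Enabled', 'LockedOut', 'PasswordExpired'
    # Ask every writable DC directly: if they disagree, the fix has not replicated yet.
    # RODCs only cache the object, so they are left out of the comparison.
    $dcs = Get-ADDomainController -Filter * |
        Where-Object { -not $_.IsReadOnly } | Select-Object -ExpandProperty HostName
    $view = foreach ($dc in $dcs) {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc -Properties $props
        [pscustomobject]@{
            DC                   = $dc
            CannotChangePassword = $u.CannotChangePassword
            Enabled              = $u.Enabled
            LockedOut            = $u.LockedOut
            PasswordExpired      = $u.PasswordExpired
        }
    }
    $view | Format-Table -AutoSize | Out-String | Write-Host

    $flagged = @($view | Where-Object { $_.CannotChangePassword })
    if ($flagged.Count -eq 0) {
        Write-Host "Flag is clear on all $($view.Count) DCs; check password complexity and account state next."
    } elseif ($flagged.Count -lt $view.Count) {
        Write-Warning "Flag is set on $($flagged.Count) of $($view.Count) DCs: replication lag, not a second problem."
    } else {
        Write-Warning "'User cannot change password' is set everywhere; this is what produces 0x000008C3."
    }
    if ($view | Where-Object { -not $_.Enabled -or $_.LockedOut }) {
        Write-Warning 'Account is disabled or locked out on at least one DC; clear that too.'
    }

    if ($Fix -and $flagged.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($SamAccountName, 'Clear CannotChangePassword')) {
        # Write on the PDC emulator, then push the change out so every DC agrees.
        $pdc = (Get-ADDomain).PDCEmulator
        Set-ADUser -Identity $SamAccountName -Server $pdc -CannotChangePassword $false
        repadmin /syncall $pdc /A /e | Out-Null
    }
    return $view
}

# 'jdoe' is a placeholder; -WhatIf shows what -Fix would change without touching AD.
Repair-PasswordChangeBlock -SamAccountName 'jdoe' -Fix -WhatIf
```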