0X000008C2

Fix 0X000008C2: Password Expired Error on Windows Login

Windows Errors | Beginner | May 26, 2026

This error pops up when a user's password has expired, blocking login to a Windows machine or domain. It's common after password policy changes or missed expiry warnings.

When This Error Shows Up

You're trying to log into a Windows machine — could be Windows 10, 11, or a Server 2019/2022 box — and instead of your desktop, you get hit with error 0X000008C2, often paired with the message "The password of this user has expired". This usually happens after a domain password policy change (like a new 90-day expiry rule) or when a user ignores those "your password expires in X days" warnings for too long. I've also seen it on standalone machines after a local password policy update via GPEdit or net accounts.

Root Cause

The culprit here is almost always one thing: the user's password has exceeded its maximum age. Windows keeps track of when a password was last changed. If that age exceeds the value set in the password policy (default is 42 days on domain controllers, 0 = never expires locally), it flags the account. The error code 0X000008C2 is just the hex representation of the NT status code meaning "password expired." It's not a bug — it's Windows doing exactly what it's told. The tricky part is that you can't bypass this error by typing the old password again. You must change it.

Fix Steps

  1. Try logging in normally and changing the password at the prompt. On some systems (especially Windows 10 1809+), you'll get a dialog that says "Your password has expired and must be changed" with fields for old and new password. If you see that, just fill it in. If the error kills the login entirely (common with RDP or older builds), skip to step 2.
  2. Use the "Other user" option. On the login screen, click "Other user" (or press Ctrl+Alt+Del, then select "Switch user"). Enter the username in DOMAIN\username format (for domain) or MACHINENAME\username (local). Leave the password field blank and hit Enter. This sometimes triggers a password change prompt on the backend. It's a dirty trick, but it's worked for me on Server 2016 more than once.
  3. Reset the password from another admin account. If you have another local admin account (like the built-in Administrator) or a domain admin, log in with that. Then:
    • Open Computer Management → Local Users and Groups → Users.
    • Right-click the locked user → Set Password.
    • Proceed with the warning — this will force a new password. Log out and have the user log in with the new password.
  4. If it's a domain account, reset via Active Directory. On a domain controller (or a machine with RSAT tools):
    • Open Active Directory Users and Computers.
    • Find the user → right-click → Reset Password.
    • Check "User must change password at next logon". This forces the user to set a new password on their next login.
  5. For local accounts, use Safe Mode with Command Prompt. If you can't get another admin account, boot into Safe Mode with Networking (press F8 at startup or Shift+Restart from the login screen). At the login screen, select Administrator (often hidden but available in Safe Mode). Once in, open an elevated command prompt and run:
    net user USERNAME NEWPASSWORD
    Replace USERNAME and NEWPASSWORD. Then log out and log in normally with the new password.
  6. Last resort — offline password reset. Tools like Hiren's Boot CD or chntpw can reset local passwords from a bootable USB. This is your hail mary. Run it, select the SAM hive, clear the password for the target user. Not elegant, but it works.

Still Failing? Check These

If the fix steps above didn't work, don't keep banging your head. Check these three things:

  • Account is locked, not just expired. Run net user USERNAME /domain from a command prompt (or net user USERNAME for local). Look for "Account active" and "Account locked." If it's locked, unlock it from AD or with net user USERNAME /active:yes.
  • Password policy is set to "0" (never expires). If you reset the password but the account still has an old expiry date, the policy might be caching. Run gpupdate /force on the machine, then check with net accounts /domain for domain or net accounts for local. The "Maximum password age" should match what you expect.
  • Corrupt user profile. Rare, but I've seen it. If the user can log in with a new password but gets the error again immediately, their profile might be toast. Rename the user's folder in C:\Users (e.g., C:\Users\oldusername.bak), then log in fresh. Windows creates a new profile. Copy their data from the backup folder.
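
For domain accounts, the expired / locked / disabled distinction above can be checked in one pass before anyone resets a password. The following is an added example, not part of the original playbook. It assumes the ActiveDirectory module from RSAT is installed; the function name Get-LogonBlockReason and the account name jdoe are placeholders made up for illustration.

```powershell
# Added example: report why a domain logon is refused, without changing the account.
# Requires the ActiveDirectory module (RSAT). Read-only: it never resets or unlocks.
Import-Module ActiveDirectory

function Get-LogonBlockReason {
    param([Parameter(Mandatory)][string]$Identity)

    $u = Get-ADUser -Identity $Identity -Properties Enabled, LockedOut,
            PasswordExpired, PasswordNeverExpires, PasswordLastSet,
            'msDS-UserPasswordExpiryTimeComputed'

    # The computed expiry is a FILETIME. 0 means pwdLastSet is 0 (must change at
    # next logon); Int64.MaxValue means no expiry applies. FromFileTime() throws
    # on the latter, so both are mapped to $null.
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    $expires = $null
    if ($raw -and $raw -ne [Int64]::MaxValue) {
        $expires = [datetime]::FromFileTime($raw)
    }

    # Order matters: a disabled or locked account is refused whatever the password
    # age is, and "must change at next logon" also reports PasswordExpired = True.
    if (-not $u.Enabled) {
        $reason = 'Disabled'
    } elseif ($u.LockedOut) {
        $reason = 'LockedOut'
    } elseif ($null -eq $u.PasswordLastSet) {
        $reason = 'MustChangeAtNextLogon'
    } elseif ($u.PasswordExpired) {
        $reason = 'PasswordExpired'
    } else {
        $reason = 'NoBlockFound'
    }

    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Reason          = $reason
        PasswordLastSet = $u.PasswordLastSet
        PasswordExpires = $expires
        NeverExpires    = $u.PasswordNeverExpires
    }
}

# 'jdoe' is a placeholder account name.
Get-LogonBlockReason -Identity 'jdoe'
```

Only a Reason of PasswordExpired or MustChangeAtNextLogon calls for the password steps; Disabled and LockedOut need the account re-enabled or unlocked instead.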

That's the full playbook. I've used every one of these steps in production. Skip the fluff — start with step 1, escalate as needed. You'll have them logged in within 10 minutes.
