Windows 2016 Remote Desktop Server RDS doesn’t allow change password at next logon

We have seen several users have this issue where they cannot log in if the “User must change password at next logon” checkbox in user properties has been enabled. Various comments and posts online indicate that changes to the Windows authentication process in recent OS versions don’t allow users to change an expired password via RDP when Network Level Authentication (NLA) or Credential Security Support Provider (CredSSP) is enabled. This is only an issue when trying to force users to change their password in an RDP session; it works fine from a console session if you are local to the machine.

If the “User must change password at next logon” box is currently checked, try un-checking it. Remember to always create complex, strong passwords!

Users can manually change their password upon logon by pressing Ctrl+Alt+End and following the change password prompts.
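
The check and the un-check step above can be scripted when many accounts are affected. The following is an added example, not part of the original post: it assumes domain accounts, the RSAT ActiveDirectory module, and that it is run on the RDS host. The `-SearchBase` and `-ClearFlag` parameters are names chosen for this example.

```powershell
#Requires -Modules ActiveDirectory
# Added example: assumes domain (not local) accounts and the RSAT ActiveDirectory module.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SearchBase,   # optional OU distinguished name to limit the search (example parameter)
    [switch]$ClearFlag     # without this switch the script only reports (example parameter)
)

# 1. Does this host require NLA? UserAuthentication = 1 means NLA is required.
#    Group Policy can override this local value.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
Write-Host "NLA required on this host: $($nla -eq 1)"

# 2. AD stores "User must change password at next logon" as pwdLastSet = 0.
#    The second clause of the filter skips disabled accounts.
$query = @{
    LDAPFilter = '(&(pwdLastSet=0)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    Properties = 'pwdLastSet', 'LastLogonDate'
}
if ($SearchBase) { $query.SearchBase = $SearchBase }
$flagged = @(Get-ADUser @query)

Write-Host "Enabled accounts that will be blocked at RDP logon: $($flagged.Count)"
$flagged | Sort-Object SamAccountName |
    Format-Table SamAccountName, LastLogonDate, DistinguishedName -AutoSize

# 3. Clear the flag only when asked; -WhatIf shows what would change without changing it.
if ($ClearFlag) {
    foreach ($user in $flagged) {
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Clear must-change-password flag')) {
            Set-ADUser -Identity $user -ChangePasswordAtLogon $false
        }
    }
}
```

Once the flag is cleared the account still has the password an administrator assigned, so have the user change it with Ctrl+Alt+End after they log on.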