From the Windows Start menu, go to Control Panel -> Administrative Tools -> Active Directory User and Computers.
When the Active Directory User and Computers window is displayed, go the Active Directory Users pane (on the right) and select Users.
Right-click the George Washington entry and select Properties from the pop-up menu.
When the George Washington Properties dialog box is displayed, check the Account options section and you can see that the User must change password at next logon check box is enabled, which means George Washington will be required to change his password the next time he logs on.
If you log in as George Washington, you can see that Windows is correctly tracking the entry because the log-in attempt displays the Logon Message dialog box stating, “Your password has expired and must be changed.”
Click OK to close the Logon Message dialog box and to display the Change Password dialog box to provide a new password.
Enter and confirm a new password, but do not provide a value for the Old Password field.
This is first time the user has logged on (since being created over protocol), so supplying an old password value will cause an error message and Windows will ask you to enter the new password again.
Click OK to save the new password and close the Change Password dialog box.
If Windows accepts the new password, a message is displayed stating that the new password has been accepted.
At this point, George Washington's entry has moved from Case 3 (where the Windows entry is stale and the LDAP store is current) to Case 2 (where Windows is current and the LDAP store entry is stale).
George Washington's entry will maintain this condition until the next time he binds to the LDAP store. At that time, the entry will move to the Case 1 (where the entry is current on both Windows and the LDAP store).