Suddenly no users are able to log in. Federation services are OK and trusts are in place. When a user's password is reset, that user can log in again. A full password resync then restores access.
Run the script C:\IAMCloud\DC\pwpol.ps1.
The exact PowerShell command is:
Get-ADDefaultDomainPasswordPolicy | Set-ADDefaultDomainPasswordPolicy -ComplexityEnabled $false -PasswordHistoryCount 0 -MinPasswordLength 3 -MaxPasswordAge 10000.00:00:00 -MinPasswordAge 0
Of these parameters, -MaxPasswordAge (set here to 10000 days) is the one that stops passwords expiring; the others relax complexity, password history and minimum length.
This can be caused by the password policy on the CDC, or the default settings being incorrect.
When a CDC is built, a script is run that relaxes the password policy and extends the maximum password age. The issue is that by default a CDC expires passwords after 42 days.
If that script has not run, passwords expire after 42 days and users are forced to reset them. While a user's password is expired, AD blocks that user from logging in.
To check whether this is the problem, go to the CDC and open Group Policy Management. Select Default Domain Policy and click the Settings tab. Then expand Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies/Password Policy and click Show.
You will see the settings currently in effect. The important one is Maximum Password Age: if it still shows the 42-day default rather than the IAM Cloud settings, the script has not been applied.
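The same check can be done from PowerShell on the CDC. The following is an added diagnostic example, not the pwpol.ps1 script from this page; it assumes the ActiveDirectory module is available and compares the live Default Domain Policy against the 42-day default and the 10000-day value pwpol.ps1 sets, then lists the enabled users whose passwords have already expired.

```powershell
# Added diagnostic example (not the page's pwpol.ps1): run on the CDC in an
# elevated PowerShell session with the ActiveDirectory module installed.
Import-Module ActiveDirectory

# 42 days is the Windows default that causes the expiry symptom;
# 10000 days is the value the page's pwpol.ps1 command applies.
$defaultMaxAge  = New-TimeSpan -Days 42
$expectedMaxAge = New-TimeSpan -Days 10000

function Test-CdcPasswordPolicy {
    $policy = Get-ADDefaultDomainPasswordPolicy

    [pscustomobject]@{
        MaxPasswordAge       = $policy.MaxPasswordAge
        ComplexityEnabled    = $policy.ComplexityEnabled
        MinPasswordLength    = $policy.MinPasswordLength
        PasswordHistoryCount = $policy.PasswordHistoryCount
        # True when the policy still carries the 42-day default, i.e. pwpol.ps1 never ran
        AtWindowsDefault     = ($policy.MaxPasswordAge -eq $defaultMaxAge)
        # True when the maximum age matches what pwpol.ps1 sets
        MatchesIamCloud      = ($policy.MaxPasswordAge -eq $expectedMaxAge)
    }
}

function Get-ExpiredPasswordUsers {
    # Enabled user accounts whose password has already expired under the current policy.
    # Many results here together with AtWindowsDefault = True confirms the cause above.
    Search-ADAccount -PasswordExpired -UsersOnly |
        Where-Object { $_.Enabled } |
        ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties PasswordLastSet } |
        Select-Object SamAccountName, PasswordLastSet
}

$state = Test-CdcPasswordPolicy
$state | Format-List

if ($state.AtWindowsDefault) {
    Write-Warning "Default Domain Policy still has the 42-day MaxPasswordAge; run C:\IAMCloud\DC\pwpol.ps1."
    $expired = Get-ExpiredPasswordUsers
    Write-Host ("{0} enabled user(s) currently have an expired password:" -f @($expired).Count)
    $expired | Format-Table -AutoSize
}
```

If a user still expires after pwpol.ps1 has been run, Get-ADUserResultantPasswordPolicy -Identity <user> shows whether a fine-grained password policy is overriding the Default Domain Policy for that account.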