Hello,
Thank you for posting here.
Based on a test in my lab:
If I deny the domain Administrator the permission "write pwdLast" on one (www3) of five users (daisy1, daisy2, daisy3, daisy4 and www3), the option “User must change password at next logon” becomes greyed out.
So we can check whether the specific user (the one we log on to the DC with) is denied the permission "write pwdLast" for this one user.
1. Right-click this user account\Properties\Security tab\Advanced
2. Effective access tab\Select the specific user (the one we log on to the DC with) and click View effective access.

1. Right-click this user account\Properties\Security tab\Advanced
2. Check whether there is any Deny entry under Permission Entries.
3. Check whether this deny entry is inherited from its parent OU or domain.
4. Check whether the permission "write pwdLast" is denied for this one user.
If you find the deny permission, we can remove it. Then check whether the option “User must change password at next logon” has changed.
Best Regards,
Daisy Zhou
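
The same permission check as a script, added here as an example and not part of the original answer. It assumes the RSAT ActiveDirectory module on a domain-joined machine; the function name `Get-PwdLastSetDenyAce` is hypothetical, and `pwdLastSet` is the LDAP name of the attribute behind the "User must change password at next logon" checkbox.

```powershell
# Added example: list Deny ACEs on one user object that block writing pwdLastSet.
Import-Module ActiveDirectory

function Get-PwdLastSetDenyAce {
    param(
        # sAMAccountName or distinguished name of the user to inspect
        [Parameter(Mandatory)] [string] $Identity
    )

    # Read the attribute's GUID and its property-set GUID from the schema
    # instead of hard-coding them.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC `
                -LDAPFilter '(lDAPDisplayName=pwdLastSet)' `
                -Properties schemaIDGUID, attributeSecurityGUID

    # A Deny ACE blocks the write if it targets all properties (empty GUID),
    # the attribute itself, or the property set that contains it.
    $targets = @([guid]::Empty, [guid]$attr.schemaIDGUID)
    if ($attr.attributeSecurityGUID) {
        $targets += [guid]$attr.attributeSecurityGUID
    }

    $user = Get-ADUser -Identity $Identity
    $acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

    # GenericAll and GenericWrite also carry the WriteProperty bit.
    $write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            ($_.ActiveDirectoryRights -band $write) -and
            ($targets -contains $_.ObjectType)
        } |
        Select-Object IdentityReference, ActiveDirectoryRights,
                      ObjectType, IsInherited, InheritanceType
}

# Usage, with the lab account named in the answer:
# Get-PwdLastSetDenyAce -Identity 'www3'
```

`IsInherited` shows whether the entry comes from a parent OU or the domain, and `IdentityReference` has to be compared with the logged-on account and the groups it belongs to.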