I'm in the midst of rolling AD SS out and as I remove the pw block from users ad accounts, many are being in effect locked immediately before able to register with AD SS.  As I have it configured now, when they attempt to sign in the first time, they get a password has expired error, contact your sys admin.  Most users aren't on this domain, so they can't ctrl alt delete and change it that way either.

Is there a setting I'm missing somewhere to allow them to register and unlock simultaneously?