[keycloak-user] Keycloak self registration and Active Directory issues
Chris Smith
chris.smith at cmfirstgroup.com
Thu Jul 11 13:56:19 EDT 2019
My requirements are:
1. Active Directory federation (really only as a Kerberos server... I have a Windoze-only requirement imposed on me)
2. Keycloak self-registration for users
3. Application and user maintenance done with as much out-of-the-box Keycloak as possible
4. Application admins should never have access to AD management.
I've set as many AD password policies as I can easily find or google to be as permissive as possible:
Policy
- Enforce password history: 0 passwords remembered
- Maximum password age: 0
- Minimum password age: 0 days
- Minimum password length: 1 characters
- Password must meet complexity requirements: Disabled
- Store passwords using reversible encryption: Not Defined
I've set these KC password policies:
- Minimum Length: 8
- Uppercase Characters: 1
- Lowercase Characters: 1
- Expire Password: 30
- Special Characters: 1
- Not Username
- Not Recently Used: 25
- Digits: 1
KC Authentication > Required Action
- Update Password: disabled
So when a new user uses self-registration, the user account in AD is set to require a password change.
Any advice on how to change that?
In Active Directory I remove the "Require password change" flag on the user account.
The KC user login then fails with an "Invalid user or password" error.
If I try to change the new user's password in the KC console, I get:
Error! Could not modify attribute for DN [CN=xxx.yyyy,CN=Users,DC=xxx-sso,DC=com]
Any advice on what is going on?
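An added worked example, not code from the original post, from Keycloak or from Microsoft: it decodes the AD attributes behind "User must change password at next logon" (pwdLastSet = 0 and the userAccountControl bits) from an LDAP entry, shows the LDAP modification that clears that state and the unicodePwd encoding AD expects when a password is reset over LDAPS, and checks a candidate password against the Keycloak policy terms listed in the post. The sample entry, the policy dictionary and its field names are constructed for the example; no directory is contacted.

```python
# Added example (not from the original post, Keycloak or Microsoft).
# Decodes the AD state behind "must change password at next logon", builds the
# values a password reset over LDAPS needs, and evaluates a password against the
# Keycloak policy terms from the post. Entry and policy below are constructed.
import datetime

# userAccountControl bits as documented by Microsoft (ADS_USER_FLAG_ENUM).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
    0x800000: "PASSWORD_EXPIRED",
}

# FILETIME epoch (1601-01-01 UTC); AD large-integer timestamps are 100 ns ticks.
FILETIME_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)


def filetime_to_datetime(ticks):
    """Convert pwdLastSet / lastLogon style values to a UTC datetime; 0 -> None."""
    ticks = int(ticks)
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + datetime.timedelta(microseconds=ticks // 10)


def uac_flags(entry):
    """Names of the userAccountControl bits set on the entry, lowest bit first."""
    uac = int(entry.get("userAccountControl", 0))
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


def must_change_password(entry):
    """AD stores 'User must change password at next logon' as pwdLastSet = 0.
    AD refuses a simple LDAP bind for such an account, which a federated login
    only sees as an authentication failure."""
    return int(entry.get("pwdLastSet", 0)) == 0


def clear_must_change_modification():
    """LDAP replace that clears the flag: writing -1 to pwdLastSet makes AD
    stamp it with the current time. Returned as (attribute, value) for any LDAP
    client; the bind account needs write access to pwdLastSet on the target."""
    return ("pwdLastSet", "-1")


def encode_unicode_pwd(password):
    """unicodePwd value: the password wrapped in double quotes, UTF-16LE.
    AD only accepts writes to it over a confidential connection (LDAPS/StartTLS)."""
    return ('"' + password + '"').encode("utf-16-le")


def keycloak_policy_violations(password, username, policy):
    """Names of the policy terms a password fails. The policy keys mirror the
    Keycloak admin console fields from the post (mapping assumed)."""
    problems = []
    if len(password) < policy.get("length", 0):
        problems.append("length")
    if sum(c.isupper() for c in password) < policy.get("upperCase", 0):
        problems.append("upperCase")
    if sum(c.islower() for c in password) < policy.get("lowerCase", 0):
        problems.append("lowerCase")
    if sum(c.isdigit() for c in password) < policy.get("digits", 0):
        problems.append("digits")
    # Keycloak treats any character that is neither letter nor digit as special.
    if sum(not c.isalnum() for c in password) < policy.get("specialChars", 0):
        problems.append("specialChars")
    if policy.get("notUsername") and password.lower() == username.lower():
        problems.append("notUsername")
    return problems


# Constructed sample entry, string-valued as ldapsearch/ldap3 would return it.
SAMPLE_ENTRY = {
    "sAMAccountName": "jdoe",
    "userAccountControl": "512",   # NORMAL_ACCOUNT only
    "pwdLastSet": "0",             # must change password at next logon
}

# The KC policy terms from the post (Expire Password and history omitted).
POST_POLICY = {"length": 8, "upperCase": 1, "lowerCase": 1, "digits": 1,
               "specialChars": 1, "notUsername": True}

if __name__ == "__main__":
    print(uac_flags(SAMPLE_ENTRY), must_change_password(SAMPLE_ENTRY))
    print(clear_must_change_modification())
    print(encode_unicode_pwd("Passw0rd!").hex())
    print(keycloak_policy_violations("passw0rd", "jdoe", POST_POLICY))
```

Feed the entry returned by your LDAP client into `must_change_password` and `uac_flags` to see what AD thinks of a freshly self-registered account, and compare `keycloak_policy_violations` output with the realm policy before assuming the directory rejected the password. A unicodePwd write that fails on a plain LDAP port or under a bind account without reset-password rights surfaces in Keycloak only as a generic modify error.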