Interesting. It sounds like the AD flag to require a password change at next logon is set for new users, which is a pretty common AD config. The AD team confirmed that's not the case?
@alexjdale They have confirmed so. These are users that have previously used their logins on campus. Weird issue :/
Interesting. I have run into this over the last 12 months or so on our lab Macs, but don't yet have a solution.
The issue was present in macOS 10.12 and remains after upgrades to 10.14. We use an AD binding script rather than a configuration profile.
Incidentally, I've never seen the issue on our staff, non-lab Macs. The only difference there is that we re-use values for the uidNumber and gidNumber attributes in AD from our LDAP server (used for our Linux machines). Our lab iMacs use system-generated values for these attributes.
The plan here is to move to either NoMAD or Jamf Connect in the next year or so and come away from AD binding. That project will also involve us leveraging the Jamf AD-CS Connector, as our staff Wi-Fi network relies on device-based authentication from domain-joined computers.

Looks like someone else has seen the issue in this thread.