diff --git a/routers/admin/users.go b/routers/admin/users.go
index fdc4e0e371..2284f21838 100644
--- a/routers/admin/users.go
+++ b/routers/admin/users.go
@@ -79,12 +79,11 @@ func NewUserPost(ctx *context.Context, form auth.AdminCreateUserForm) {
 	}
 
 	u := &models.User{
-		Name:               form.UserName,
-		Email:              form.Email,
-		Passwd:             form.Password,
-		IsActive:           true,
-		LoginType:          models.LoginPlain,
-		MustChangePassword: form.MustChangePassword,
+		Name:      form.UserName,
+		Email:     form.Email,
+		Passwd:    form.Password,
+		IsActive:  true,
+		LoginType: models.LoginPlain,
 	}
 
 	if len(form.LoginType) > 0 {
@@ -95,9 +94,12 @@ func NewUserPost(ctx *context.Context, form auth.AdminCreateUserForm) {
 			u.LoginName = form.LoginName
 		}
 	}
-	if !password.IsComplexEnough(form.Password) {
-		ctx.RenderWithErr(ctx.Tr("form.password_complexity"), tplUserNew, &form)
-		return
+	if u.LoginType == models.LoginPlain {
+		if !password.IsComplexEnough(form.Password) {
+			ctx.RenderWithErr(ctx.Tr("form.password_complexity"), tplUserNew, &form)
+			return
+		}
+		u.MustChangePassword = form.MustChangePassword
 	}
 	if err := models.CreateUser(u); err != nil {
 		switch {
diff --git a/templates/admin/user/new.tmpl b/templates/admin/user/new.tmpl
index b9e326e734..06b7d70efe 100644
--- a/templates/admin/user/new.tmpl
+++ b/templates/admin/user/new.tmpl
@@ -42,7 +42,7 @@
 					<input id="password" name="password" type="password" value="{{.password}}" {{if eq .login_type "0-0"}}required{{end}}>
 				</div>
 
-				<div class="inline field">
+				<div class="inline field local{{if ne .login_type "0-0"}} hide{{end}}">
 					<div class="ui checkbox">
 						<label><strong>{{.i18n.Tr "auth.allow_password_change" }}</strong></label>
 						<input name="must_change_password" type="checkbox" checked>