The correct answer is D. Password policies. CompTIA DataSys+ emphasizes that password policies are a core component of authentication and security controls within database systems and enterprise environments. When new users are required to change their credentials for the first time, the system typically enforces predefined password rules. If the new credentials do not meet these rules, the system will reject them automatically.

Password policies define specific requirements such as minimum password length, complexity (use of uppercase letters, lowercase letters, numbers, and special characters), password history, expiration intervals, and restrictions against using previously compromised or common passwords. In many environments, first-time password changes are subject to the strictest enforcement of these rules to ensure strong baseline security from the start of a user’s lifecycle.

Option A, identity management, focuses on the creation, provisioning, and lifecycle management of user identities across systems. While identity management systems initiate the credential change process, they do not usually enforce the detailed rules that cause a password to be rejected. Option B, access controls, govern what resources a user can access after authentication, not whether a password itself is valid. Option C, service accounts, are non-interactive accounts used by applications or services and are unrelated to new end-user credential changes.

DataSys+ documentation highlights that authentication failures during credential updates are most commonly tied to policy enforcement, not permissions or account type. This includes scenarios where users unknowingly violate complexity rules or reuse default or temporary passwords that are explicitly disallowed.

Therefore, the rejection of new credentials during a first-time password change is best explained by password policies, making option D the most accurate and verified answer according to CompTIA DataSys+ principles.