Mark asked:

can't change password on WIN7 workstation on SBS 2008 domain

One of the users who had a WIN7 workstation on our SBS 2008 domain tried to change his password, but got the message that the password did not satisfy the complexity criteria. He tried several times. So did I. Nada. The SBS server console tells me the complexity is still the way it used to be: minimum of 8 characters from 3 of 4 of UPPER CASE LETTER, lower case letter, digits, special characters. I have confirmed the passwords we are trying to enter conform to this. I even tried my own password, which conformed when I set it.

What could the problem be? This is really going to become a big issue as user passwords start expiring.
Cliff Galiher

The console reports on the group policy it expects to be in place, but if a custom GP was created outside of SBS then the console will be unaware of that.

Fire up the Group Policy Management Console (GPMC) in the Admin tools and use the Group Policy Results Wizard to see which policies are being applied to that user on that machine. You can view the resultant set of policies, see what the complexity is set to, and see which policy it is pulling that setting from. Once you know where that policy got set you can go and remove it or change it as necessary.

-Cliff
Mark (ASKER)
cgaliher: thanks for the response. Could you help me drill down a bit more? I used the results wizard as you suggested. I have tabs for Summary and Settings. I believe I've looked through the details on both of those tabs and I can see nothing related to password complexity.
Mark (ASKER)
More information. I thought I'd try removing, then reattaching this user's workstation from the domain. Microsoft had done that in the past to resolve GP issues, so I thought it worth a try.

After reconnecting, I was able to change the password! I thought the problem was solved. I called the user in to have him change his pw to what he wanted. He couldn't. I tried again. I couldn't. My guess is that I was able to change it before the Group Policies got re-updated on his workstation.

Hope that helps. Anybody?
ASKER CERTIFIED SOLUTION
Rob Williams

(solution text only available to Experts Exchange members)
Mark (ASKER)
Sorry, I thought I closed this one ... Yup, it was the 2-day thing. I had the user go in and try it again after a few days and he did it, no problem. I seem to be ranting on Microsoft a lot lately, but for one thing, I don't get the security advantage in not letting a user change his/her password for two days. What if the user simply forgot what he/she changed it to? Wait 2 days or contact the system administrator? Again, what's the point/benefit? Secondly, and even more irritating, what's with the error message about the password not satisfying the complexity criteria? This problem has absolutely nothing to do with complexity criteria and the message has put me on a week-long wild goose chase. Why not a message that says, "password may not be changed for X days ..."? end-of-rant.

Rob Williams

Glad to hear that worked for you. As for the logic behind it:

If you set the minimum password age to '0' the user can change their password as often as they like.

However, according to Group Policy documentation, if the admin sets or changes a user's password and checks the box "the user must change their password at next logon", it is only enforced if the minimum password age is set to '1' or greater. Therefore best practice states that it should not be set to 0.

The other issue is users like to always use the same password. If you have a policy that forces users to change their password every 'x' days and cannot use the same password for 'y' times, with minimum age set to '0', the user can repeatedly change their password 'y' times until they can use the same one again. With the default being 24 times, I really can't see a user doing so or even figuring that out, but it is reason #2 for not setting it to 0.

I agree it can be frustrating and some may not agree but there was thought behind the default policy settings. In a non-SBS domain you would manually enable and set the policy settings. SBS has many defaults options preset.
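The minimum-age behaviour Rob describes can be checked directly on the domain rather than inferred from the misleading "complexity" error. The script below is an added example, not code from this thread or from Microsoft: it reads the domain-wide minPwdAge, maxPwdAge, pwdHistoryLength and pwdProperties attributes and the user's pwdLastSet through System.DirectoryServices (which exists on Windows 7 and SBS 2008 without the ActiveDirectory module), then reports the earliest moment that user may change their own password. It assumes it is run as a domain user on a domain-joined machine; the account name "jdoe" is a placeholder.

```powershell
# Added example (not code from the thread): report the effective domain password
# policy and the earliest moment a given user may change their own password.
# Uses System.DirectoryServices only, so it runs on Windows 7 / SBS 2008 without
# the ActiveDirectory module. Assumptions: run as a domain user on a domain-joined
# machine; the account name below is a placeholder.
param(
    [string]$SamAccountName = "jdoe"   # placeholder account name; replace with the real one
)

# Find the domain naming context (e.g. DC=contoso,DC=local) via RootDSE.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext

# Domain-wide policy attributes live on the domain head object. The age values are
# stored as negative counts of 100-nanosecond intervals, so negate before converting.
$ticksPerDay = 864000000000   # 24h * 60m * 60s * 10,000,000 ticks per second

$domainSearcher = New-Object System.DirectoryServices.DirectorySearcher
$domainSearcher.SearchRoot  = [ADSI]"LDAP://$domainDn"
$domainSearcher.SearchScope = "Base"
$domainSearcher.Filter      = "(objectClass=domainDNS)"
[void]$domainSearcher.PropertiesToLoad.AddRange(
    [string[]]@("minPwdAge", "maxPwdAge", "pwdHistoryLength", "pwdProperties"))
$domain = $domainSearcher.FindOne()
if (-not $domain) { throw "Could not read the domain object $domainDn" }

$minAgeRaw     = [int64]$domain.Properties["minpwdage"][0]
$maxAgeRaw     = [int64]$domain.Properties["maxpwdage"][0]
$minAgeDays    = (-$minAgeRaw) / $ticksPerDay
# Int64.MinValue in maxPwdAge means "passwords never expire".
$maxAgeDays    = if ($maxAgeRaw -eq [int64]::MinValue) { "never" } else { (-$maxAgeRaw) / $ticksPerDay }
$historyLength = [int]$domain.Properties["pwdhistorylength"][0]
# Bit 0 of pwdProperties is DOMAIN_PASSWORD_COMPLEX (complexity requirements enabled).
$complexityOn  = ([int]$domain.Properties["pwdproperties"][0] -band 1) -eq 1

# Now the user: pwdLastSet is a FILETIME; 0 means "must change password at next logon".
$userSearcher = New-Object System.DirectoryServices.DirectorySearcher
$userSearcher.SearchRoot = [ADSI]"LDAP://$domainDn"
$userSearcher.Filter     = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
[void]$userSearcher.PropertiesToLoad.AddRange([string[]]@("pwdLastSet"))
$user = $userSearcher.FindOne()
if (-not $user) { throw "User '$SamAccountName' not found under $domainDn" }

$pwdLastSetRaw = [int64]$user.Properties["pwdlastset"][0]
if ($pwdLastSetRaw -eq 0) {
    $lastSet        = $null
    $earliestChange = "now (flagged 'must change password at next logon')"
} else {
    $lastSet        = [DateTime]::FromFileTimeUtc($pwdLastSetRaw).ToLocalTime()
    # The minimum-age window starts at the last (admin or user) password set time.
    $earliestChange = $lastSet.AddDays($minAgeDays)
}

New-Object PSObject -Property @{
    User                  = $SamAccountName
    MinPasswordAgeDays    = $minAgeDays
    MaxPasswordAgeDays    = $maxAgeDays
    PasswordHistoryLength = $historyLength
    ComplexityEnabled     = $complexityOn
    PasswordLastSet       = $lastSet
    EarliestUserChange    = $earliestChange
} | Format-List
```

If EarliestUserChange is still in the future, a self-service change will be refused regardless of how complex the new password is, which is the situation in this thread. The same domain-level numbers are visible with `net accounts /domain`; note that on Server 2008 a fine-grained password policy (PSO) applied to the user or one of their groups takes precedence over these domain defaults, so a mismatch between this output and observed behaviour is a reason to look for a PSO.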
Mark (ASKER)

Thanks for the reply. I also think it highly unlikely for a user to cycle through 24 passwords to get back to their "favorite." In fact, I doubt many people even know this magic number. We are fixing a non-problem and creating a problem in the process. In any case, a proper error message would be nice.
Mark (ASKER)

Thanks again!

Rob Williams

>>"We are fixing a non-problem and creating a problem in the process"
Actually the policy needs to be in place for reason #1 (force user to change password); reason #2 (24 passwords) I don't see either.

SBS 2003 prompted you "do you want to enable password security" at some point and recommended you review the policies (i.e. defaults) if you said yes. I don't think 2008 does this, but even that would be a good feature.