Solved

Cannot deny user from domain password policy

Posted on 2004-03-25
Last Modified: 2012-05-04
I have a user who I did not want to apply the domain password policy (complex passwords, password history, etc.)  I enforced the policy, then realized this user account must not use the policy.  I opened the policy from AD users and computers applied to the domain for the password, went into the security tab, added the user account, and denied all for the policy.  I still cannot change the password for this user because an error appears saying "cannot change the password because the password does not meet the password policy requirements."  What am I missing here?
Question by:zbruski

Accepted Solution

by: briancassin earned 250 total points
ID: 10683244
see this

"The Password Cannot Be Changed at This Time" Error Message When You Try to Change a User's Password
This article was previously published under Q273004
SYMPTOMS
When you try to change a user's password, you may receive the following error message:

The password cannot be changed at this time.
This error can occur when the user is logged on to a client or to the server's console.

When you reset passwords on an account by using the Active Directory Users and Computers snap-in, you may receive the following error message:

Windows can not complete the password change for user name because:
The password does not meet the password policy requirements. Check the minimum password length, password complexity, and password history requirements.
CAUSE
This behavior may occur if the Group Policy object for the user's organizational unit has the Minimum Password Age setting configured as Not Defined. The Default Domain Group Policy object is the default configuration container for users.
RESOLUTION
To resolve this behavior, configure the Minimum Password Age policy setting to 0 days. To do this, define the policy setting, and then configure it. The policy settings should be configured in the Default Domain Group Policy object for users.

To configure the policy setting, follow these steps:
1. Open Active Directory Users and Computers management console.
2. Right-click the name of the domain, and then click Properties.

   Note: If users are configured to a specific organizational unit, select the organizational unit where the users reside.
3. Click the Group Policy tab, click Default Domain Policy, and then click Edit. The Group Policy Editor opens.
4. Expand Computer Configuration, click Windows Settings, click Account Policies, and then click Password Policy.
5. Right-click Minimum Password Age, and then click Security.
6. Click to select the Define this policy setting check box, and then set the counter to 0 days.

   Note: 0 days is the default policy setting in Default Domain Policy.

   After you set the Minimum Password Age setting, the Suggested Value Changes dialog box appears. It indicates that the Maximum Password Age setting will be changed to 30 days.

   If you do not change this value, every user who has a password that is 30 days and older receives an error message when they log on that states that their password has expired and that it has to be changed. To set a higher value, click the Maximum Password Age policy that is above the Minimum Password Age policy after the Minimum Password Age setting is applied, and then increase or reduce this setting according to your preferences.

   Note: You cannot set the Maximum Password Age setting to 0. If you do, this setting will disable the Minimum Password Age policy.
7. Click OK to close the Security Policy setting.
8. Close Group Policy Editor and the Active Directory Users and Computers management console.
9. To update the policy setting, open a command prompt at the domain controller, and then run the following command:

   secedit /refreshpolicy machine_policy /enforce

   You may have to restart the domain controller for this policy to be updated.
MORE INFORMATION
If no Minimum Password Age setting is wanted, administrators may mistakenly configure this policy setting to "Not Defined". If this policy setting is not defined in Default Domain Policy, password changes cannot occur.

You can obtain more information about Group Policy for Microsoft Windows 2000 from the following locations:
The "Group Policy" section of Chapter 11 in the Windows 2000 Resource Kit's Deployment Planning Guide. To see the online version, visit the following Microsoft Web site:
http://www.microsoft.com/windows2000/techinfo/reskit/dpg/default.asp

The "Group Policy" overview. To see the online version, visit the following Microsoft Web site:
http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolicyintro.asp

The "Windows 2000 Group Policy" white paper. To see the online version, visit the following Microsoft Web site:
http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp


also check this

Cannot Enable the Disabled Active Directory User Accounts Created Using Management Agent
This article was previously published under Q282224
SYMPTOMS
You created disabled accounts using the Active Directory Management Agent (MA). When you attempt to enable these accounts, you may receive the following error message:

Windows cannot Enable Object Userx because:
Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirement for the domain.
CAUSE
This behavior can occur because a password policy has been set on the domain and the password assigned to the user does not meet this requirement.
RESOLUTION
To resolve this behavior, you must either reset the password to meet the requirement or change the password policy to a less stringent requirement. Select either of the following methods to resolve this behavior:
Steps to Reset the Password
1. Start the Active Directory Users and Computer administrators tool.
2. Select a user account under the domain and the container where the user is located.
3. Right-click on the user and select the option to reset the password.
4. Type in the password that follows your security policy. If the Password Complexity feature is enabled, you need to have one capital letter and a number included in the password. The Password History or the Length Requirements features may also cause the preceding error message.
5. Confirm the password and click OK to close the dialog box.

Steps to Verify and Change the Domain Security Settings Password
1. Open the Active Directory Users and Computers management console.
2. Right-click the name of the domain and click Properties.
3. Click the Group Policy tab.
4. Click Default Domain Policy.
5. Click Edit to open the Group Policy Editor.

   NOTE: Security policies can only be applied at the domain level.
6. Expand Computer Configuration.
7. Click Windows Settings.
8. Click Security Settings.
9. Click Account Policies.
10. Click Password Policy.
11. Check the settings of the Minimum Password Length, Password History, and Password Complexity features.
12. To view the settings and to change them, double-click on each policy.
13. Click OK to close the Security Policy setting.
14. Close Group Policy Editor.
15. Close the Active Directory Users and Computers management console.
16. To update the policy setting, refer to the next section entitled: "Steps to Refreshing the Machine Policy on a Domain Controller".

MORE INFORMATION
Steps to Refreshing the Machine Policy on a Domain Controller
1. Open a command prompt at the domain controller.
2. Type: secedit /refreshpolicy machine_policy /enforce

The following message should be displayed: "Group policy propagation from the domain has been initiated for this computer. It may take a few minutes for the propagation to complete and the new policy to take effect. Please check Application Log for errors, if any."
0
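
The first KB article quoted above traces the error to Minimum Password Age being left "Not Defined" in the domain's password policy. As an added example (not part of the original thread or of the Microsoft articles), this Python code lists the password settings that a GPO security template (GptTmpl.inf) leaves undefined; it assumes the standard [System Access] key names and runs on a constructed sample template.

```python
# Added example: flag password-policy settings left "Not Defined" in a GPO
# security template (GptTmpl.inf). SAMPLE_INF is constructed, not real data.
# Real templates are usually UTF-16; decode the file before passing text in.

PASSWORD_KEYS = (
    "MinimumPasswordAge", "MaximumPasswordAge", "MinimumPasswordLength",
    "PasswordComplexity", "PasswordHistorySize",
)

SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
; MinimumPasswordAge is missing here, i.e. "Not Defined" in the editor
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_system_access(text):
    """Return {setting: int} for the [System Access] section only."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "system access" and "=" in line:
            key, _, value = line.partition("=")
            try:
                settings[key.strip()] = int(value.strip())
            except ValueError:
                continue  # non-numeric entries are not password settings
    return settings


def undefined_password_settings(text):
    """Names of password-policy settings absent from the template."""
    defined = parse_system_access(text)
    return [key for key in PASSWORD_KEYS if key not in defined]


if __name__ == "__main__":
    for name in undefined_password_settings(SAMPLE_INF):
        print(f"{name}: Not Defined in this GPO")
```

A setting that is absent from the template is what the Group Policy editor displays as "Not Defined"; once Minimum Password Age is defined as 0 days, as the article's resolution describes, the function returns an empty list for that template.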
 

Expert Comment

by:Antowh76
ID: 10683404
Just deny "apply" the policy for that user, not more.
Policies are applied after an amount of time (I don't remember after how long), after a logon, or after the command from the prompt "secedit /refreshpolicy user_policy".
So, try the second or the third solution and let us know the result.

Regards, Antonio
0
 

Expert Comment

by:Fatal_Exception
ID: 10683448
Policies are refreshed between 90 and 120 minutes after configuring them, unless you push the policy out with a command line..

Password policies are always applied at the Domain Level, so there is no way to create a separate OU for this user and separate them from the pack..  But you might use the Deny permission for that specific user, as mentioned above..  never tried it, but it might just work..

FE
0
 

Author Comment

by:zbruski
ID: 10683510
Applying additional policies with slacker password requirements and denying policies to both the domain and OU (knew password policy for domain would override but still gave it a shot) all failed. I had to end up making the first domain policy for the password less restrictive; then I could change it back to the original password. The correct answer was the last portion of briancassin's response.
0