• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 347
  • Last Modified:

Meeting Password Complexity Requirements on a Workstation Computer

I'm running a Windows Server 2003 AD Environment with five workstations and one server.  For security we use the built-in password requirments including:
 - User must change password every 90 days
 - Password must be at least 7 characters long
 - Password cannot have been used within last 12 passwords
 - Password must contain 3 of the follwing four items:
  * Uppercase English characters
  * Lowercase English characters
  * Numbers
  * Punctuation
 - Password cannot contain user name/full name

The problem is, when it comes time for a user to change their password, they can't.  Any password chosen, regardless of whether it meets the complexity requirements, is denied.  This only happens at a client workstation.  I can set the password to ANYthing valid on the server.

When I try to change the password on the workstation, I recieve the error:
 Your password must be at least 7 characters; cannot repeat any of your previous 12 passwords; must contain capitals, numberals or punctuation; and cannot contain account or full name.  Please type a different password.  Type password which meets these requirements in both text boxes.
0
lordcelerborn
Asked:
lordcelerborn
1 Solution
 
SembeeCommented:
Does it let you change the password at all?
For example if you entered something like

!2S%d5zx

Does it let you change it?

What about (just in case you have made an error)

!QWE?-123lkj

(Which is three punctuation, three upper, three lower and three numbers).

You need to verify whether it is a general problem with changing password or just complexity requirements.

I will say that those requirements are quite tough - even I am not that mean to my users.
Password complexity is a difficult business. Make it too easy and compromised accounts could cause a problem. Make it too tough and you have no security as users will write them down on post it notes.

Simon.
0
 
lordcelerbornAuthor Commented:
Well, thanks to Simon's reccomendation to check that Complexity Requirements was the ONLY factor, I noticed a minimum password age of 89 days (compared to the maximum age of 90), giving users a one day password change window.

Now that I changed it, the passwords are working fine.  As far as the "harshness" of my password requirements, I partially agree.  Unfortunately, you cannot adjust the complexity requirements (the part which requires three of the four character types).  Personally I would only want two, but 2003 Server doesn't let you change it.

Thanks,
Mike
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now