Cannot change expired passwords in AD 2003

Posted on 2008-06-13
Last Modified: 2013-12-04
Hello all,

All of my accounts, including Administrator, have expired on my 2003 AD.  When I attempt to log in, I get a message that states I need to change my password.  I enter a new password but it always fails with the "your password does not meet the minimum complexity requirements".

I surpass the complexity requirements as stated in the message:

number of passwords remembered: 5
maximum password age: 60 days
minimum password age: 1 days
minimum password length: 9 characters

I created a 20 character password consisting of random numbers, symbols and letters - some in caps, others in lower case.  No go.  I tried a different combination, still the same error.

I have also tried the following link:
http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm

The password will not change and since the accounts are all expired, I cannot sign on.  I have local administrator access, but nothing on the domain.  Is GP messed up?

Thanks for your help!
Question by:bkrull72
19 Comments
 
LVL 24

Expert Comment

by:ryansoto
ID: 21782896
You should still be able to log on locally as you specified and then change your password in ADUC.
Still looking into why
0
 
LVL 24

Expert Comment

by:ryansoto
ID: 21782910
0
 
LVL 24

Expert Comment

by:ryansoto
ID: 21782919
This article goes into it a little deeper but basically adjust your security policy down to 0 days to test and then if it works it gives steps on what to do from there....

http://support.microsoft.com/?kbid=273004
0

Author Comment

by:bkrull72
ID: 21783657
Thanks for your reply Ryan.  The only way I can log on locally is through safe mode, which doesn't allow me to access the domain.  The minimum age should be 1, but I can't verify that since I can't log in to the domain.  The error message I receive states that the minimum age is 1.

The kicker here is that Administrator has the same complexity requirements as a regular user.  Not my choice, but was required by the agency I work for.  I'm completely shut out of the domain.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 21784462
Ryan, what do you think of this idea?

You might have to run a GPOfix at the command prompt. That should reset the Default domain policy. Once done, you might be able to logon to the domain.  If you can do that, you might need to go into active directory users and computers and remove "Password never expires". Then, you can redo your Default domain policy to prompt you when the password expires.

Currently I am running into an issue where you have to log on twice in order for the password policy to kick in. Complex passwords are a Computer policy, not a User policy.

Another thing to consider is the hierarchy of Group policy. A local policy will override a Domain policy. So, if you can logon locally or in safe mode, you can create a local policy on the DC to forget about complex passwords and expired passwords. Then you might be able to remove the lock you have in AD. That may give you an opportunity to get in control of the domain.  

This is a tough one.
0
 
LVL 24

Expert Comment

by:ryansoto
ID: 21787203
I would try Chief's suggestion.  It should reset the domain policy and allow you back in.
Per another thread found here
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_21628188.html

Run this syntax if you have Exchange (the switch is /ignoreschema; the original post misspelled it):
dcgpofix /ignoreschema /Target:Domain

0
 

Author Comment

by:bkrull72
ID: 21793882
I'm trying to run the command.  The problem is I can only access the server through Directory Services Restore Mode.  I thought I could access safe mode as Administrator, but I'm receiving a message that the account is disabled.  Great.  I've used the Offline NT Password & Registry Editor to make sure Administrator is enabled, which it is, but I keep getting the disabled message.

When I run the DCGPOFIX on the DC, I get a message that says the tool needs to be run on a domain controller?
0
 
LVL 24

Expert Comment

by:ryansoto
ID: 21794214
I haven't seen it not work like that.  At this point I would look to reset the password with a tool
http://www.lostpassword.com/windows.htm?utm_source=petri&utm_medium=banner&utm_content=v1

If you're not willing to go this route I would next call MS and open a support ticket to get the domain up and running.
0
 
LVL 24

Expert Comment

by:ryansoto
ID: 21794248
Here is also a step by step to try before my above post-
It will reset your domain admin password but you have to be able to log in onto the machine as a local admin on the local machine.  I believe you said you can do this.

http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm
0
 

Author Comment

by:bkrull72
ID: 21794415
I have tried the Petri steps, but domain admin would not reset.  I have used these steps before and they worked fine.  
0
 
LVL 24

Expert Comment

by:ryansoto
ID: 21794501
Did you try it on both DCs?
If no go then I would either try a tool or call MS to see what can be done
0
 

Author Comment

by:bkrull72
ID: 21796456
I was able to get the domain admin account reset using Lost Password.  The downside is that it did not reset the expiration date on the account.  So now it tries to log in using the new password, but I'm immediately prompted to enter a new password.  Of course, whatever I enter does not meet the complexity requirements.
0
 
LVL 24

Expert Comment

by:ryansoto
ID: 21796714
I'm out of ideas.  Unless someone else has anything I would consider calling MS
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 21800342
Do you currently have any machines you have logged on as an administrator? If so, do NOT log off.

Try a remote desktop to the server. You should already be active as an administrator. So, If you have the ability to logon with a RD connection, then you can edit the Domain policies that way.

You need the ability to edit the domain policies or meet the complexity requirements. Also, you need the ability to unlock the Administrator account. Also, you need the ability to log on locally so you can enter into safe mode.
0
 

Author Comment

by:bkrull72
ID: 21802506
All of my clients are prompting for credentials.  I tried remote desktop, net user commands, etc from the client but I am told the password has expired.  I was able to reset domain admin using Lost Password, but I'm still prompted to change the password the first time I sign in.  I then get the "password does not meet complexity requirements".

I know I need to wipe out the GPOs, but I can't get to them.
0
 
LVL 24

Expert Comment

by:ryansoto
ID: 21803943
If you can log on in directory services mode you should have access to the OS right?
The GPOs are located in the C:\WINDOWS\SYSVOL\sysvol\domain\Policies folder
You won't be able to tell which one is which but that is where the files are located.
Without having access to active directory you take a crap shoot if you delete them.
I guess the only thing I would be worried about is the default domain policy, the rest can be rebuilt.
Although you can rebuild the policies back to default by running the gpo fix as Chief stated earlier.

0
 

Accepted Solution

by:
bkrull72 earned 0 total points
ID: 21804081
This has been resolved.  The system sets the password complexity through GPO, but there was also a PASSFLT loaded on the domain controllers.  I believe between the GPO and the PASSFLT there was a conflict preventing me from changing passwords.  I removed the PASSFLT from the PDC registry, rebooted, and I was able to change the password.

On the PDC's registry, edit:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Double-click the Notification Packages key and remove the PASSFLT string. Then restart the server.
0
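An added example, not from this thread or its participants: a PowerShell script that audits the LSA "Notification Packages" value the accepted solution edited, flags any package outside a baseline (assumed here to be scecli and rassfm, the usual DC defaults), checks whether each DLL exists and is signed, and offers a -WhatIf-capable removal for a named package such as PASSFLT. It is written for PowerShell 2.0 syntax so it can run on an older DC in an elevated session.

```powershell
# Added example (not part of the original thread). Assumptions: baseline packages
# scecli and rassfm are the expected defaults on a DC; change $Baseline to match yours.
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Baseline = @('scecli', 'rassfm')

function Get-LsaNotificationPackages {
    # REG_MULTI_SZ is returned as a string array; drop blank entries
    $value = (Get-ItemProperty -Path $LsaKey -Name 'Notification Packages').'Notification Packages'
    return @($value | Where-Object { $_ -and $_.Trim() })
}

function Test-LsaNotificationPackages {
    # One row per registered package: baseline vs. unexpected, DLL presence, signature status
    param([string[]]$Expected = $Baseline)
    foreach ($pkg in Get-LsaNotificationPackages) {
        $dll = Join-Path $env:SystemRoot ("System32\" + $pkg + ".dll")
        $status = if ($Expected -contains $pkg) { 'baseline' } else { 'UNEXPECTED' }
        $sig = if (Test-Path $dll) { (Get-AuthenticodeSignature $dll).Status } else { 'DLL missing' }
        New-Object PSObject -Property @{ Package = $pkg; Status = $status; Dll = $dll; Signature = $sig }
    }
}

function Remove-LsaNotificationPackage {
    # Removes one package name from the multi-string; LSA only reloads the list on restart
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Name)
    $current = Get-LsaNotificationPackages
    if (-not ($current -contains $Name)) { Write-Warning "$Name is not registered"; return }
    $new = @($current | Where-Object { $_ -ne $Name })
    if ($PSCmdlet.ShouldProcess($LsaKey, "remove '$Name' from Notification Packages")) {
        Set-ItemProperty -Path $LsaKey -Name 'Notification Packages' -Value $new -Type MultiString
        Write-Output "Removed $Name; restart the DC so LSA reloads its package list."
    }
}

# Usage: audit first, then dry-run the removal before committing to it
Test-LsaNotificationPackages | Format-Table Package, Status, Signature, Dll -AutoSize
Remove-LsaNotificationPackage -Name 'PASSFLT' -WhatIf
```

Run the removal without -WhatIf only after confirming the audit output; export the key first so the original value can be restored.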
 
LVL 24

Expert Comment

by:ryansoto
ID: 21804105
I couldn't find any info on this; where did you find it?  Great work!
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 21804572
Excellent!!
0
