Solved

Cannot change expired passwords in AD 2003

Posted on 2008-06-13
Last Modified: 2013-12-04
Hello all,

All of my accounts, including Administrator, have expired on my 2003 AD.  When I attempt to login, I get a message that states I need to change my password.  I enter a new password but it always fails with the "your password does not meet the minimum complexity requirements".

I surpass the complexity requirements as stated in the message:

number of passwords remembered: 5
maximum password age: 60 days
minimum password age: 1 day
minimum password length: 9 characters

I created a 20 character password consisting of random numbers, symbols and letters - some in caps, others in lower case.  No go.  I tried a different combination, still the same error.

I have also tried the following link:
http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm

The password will not change and since the accounts are all expired, I cannot sign on.  I have local administrator access, but nothing on the domain.  Is GP messed up?

Thanks for your help!
Question by:bkrull72
LVL 24

Expert Comment

by:ryansoto
ID: 21782896
You should still be able to log on locally as you specified and then change your password in ADUC.
Still looking into why
 
LVL 24

Expert Comment

by:ryansoto
ID: 21782910
LVL 24

Expert Comment

by:ryansoto
ID: 21782919
This article goes into it a little deeper but basically adjust your security policy down to 0 days to test and then if it works it gives steps on what to do from there....

http://support.microsoft.com/?kbid=273004

Author Comment

by:bkrull72
ID: 21783657
Thanks for your reply Ryan.  The only way I can log on locally is through safe mode, which doesn't allow me to access the domain.  The minimum age should be 1, but I can't verify that since I can't log in to the domain.  The error message I receive states that the minimum age is 1.

The kicker here is that Administrator has the same complexity requirements as a regular user.  Not my choice, but was required by the agency I work for.  I'm completely shut out of the domain.
LVL 38

Expert Comment

by:ChiefIT
ID: 21784462
Ryan, what do you think of this idea?

You might have to run a GPOfix at the command prompt. That should reset the Default domain policy. Once done, you might be able to logon to the domain.  If you can do that, you might need to go into active directory users and computers and remove "Password never expires". Then, you can redo your Default domain policy to prompt you when the password expires.

Currently I am running into an issue where you have to log on twice in order for the password policy to kick in. Complex passwords are a Computer policy, not a User policy.

Another thing to consider is the hierarchy of Group policy. A local policy will override a Domain policy. So, if you can logon locally or in safe mode, you can create a local policy on the DC to forget about complex passwords and expired passwords. Then you might be able to remove the lock you have in AD. That may give you an opportunity to get in control of the domain.  

This is a tough one.
LVL 24

Expert Comment

by:ryansoto
ID: 21787203
I would try Chief's suggestion.  It should reset the domain policy and allow you back in.
Per another thread found here
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_21628188.html

Run this syntax if you have Exchange:
dcgpofix /ignoreschema /Target:Domain

Author Comment

by:bkrull72
ID: 21793882
I'm trying to run the command.  The problem is I can only access the server through Directory Services Restore Mode.  I thought I could access safe mode as Administrator, but I'm receiving a message that the account is disabled.  Great.  I've used the Offline NT Password & Registry Editor to make sure Administrator is enabled, which it is, but I keep getting the disabled message.

When I run the DCGPOFIX on the DC, I get a message that says the tool needs to be run on a domain controller?
LVL 24

Expert Comment

by:ryansoto
ID: 21794214
I haven't seen it not work like that.  At this point I would look to reset the password with a tool
http://www.lostpassword.com/windows.htm?utm_source=petri&utm_medium=banner&utm_content=v1

If you're not willing to go this route I would next call MS and open a support ticket to get the domain up and running.
LVL 24

Expert Comment

by:ryansoto
ID: 21794248
Here is also a step by step to try before my above post-
It will reset your domain admin password but you have to be able to log on to the machine as a local admin.  I believe you said you can do this.

http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm

Author Comment

by:bkrull72
ID: 21794415
I have tried the Petri steps, but domain admin would not reset.  I have used these steps before and they worked fine.
LVL 24

Expert Comment

by:ryansoto
ID: 21794501
Did you try it on both DCs?
If no go then I would either try a tool or call MS to see what can be done

Author Comment

by:bkrull72
ID: 21796456
I was able to get the domain admin account reset using Lost Password.  The downside is that it did not reset the expiration date on the account.  So now it tries to log in using the new password, but I'm immediately prompted to enter a new password.  Of course, whatever I enter does not meet the complexity requirements.
LVL 24

Expert Comment

by:ryansoto
ID: 21796714
I'm out of ideas.  Unless someone else has anything I would consider calling MS
LVL 38

Expert Comment

by:ChiefIT
ID: 21800342
Do you currently have any machines you have logged on as an administrator? If so, do NOT log off.

Try a remote desktop to the server. You should already be active as an administrator. So, If you have the ability to logon with a RD connection, then you can edit the Domain policies that way.

You need the ability to edit the domain policies or meet the complexity requirements. Also, you need the ability to unlock the Administrator account. Also, you need the ability to log on locally so you can enter into safe mode.

Author Comment

by:bkrull72
ID: 21802506
All of my clients are prompting for credentials.  I tried remote desktop, net user commands, etc from the client but I am told the password has expired.  I was able to reset domain admin using Lost Password, but I'm still prompted to change the password the first time I sign in.  I then get the "password does not meet complexity requirements".

I know I need to wipe out the GPOs, but I can't get to them.
LVL 24

Expert Comment

by:ryansoto
ID: 21803943
If you can log on in directory services mode you should have access to the OS right?
The GPOs are located in the C:\WINDOWS\SYSVOL\sysvol\domain\Policies folder
You won't be able to tell which one is which but that is where the files are located.
Without having access to active directory you take a crap shoot if you delete them.
I guess the only thing I would be worried about is the default domain policy, the rest can be rebuilt.
Although you can rebuild the policies back to default by running the gpo fix as Chief stated earlier.

Accepted Solution

by:
bkrull72 earned 0 total points
ID: 21804081
This has been resolved.  The system sets the password complexity through GPO, but there was also a PASSFLT loaded on the domain controllers.  I believe between the GPO and the PASSFLT there was a conflict preventing me from changing passwords.  I removed the PASSFLT from the PDC registry, rebooted, and I was able to change the password.

On the PDC's registry, edit:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Double-click the Notification Packages key and remove the PASSFLT string. Then restart the server.
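As an added example (not from the thread or from any of its participants), the following PowerShell audits the `Notification Packages` multi-string value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which names every DLL that LSASS loads and hands each new password to, and removes a single entry the way the accepted solution did by hand. The baseline list of expected packages is an assumption for a Windows Server 2003 domain controller; as the solution notes, the change only takes effect after a reboot.

```powershell
# Added example: audit the LSA password-filter list on a DC and, when asked,
# remove one entry (e.g. PASSFLT). Run elevated; written for PowerShell 2.0+.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaNotificationPackage {
    # Assumed baseline for a Windows Server 2003 DC; anything not listed here
    # was added by an administrator (or by something else) and deserves a look.
    $baseline = 'scecli', 'RASSFM', 'KDCSVC'
    $names = (Get-ItemProperty -Path $LsaKey -Name 'Notification Packages').'Notification Packages'
    foreach ($name in $names) {
        # Entries are bare module names; LSASS resolves them from System32.
        $dll = Join-Path $env:SystemRoot ("System32\" + $name + ".dll")
        $signature = if (Test-Path $dll) {
            (Get-AuthenticodeSignature -FilePath $dll).Status
        } else {
            'FileMissing'
        }
        New-Object PSObject -Property @{
            Name       = $name
            Path       = $dll
            InBaseline = ($baseline -contains $name)
            Signature  = $signature
        }
    }
}

function Remove-LsaNotificationPackage {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory = $true)][string]$Name)
    $current = (Get-ItemProperty -Path $LsaKey -Name 'Notification Packages').'Notification Packages'
    if ($current -notcontains $Name) {
        Write-Warning "$Name is not in Notification Packages; nothing to do."
        return
    }
    # Rewrite the REG_MULTI_SZ without the named entry, keeping the others intact.
    [string[]]$remaining = @($current | Where-Object { $_ -ne $Name })
    if ($PSCmdlet.ShouldProcess("$LsaKey\Notification Packages", "Remove $Name")) {
        Set-ItemProperty -Path $LsaKey -Name 'Notification Packages' -Value $remaining -Type MultiString
        Write-Output "Removed $Name. LSASS re-reads this list only at boot; reboot the DC."
    }
}

# Usage: list what is loaded, then preview the removal before committing to it.
Get-LsaNotificationPackage | Format-Table Name, InBaseline, Signature, Path -AutoSize
# Remove-LsaNotificationPackage -Name PASSFLT -WhatIf
```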
LVL 24

Expert Comment

by:ryansoto
ID: 21804105
I couldn't find any info on this, where did you find it?  Great work!
LVL 38

Expert Comment

by:ChiefIT
ID: 21804572
Excellent!!