Solved

Cannot change expired passwords in AD 2003

Posted on 2008-06-13
19 Comments
425 Views
Last Modified: 2013-12-04
Hello all,

All of my accounts, including Administrator, have expired on my 2003 AD.  When I attempt to login, I get a message that states I need to change my password.  I enter a new password but it always fails with the "your password does not meet the minimum complexity requirements".

I surpass the complexity requirements as stated in the message:

number of passwords remembered: 5
maximum password age: 60 days
minimum password age: 1 days
minimum password length: 9 characters

I created a 20 character password consisting of random numbers, symbols and letters - some in caps, others in lower case.  No go.  I tried a different combination, still the same error.

I have also tried the following link:
http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm

The password will not change and since the accounts are all expired, I cannot sign on.  I have local administrator access, but nothing on the domain.  Is GP messed up?

Thanks for your help!
Question by:bkrull72
19 Comments
 
LVL 24

Expert Comment

by:ryansoto
You should still be able to log on locally as you specified and then change your password in ADUC.
Still looking into why

LVL 24

Expert Comment

by:ryansoto

LVL 24

Expert Comment

by:ryansoto
This article goes into it a little deeper but basically adjust your security policy down to 0 days to test and then if it works it gives steps on what to do from there....

http://support.microsoft.com/?kbid=273004

Author Comment

by:bkrull72
Thanks for your reply Ryan.  The only way I can log on locally is through safe mode, which doesn't allow me to access the domain.  The minimum age should be 1, but I can't verify that since I can't login to the domain.  The error message I receive states that the minimum age is 1.

The kicker here is that Administrator has the same complexity requirements as a regular user.  Not my choice, but was required by the agency I work for.  I'm completely shut out of the domain.

LVL 38

Expert Comment

by:ChiefIT
Ryan, what do you think of this idea?

You might have to run a GPOfix at the command prompt. That should reset the Default domain policy. Once done, you might be able to logon to the domain.  If you can do that, you might need to go into active directory users and computers and remove "Password never expires". Then, you can redo your Default domain policy to prompt you when the password expires.

Currently I am running into an issue where you have to logon twice in order for the password policy to kick in. Complex passwords are a Computer policy, not a User policy.

Another thing to consider is the hierarchy of Group policy. A local policy will override a Domain policy. So, if you can logon locally or in safe mode, you can create a local policy on the DC to forget about complex passwords and expired passwords. Then you might be able to remove the lock you have in AD. That may give you an opportunity to get in control of the domain.  

This is a tough one.

LVL 24

Expert Comment

by:ryansoto
I would try Chief's suggestion.  It should reset the domain policy and allow you back in.
Per another thread found here
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_21628188.html

Run this syntax if you have exchange
dcgpofix /ignoreschema /Target:Domain


Author Comment

by:bkrull72
I'm trying to run the command.  The problem is I can only access the server through Directory Services Restore Mode.  I thought I could access safe mode as Administrator, but I'm receiving a message that the account is disabled.  Great.  I've used the Offline NT Password & Registry Editor to make sure Administrator is enabled, which it is, but I keep getting the disabled message.

When I run the DCGPOFIX on the DC, I get a message that says the tool needs to be run on a domain controller?

LVL 24

Expert Comment

by:ryansoto
I haven't seen it not work like that.  At this point I would look to reset the password with a tool
http://www.lostpassword.com/windows.htm?utm_source=petri&utm_medium=banner&utm_content=v1

If you're not willing to go this route I would next call MS and open a support ticket to get the domain up and running.

LVL 24

Expert Comment

by:ryansoto
Here is also a step by step to try before my above post-
It will reset your domain admin password but you have to be able to log in onto the machine as a local admin on the local machine.  I believe you said you can do this.

http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm

Author Comment

by:bkrull72
I have tried the Petri steps, but domain admin would not reset.  I have used these steps before and they worked fine.  

LVL 24

Expert Comment

by:ryansoto
Did you try it on both DC's?
If no go then I would either try a tool or call MS to see what can be done

Author Comment

by:bkrull72
I was able to get the domain admin account reset using Lost Password.  The downside is that it did not reset the expiration date on the account.  So now it tries to login using the new password, but I'm immediately prompted to enter a new password.  Of course, whatever I enter does not meet the complexity requirements.  

LVL 24

Expert Comment

by:ryansoto
I'm out of ideas.  Unless someone else has anything I would consider calling MS

LVL 38

Expert Comment

by:ChiefIT
Do you currently have any machines you have logged on as an administrator? If so, do NOT log off.

Try a remote desktop to the server. You should already be active as an administrator. So, If you have the ability to logon with a RD connection, then you can edit the Domain policies that way.

You need the ability to edit the domain policies or meet the complexity requirements. Also, you need the ability to unlock the Administrator account. Also, you need the ability to logon locally so you can enter into a safemode.

Author Comment

by:bkrull72
All of my clients are prompting for credentials.  I tried remote desktop, net user commands, etc from the client but I am told the password has expired.  I was able to reset domain admin using Lost Password, but I'm still prompted to change the password the first time I sign in.  I then get the "password does not meet complexity requirements".

I know I need to wipe out the GPOs, but I can't get to them.

LVL 24

Expert Comment

by:ryansoto
If you can log on in directory services mode you should have access to the OS right?
The GPOs are located in the C:\WINDOWS\SYSVOL\sysvol\domain\Policies folder
You won't be able to tell which one is which but there is where the files are located.
Without having access to active directory you take a crap shoot if you delete them.
I guess the only thing I would be worried about is the default domain policy, the rest can be rebuilt.
Although you can rebuild the policies back to default by running the gpo fix as Chief stated earlier.

Accepted Solution

by:bkrull72 (earned 0 total points)
This has been resolved.  The system sets the password complexity through GPO, but there was also a PASSFLT loaded on the domain controllers.  I believe between the GPO and the PASSFLT there was a conflict preventing me from changing passwords.  I removed the PASSFLT from the PDC registry, rebooted, and I was able to change the password.

On the PDC's registry, edit:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Double-click the Notification Packages key and remove the PASSFLT string. Then restart the server.
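An added PowerShell example, not from the thread, that audits the same LSA value before anyone edits it by hand. Each name under Notification Packages is a password filter DLL that LSA loads from System32 and consults on every password change, so a stale or failing entry such as PASSFLT can reject every new password exactly as described above. The function names are mine; it assumes PowerShell 2.0 or later running elevated on the DC, and that scecli and rassfm are the only entries Windows itself registers on a domain controller.

```powershell
# Added example (not part of the original thread): audit and, on request, remove an
# entry from the LSA "Notification Packages" REG_MULTI_SZ that the accepted solution edits.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaNotificationPackage {
    [CmdletBinding()]
    param()
    # Assumption: scecli and rassfm are the entries Windows itself registers on a DC;
    # anything else is a third-party password filter and worth a look.
    $builtin = @('scecli', 'rassfm')
    $packages = (Get-ItemProperty -Path $LsaKey -Name 'Notification Packages').'Notification Packages'
    foreach ($name in $packages) {
        $dll = Join-Path $env:SystemRoot "System32\$name.dll"
        New-Object PSObject -Property @{
            Package   = $name
            IsBuiltin = ($builtin -contains $name)   # -contains is case-insensitive
            DllPath   = $dll
            DllExists = (Test-Path -LiteralPath $dll)  # a missing DLL is a red flag on its own
        }
    }
}

function Remove-LsaNotificationPackage {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Name)
    $current   = @((Get-ItemProperty -Path $LsaKey -Name 'Notification Packages').'Notification Packages')
    $remaining = @($current | Where-Object { $_ -ne $Name })   # -ne is case-insensitive
    if ($remaining.Count -eq $current.Count) {
        Write-Warning "$Name is not registered under Notification Packages; nothing to do."
        return
    }
    if ($PSCmdlet.ShouldProcess($LsaKey, "Remove '$Name' from Notification Packages")) {
        # Write the whole remaining array back as REG_MULTI_SZ; LSA only re-reads it at boot,
        # so the DC must be restarted afterwards, as the accepted solution says.
        Set-ItemProperty -Path $LsaKey -Name 'Notification Packages' -Value $remaining -Type MultiString
    }
}

# Audit first, then preview the removal; drop -WhatIf to apply it and reboot the DC.
Get-LsaNotificationPackage | Format-Table Package, IsBuiltin, DllExists, DllPath -AutoSize
Remove-LsaNotificationPackage -Name 'PASSFLT' -WhatIf
```

The audit half is also a quick way to check other domain controllers for the same filter, since a password filter only affects changes processed by the DC it is registered on.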

LVL 24

Expert Comment

by:ryansoto
I couldn't find any info on this where did you find it?  Great work!

LVL 38

Expert Comment

by:ChiefIT
Excellent!!