We are trying to enable a Server 2003 group policy to force password changes every 90 days.  We also wish to exclude some users from the policy.  We have done this (we think) on our domain, but when we try to change a regular user's password, we get an error.  It says the new password does not meet the complexity requirements for length, history or complexity when we know that it does.
nsx106052 Commented:
A password policy will need to be set for the default domain policy.  As far as excluding members from changing this you will need to make sure they are not a domain or enterprise admin.
spollak (Author) Commented:
We have already enabled the password policy but when we try to test it, the users that we want to comply with the policy will not work properly.  Our test user cannot get past the complexity requirements for the new password and the old one still works no matter what we try as a password.  We have excluded administrators from the policy and they can create a password that is not complex but the average user cannot.
ChiefIT Commented:
Under Active Directory Users and Computers on each user, you can select "password never expires". That overrides the default domain policy. This includes password age, complexity, etc.
spollak (Author) Commented:
We would like to leave this question open, because we don't feel a satisfactory solution has been provided yet.  We have created a policy which requires complex passwords and have exempted the administrators group from this policy, and this part works fine.  Domain users are required to change and create complex passwords, while a given group, in this case administrators, are not, which is what we wanted to achieve.  The issue we are having is that when domain users are required to change their password, they cannot create a password that meets the complexity requirements no matter what they enter, so they cannot successfully change their password.
Glen Knight Commented:
OK, you can only have one password policy per domain; the only way to exclude users from the policy is to check the "password never expires" under properties then account section.

To set the policy you would use group policy, and in the section Computer Configuration > Windows Settings > Security Settings > Account Policies/Password Policy you would make your settings.

You would then apply this at domain level.
Henrik Johansson (Systems engineer) Commented:
A limitation in Windows Server 2003 AD is that you have one password policy in the domain.
In Windows Server 2008 AD, you can have fine-grained password policy objects making it possible to have multiple password policies in the domain.
