How to enable password group policy for server 2003 and exclude some users

We are trying to enable a server 2003 group policy to force password changes every 90 days.  We also wish to exclude some users from the policy.  We have done this, (we think) on our domain but when we try to change a regular users password, we get an error.  It says the new password does not meet the complexity requirements for lenght, history or complexity when we know that it does.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

A password policy will need to be set for the default domain policy.  As far as excluding members from changing this you will need to make sure they are not a domain or enterprise admin.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
spollakAuthor Commented:
We have already enable the password policy but when we try to test it, the users that we want to comply with the policy will not work properly.  Our test user cannot get past the complexity requirements for the new password and the old one still works no matter what we try as a password.  We have excluded administrators from the policy and they can create a password that is not complex but the average user cannot.
Under Active Directory Users and computers on each user, you can select "password never expires". That overrides the default domain policy. This includes password age, complexity, ect....
10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

spollakAuthor Commented:
We would like to leave this question open, because we don't feel a satisfactory solution has been provided yet.  We have created a policy which requires complex passwords and have exempted the administrators group from this policy, and this part works fine.  Domain users are required to change and create complex passwords, while a given group, in this case administrators, are not, which is what we wanted to achieve.  The issue we are having is that when domain users are required to change their password, they cannot create a password that meets the complexity requirements no matter what they enter, so they cannot successfully change their password.
Glen KnightCommented:
Ok, you can only have one password policy per domain, the only way to exclude users from the policy is to check the "password never expires" under properties then account section.

To set the policy you would use group policy, and in the section computer configuration > Windows Settings > Security Settings > Account Policies/Password Policy youwould make your settings.

You would then apply this at domain level.
Henrik JohanssonSystems engineerCommented:
A limitation in Windows Server 2003 AD is that you have one password policy in the domain.
In Windows Server 2008 AD, you can have fine-grained password policy objects making it possibly to have multiple password policies in the domain.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.