Solved

Windows Logon - Active Directory Password Policy Issues

Posted on 2010-09-17
Last Modified: 2012-06-22
Dear Experts,

I have a very irritating issue that I am unable to solve and would very much appreciate some help with if at all possible.

I have 3 Domain Controllers running Windows Server 2008 R2 32bit Edition with your bog standard Active Directory setup.

We have our password policy set to expire after 50 days and at 14 days to expiry we prompt our users to change their password.

We have a password policy of a minimum of 6 characters with numbers, letters and an uppercase and also we have set the server to remember the last seven used passwords.

If at any point a user tries to change their password in the 14 day grace period it won't work and throws out the usual password complexity error even though they are using the correct procedures. Just in case users are being users, I have gone to their workstation and entered something totally unique (one of our admin passwords) and it still doesn't work. If the users let the password run out to the last day and try to enter a new one, we have the same problem.

As a hopeless workaround we get the users to come to our desks and enter a new password from Active Directory, which then keeps them ticking over for the next 50 days.

We would like to lower the password expiry limit, but as people have huge issues adding a new password it seems a bit pointless at this stage.

Can anyone help with this at all - the event logs don't really seem to be any use and just state that they are not following the password requirements.

Many thanks!
Question by:rosshuts

Expert Comment

by:KCTS
ID: 33699708
OK, I assume that you have set the password policy in the default domain policy (unless you have implemented fine-grained password policies, you can only have a single policy per domain).

When you say
"We have a password policy of a minimum of 6 characters with numbers, letters and an uppercase and also we have set the server to remember the last seven used passwords."
I assume you have enabled password complexity - make sure that the users are entering passwords which meet the following conditions
1. At least one lowercase letter
2. At least one uppercase letter
3. At least one number 0-9
4. At least one symbol eg ($ ! # )
three out of the above four must be met

Author Comment

by:rosshuts
ID: 33699792
Hi There,

Thanks for your quick response.

Sorry I should have said that we have enabled password complexity.

The passwords the users are trying do meet 3 out of the 4 and also our domain admin password meets the requirements as well. When I try and use the Dom Admin password on one of the users who needs to set a new password it fails or at least the error message pops up stating we haven't met the requirements.

I have also tried complex ones like ExL0gs1! and P4ssw0rd2010 and even simpler ones like Today17 which used to work perfectly.

I see where you're coming from, in that the only reason the system would reject the passwords is if we don't meet the complexity requirements, but I am 100% sure we are.

Thanks.

Accepted Solution

by:
JHalliday earned 500 total points
ID: 33700009
Have you checked to see if you have set the minimum password age to be more than 1 day? If this is set too high (say 40 days) you will get an error message if you try and change the password earlier. Ideally this should be set to 1 day.
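
The check behind the accepted answer, as an added PowerShell example that is not part of the original thread: it compares the minimum password age with the expiry-warning window and reports how many warning days a user-initiated change would be refused. `Test-PasswordAgeWindow` is a hypothetical helper name, and the 14-day warning default is the figure given in the question.

```powershell
# Added example; Test-PasswordAgeWindow is a hypothetical helper name.
function Test-PasswordAgeWindow {
    param(
        [Parameter(Mandatory)] [TimeSpan] $MinPasswordAge,
        [Parameter(Mandatory)] [TimeSpan] $MaxPasswordAge,
        [int] $WarningDays = 14   # days before expiry that users are prompted (from the question)
    )

    # A maximum age of 0 means passwords never expire, so there is no window to check.
    if ($MaxPasswordAge -le [TimeSpan]::Zero) {
        return [pscustomobject]@{ Status = 'OK'; BlockedWarningDays = 0
            Detail = 'Passwords do not expire; no warning window.' }
    }

    # Password age (in days) at which the change prompt starts appearing.
    $warnStart = $MaxPasswordAge - [TimeSpan]::FromDays($WarningDays)
    if ($warnStart -lt [TimeSpan]::Zero) { $warnStart = [TimeSpan]::Zero }

    if ($MinPasswordAge -ge $MaxPasswordAge) {
        $status  = 'Broken'
        $blocked = ($MaxPasswordAge - $warnStart).TotalDays
        $detail  = 'Minimum age is not below maximum age: users can never change a password before it expires.'
    }
    elseif ($MinPasswordAge -gt $warnStart) {
        $status  = 'Conflict'
        $blocked = ($MinPasswordAge - $warnStart).TotalDays
        $detail  = "Users are prompted from day $($warnStart.TotalDays) but changes are refused until day $($MinPasswordAge.TotalDays)."
    }
    else {
        $status = 'OK'; $blocked = 0
        $detail = 'Password changes are allowed for the whole warning window.'
    }
    [pscustomobject]@{ Status = $status; BlockedWarningDays = $blocked; Detail = $detail }
}

# Constructed inputs: the values the asker reported (min 50, max 55), then the fix (min 1).
Test-PasswordAgeWindow -MinPasswordAge (New-TimeSpan -Days 50) -MaxPasswordAge (New-TimeSpan -Days 55)
Test-PasswordAgeWindow -MinPasswordAge (New-TimeSpan -Days 1)  -MaxPasswordAge (New-TimeSpan -Days 55)

# Live values, on a host with the ActiveDirectory module:
#   $p = Get-ADDefaultDomainPasswordPolicy
#   Test-PasswordAgeWindow -MinPasswordAge $p.MinPasswordAge -MaxPasswordAge $p.MaxPasswordAge
```

The minimum age applies to changes a user makes, not to an administrator reset, which is why the desk-side workaround in the question kept working.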

Author Comment

by:rosshuts
ID: 33700132
Hi,

Just checked the GPO and it was set to 50 days minimum and the maximum was 55.

Changed the minimum to 1 day and went to the user who had the issue this morning and asked him to logout and try a new password and it worked immediately!!

Thanks very much for your help on this one!!!

Cheers.

Author Closing Comment

by:rosshuts
ID: 33700134
Awesome!

Expert Comment

by:JHalliday
ID: 33700948
No problem.  Glad you have got it sorted :)