Solved

Windows Logon - Active Directory Password Policy Issues

Posted on 2010-09-17
Last Modified: 2012-06-22
Dear Experts,

I have a very irritating issue that I am unable to solve and would very much appreciate some help with if at all possible.

I have 3 Domain Controllers running Windows Server 2008 R2 32bit Edition with your bog-standard Active Directory setup.

We have our password policy set to expire after 50 days and at 14 days to expiry we prompt our users to change their password.

We have a password policy of a minimum of 6 characters with numbers, letters and an uppercase and also we have set the server to remember the last seven used passwords.

If at any point a user tries to change their password in the 14 day grace period it won't work and throws out the usual password complexity error even though they are using the correct procedures. Just in case users are being users, I have gone to their workstation and entered something totally unique (one of our admin passwords) and it still doesn't work. If the users let the password run out to the last day and try to enter a new one, we have the same problem.

As a hopeless workaround we get the users to come to our desks and enter a new password from the Active Directory, which then keeps them ticking over for the next 50 days.

We would like to lower the password expiry limit, but as people have huge issues adding a new password it seems a bit pointless at this stage.

Can anyone help with this at all - the event logs don't really seem to be any use and just state that they are not following the password requirements.

Many thanks!
Question by:rosshuts

Expert Comment

by:KCTS
OK, I assume that you have set the password policy in the default domain policy (unless you have implemented fine-grained password policies, you can only have a single policy per domain).

When you say
"We have a password policy of a minimum of 6 characters with numbers, letters and an uppercase and also we have set the server to remember the last seven used passwords."
I assume you have enabled password complexity. Make sure that the users are entering passwords which meet the following conditions:
1. At least one lowercase letter
2. At least one uppercase letter
3. At least one number 0-9
4. At least one symbol, e.g. ($ ! # )
Three out of the above four must be met.
 

Author Comment

by:rosshuts
Hi There,

Thanks for your quick response.

Sorry I should have said that we have enabled password complexity.

The passwords the users are trying do meet 3 out of the 4 and also our domain admin password meets the requirements as well. When I try and use the Dom Admin password on one of the users who needs to set a new password it fails or at least the error message pops up stating we haven't met the requirements.

I have also tried complex ones like ExL0gs1! and P4ssw0rd2010 and even simpler ones like Today17 which used to work perfectly.

I see where you're coming from in that the only reason the system would reject the passwords is if we don't meet the complexity requirements, but I am 100% sure we are.

Thanks.

Accepted Solution

by: JHalliday (earned 500 total points)
Have you checked to see if you have set the minimum password age to be more than 1 day? If this is set too high (say 40 days) you will get an error message if you try and change the password earlier. Ideally this should be set to 1 day.

Author Comment

by:rosshuts
Hi,

Just checked the GPO and it was set to 50 days minimum and the maximum was 55.

Changed the minimum to 1 day and went to the user who had the issue this morning and asked him to log out and try a new password and it worked immediately!!

Thanks very much for your help on this one!!!

Cheers.
 

Author Closing Comment

by:rosshuts
Awesome!

Expert Comment

by:JHalliday
No problem.  Glad you have got it sorted :)
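
The check from the accepted answer, as an added example that is not part of the original thread: it reads the default domain password policy, warns when the gap between minimum and maximum password age is shorter than the expiry prompt period, and lists accounts that cannot yet change their password. It assumes the ActiveDirectory PowerShell module is available; the `$WarnDays` parameter is an assumption standing in for the 14-day prompt mentioned in the question.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module.
# $WarnDays is an assumed parameter: the "prompt user to change password before
# expiration" value is a separate setting, not part of the password policy object.
param([int]$WarnDays = 14)

Import-Module ActiveDirectory

# Default domain policy only; accounts covered by a fine-grained password
# policy would need Get-ADUserResultantPasswordPolicy instead.
$policy = Get-ADDefaultDomainPasswordPolicy
$min = $policy.MinPasswordAge   # TimeSpan
$max = $policy.MaxPasswordAge   # TimeSpan; zero means passwords never expire

"Complexity: {0}  MinLength: {1}  History: {2}" -f `
    $policy.ComplexityEnabled, $policy.MinPasswordLength, $policy.PasswordHistoryCount
"MinPasswordAge: {0} days  MaxPasswordAge: {1} days" -f $min.Days, $max.Days

if ($min.TotalDays -gt 1) {
    Write-Warning ("MinPasswordAge is {0} days: a user-initiated change is refused " +
        "until the current password is that old." -f $min.Days)
}

if ($max.Ticks -gt 0) {
    # Days during which a user is actually allowed to change before expiry.
    $window = ($max - $min).TotalDays
    if ($window -lt $WarnDays) {
        Write-Warning ("Users are prompted {0} days before expiry but can only " +
            "change during the final {1:N0} day(s)." -f $WarnDays, $window)
    }
}

# Enabled accounts whose password is still younger than the minimum age.
$now = Get-Date
Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object { $_.PasswordLastSet -and -not $_.PasswordNeverExpires } |
    Select-Object SamAccountName, PasswordLastSet,
        @{ n = 'CanChangeFrom'; e = { $_.PasswordLastSet + $min } },
        @{ n = 'Expires'; e = { if ($max.Ticks -gt 0) { $_.PasswordLastSet + $max } } } |
    Where-Object { $_.CanChangeFrom -gt $now } |
    Sort-Object CanChangeFrom
```

With the values reported in the thread (minimum 50 days, maximum 55), the second warning fires because the change window is 5 days against a 14-day prompt.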