VitalSolutions asked:
Password not accepted even though it is meeting the complexity requirements

We finally got the approval and implemented a new password policy overnight and today are dealing with many frustrated users because they are lazy and would rather type "summer11" or "password" or even just hit the damn enter key and choose nothing at all.

The issue I am seeing popping up with some users is this: the password will not be accepted even though it is meeting the complexity requirements of 8 characters or more and any 3 of the 4 (upper, lower, num, symbols). They are changing with Ctrl-Alt-Del. I know their passwords are good, because I have even tried for them. It just gives the error that it does not meet the complexity. But I can go into ADUC and manually reset the password to this same password they are trying and it works fine.

Not all users are experiencing this. I also want to say that I think all the machines having the issue are Windows 7, but I did not answer all the calls.

Does anyone have a clue what might be causing this?

We have 3 DCs: 2 of them are 2003 and one is 2008.

pritamdutt:

My question is which DC are Windows 7 Machines connected to.
I hope they are connecting to Windows 2008 server.

Also, try issuing gpupdate /force on the troublemaking machines and see if it helps.

I can't seem to find an article on this, but I ran into the same problem in Active Directory some time ago. What I found at the time is that some part of the complexity was required within the first 6 characters of the password. I believe that this is due to the desire to protect against some of the weaknesses in NTLM authentication. See article:
http://www.ethicalhacker.net/content/view/94/24/

So summer11 won't work, but Summer2011 will work. packers1# won't work, but Packers1# will work.
Unfortunately, Microsoft's article http://technet.microsoft.com/en-us/library/cc875814.aspx doesn't speak to any of that, but it does bring up the whole point that the password cannot be the username or the user's first or last name (assuming you have these attributes populated in ADUC).

So my suggestion is to teach them how to introduce some complexity into the beginning of the password.
Here is an excellent handout for the users:
http://qualityplusconsulting.com/res/QP8000-GuidetoPasswordsAndPasswordSecurity.pdf
Passwords also can't contain the first name, last name, username, or be in the password history. These rules are not enforced when you do a password change.
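The complexity rule the Microsoft article linked above describes, modelled in Python as an added example that is not part of this thread or of any Microsoft code. It checks the minimum length (a separate policy setting in Windows, so it is a parameter; the asker's domain uses 8), the three-of-five character categories, the samAccountName, and the parts of the display name longer than two characters, split on the delimiters Windows uses. The account name and display name used as input are constructed.

```python
"""Local model of the Windows "Password must meet complexity requirements" rule.

Added example, not code from this thread. It follows the rule as documented
in the Microsoft article linked above; minimum length is a separate policy
setting in Windows, so it is a parameter here (the asker's domain uses 8).
"""
import re
import unicodedata

# Delimiters Windows uses to split the display name into parts: commas,
# periods, dashes/hyphens, underscores, spaces, pound signs and tabs.
_NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def display_name_tokens(display_name):
    """Parts of the full name that are checked against the password.

    Parts shorter than three characters are ignored, so the "J." in
    "John J. Smith" is skipped but "John" and "Smith" are checked.
    """
    return [t for t in _NAME_DELIMITERS.split(display_name) if len(t) >= 3]


def character_categories(password):
    """Return the set of complexity categories present in the password."""
    cats = set()
    for ch in password:
        cat = unicodedata.category(ch)
        if cat == "Lu":
            cats.add("upper")
        elif cat == "Ll":
            cats.add("lower")
        elif ch in "0123456789":
            cats.add("digit")
        elif ch.isalpha():
            # Alphabetic but neither upper nor lower case (e.g. CJK letters).
            cats.add("other-alpha")
        elif cat != "Sc":
            # Currency symbols are documented as not counting as special characters.
            cats.add("symbol")
    return cats


def check_complexity(password, sam_account_name, display_name, min_length=6):
    """Return the list of reasons the password fails; an empty list means it passes."""
    reasons = []
    lowered = password.lower()
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    # The account-name check is skipped when the name is under three characters.
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        reasons.append(f"contains the account name '{sam_account_name}'")
    for part in display_name_tokens(display_name):
        if part.lower() in lowered:
            reasons.append(f"contains the name part '{part}'")
    if len(character_categories(password)) < 3:
        reasons.append("fewer than three character categories")
    return reasons


if __name__ == "__main__":
    # Constructed sample account: jsmith / John J. Smith, domain minimum length 8.
    for candidate in ("summer11", "Summer2011", "Smith2011!", "Jsmith2011!"):
        verdict = check_complexity(candidate, "jsmith", "John J. Smith", min_length=8)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Running the block scores four constructed candidates for the sample account: "summer11" fails only on categories (lowercase and digits make two), "Summer2011" passes, and the two containing "Smith" are rejected for the name-part and account-name checks. As documented, the rule counts which categories appear anywhere in the password, not at which position, and the display-name comparison is case-insensitive.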
VitalSolutions (asker):
Well, I did a quick check and all the problem ones are Windows 7 and connect to the 2008 box. I have already changed their passwords manually, so I cannot test gpupdate. I am thinking I will have more issues down the road here, though. I just helped another user that could not change their password (was actually due to "cannot change password" being checked off in ADUC), but he was on Windows 7 and connected to the 2008 DC and was able to change his fine.

I wonder if the 6 beginning characters matter? I thought I also remember something about not having any 3 consecutive characters from their name or user name in the password. Can anyone confirm this? Also, thanks for the guide as well. The users might enjoy it more than calling me.

Thanks!

So, had another user with the same issue.

I tried gpupdate and restart, no help.
Tried the first 6 character matching complexity, nothing.
There is nothing related to the user name or logon name in the password

Windows 7 machine. Connected to 2008 box.

I found a weird loophole though. If I use ADUC to reset the password to something of my choosing that meets complexity and leave the box checked for them to change it on first logon, when they enter the password they have been trying, it works.

ASKER CERTIFIED SOLUTION by kevinhsieh (solution text not available on this page)
That's exactly it.

Funny, we just now ran across the same exact thing. 2 seconds later the email came in from experts exchange letting me know something was posted. We had it set to 60 days. We changed to 5 for now and will bump back up later to meet the policy.

Thanks for all your help everyone!