Password not accepted even though it is meeting the complexity requirements

Posted on 2011-10-07
Last Modified: 2012-05-12
We finally got the approval and implemented a new password policy overnight and today are dealing with many frustrated users because they are lazy and would rather type "summer11" or "password" or even just hit the damn enter key and choose nothing at all.

The issue I am seeing popping up with some users is this: the password will not be accepted even though it meets the complexity requirements of 8 characters or more and any 3 of the 4 (upper, lower, number, symbol). They are changing it with Ctrl+Alt+Del. I know their passwords are good, because I have even tried for them. It just gives the error that it does not meet the complexity requirements. But I can go into ADUC and manually reset the password to this same password they are trying and it works fine.

Not all users are experiencing this. I also want to say that I think all the machines having the issue are Windows 7, but I did not answer all the calls.

Does anyone have a clue what might be causing this?

We have 3 DCs, 2 of them 2003 and one 2008.

Question by:VitalSolutions
    LVL 9

    Expert Comment

    My question is which DC the Windows 7 machines are connected to.
    I hope they are connecting to the Windows 2008 server.

    Also, try issuing gpupdate /force on the troublemaking machines and see if it helps.
    LVL 4

    Expert Comment

    by:Felicia King
    I can't seem to find an article on this, but I ran into the same problem in Active Directory some time ago. What I found at the time is that some part of the complexity was required within the first 6 characters of the password. I believe that this is due to the desire to protect against some of the weaknesses in NTLM authentication. See article:

    So summer11 won't work, but Summer2011 will work. packers1# won't work, but Packers1# will work.
    Unfortunately, Microsoft's article doesn't speak to any of that, but it does bring up the whole point that the password cannot be the username or the user's first or last name (assuming you have these attributes populated in ADUC).

    So my suggestion is to teach them how to introduce some complexity into the beginning of the password.
    Here is an excellent handout for the users:
    LVL 41

    Expert Comment

    Passwords also can't contain the first name, last name, or username, or be in the password history. These rules are not enforced when you do a password change.

    Author Comment

    Well, I did a quick check and all the problem ones are Windows 7 and connect to the 2008 box. I have already changed their passwords manually, so I cannot test gpupdate. I am thinking I will have more issues down the road, though. I just helped another user that could not change their password (it was actually due to "cannot change password" being checked in ADUC), but he was on Windows 7 and connected to the 2008 DC and was able to change his fine.

    I wonder if the 6 beginning characters matter? I thought I also remember something about not having any 3 consecutive characters from their name or user name in the password. Can anyone confirm this? Also, thanks for the guide as well. The users might enjoy it more than calling me.


    Author Comment

    So, had another user with same issue.

    I tried gpupdate and a restart, no help.
    Tried the first 6 characters matching complexity, nothing.
    There is nothing related to the user name or logon name in the password.

    Windows 7 machine. Connected to 2008 box.

    I found a weird loophole though. If I use ADUC to reset the password to something of my choosing that meets complexity and leave the box checked for them to change on first logon, when they enter the password they have been trying it works.

    LVL 41

    Accepted Solution

    You might have a minimum password age in place. Look at

    Author Comment

    That's exactly it.

    Funny, we just now ran across the same exact thing. 2 seconds later the email came in from Experts Exchange letting me know something was posted. We had it set to 60 days. We changed it to 5 for now and will bump it back up later to meet the policy.

    Thanks for all your help everyone!
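The sequence the thread ends on (a Ctrl+Alt+Del change rejected with a complexity-style message, an ADUC reset of the same password succeeding, and the change then working once "must change at next logon" is ticked) is easy to reason about once the two code paths are laid out side by side. The model below is an added example written for this page, not Microsoft's code or anything from the original thread. It encodes the documented default complexity filter (3 of 4 character classes; password must not contain the samAccountName or any displayName token of 3 or more characters, case-insensitive; no requirement about where in the password the complexity sits) and the minimum-password-age rule, which applies to user-initiated changes but not to administrative resets. The account names, display names, passwords and timestamps are constructed for the scenario; `pwd_last_set=None` stands in for a pwdLastSet of 0, which is what the "must change at next logon" checkbox sets.

```python
"""Model of why a user-initiated password change can be rejected while an
admin reset of the same password succeeds. Illustrative code written for this
page; the rules it encodes are the documented default complexity filter and
the minimum-password-age policy, not Microsoft's implementation."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional
import re

# Delimiters used when splitting displayName into tokens for the
# "password must not contain the user's name" check.
_NAME_DELIMS = re.compile(r"[,.\-_ #\t]+")


def complexity_ok(password: str, sam_account_name: str, display_name: str,
                  min_length: int = 8) -> bool:
    """Documented complexity rule: at least 3 of 4 character classes, and the
    password must not contain samAccountName or any displayName token of 3+
    characters (case-insensitive). There is no positional requirement, so
    where in the password the complexity sits does not matter."""
    if len(password) < min_length:
        return False
    classes = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        return False
    lowered = password.lower()
    if sam_account_name and sam_account_name.lower() in lowered:
        return False
    return not any(len(tok) >= 3 and tok.lower() in lowered
                   for tok in _NAME_DELIMS.split(display_name))


@dataclass
class Account:
    sam_account_name: str
    display_name: str
    # None models pwdLastSet == 0, which is what "User must change password
    # at next logon" sets; a datetime models a normal pwdLastSet timestamp.
    pwd_last_set: Optional[datetime]


@dataclass
class Policy:
    min_length: int = 8
    min_age: timedelta = timedelta(days=60)   # the value the thread had set


def user_change(acct: Account, new_password: str, policy: Policy,
                now: datetime) -> str:
    """Ctrl+Alt+Del change: minimum age is enforced first, then complexity.
    (The real Windows dialog reports one generic message covering length,
    history, complexity and age, which is why the thread blamed complexity.)"""
    if acct.pwd_last_set is not None and now - acct.pwd_last_set < policy.min_age:
        return "rejected: minimum password age"
    if not complexity_ok(new_password, acct.sam_account_name,
                         acct.display_name, policy.min_length):
        return "rejected: complexity"
    acct.pwd_last_set = now
    return "accepted"


def admin_reset(acct: Account, new_password: str, policy: Policy,
                now: datetime, must_change_at_next_logon: bool) -> str:
    """ADUC reset: minimum age is not checked; complexity still applies.
    Ticking "must change at next logon" zeroes pwdLastSet, so the user's
    following change is no longer blocked by minimum age either."""
    if not complexity_ok(new_password, acct.sam_account_name,
                         acct.display_name, policy.min_length):
        return "rejected: complexity"
    acct.pwd_last_set = None if must_change_at_next_logon else now
    return "accepted"


def reproduce_thread() -> List[str]:
    """Constructed scenario: the policy went in overnight, the user's password
    was last set yesterday, and they try a compliant password next morning."""
    now = datetime(2011, 10, 7, 9, 0)
    policy = Policy()
    acct = Account("jdoe", "Doe, Jane", pwd_last_set=now - timedelta(days=1))
    steps = [user_change(acct, "Autumn2011!", policy, now)]          # blocked by age
    steps.append(admin_reset(acct, "Temp-Pass1", policy, now, True))  # reset works
    steps.append(user_change(acct, "Autumn2011!", policy, now))       # now accepted
    return steps


if __name__ == "__main__":
    for step in reproduce_thread():
        print(step)
```

Run stand-alone it prints the three outcomes in order: the first change is rejected by minimum age, the reset is accepted, and the second change is accepted because pwdLastSet was cleared. The same model shows why "summer11" fails (only two character classes) while "Summer2011" passes, and why a password containing a displayName token such as "Jane" is refused regardless of the rest of its content.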
