Password not accepted even though it is meeting the complexity requirements

Posted on 2011-10-07
Medium Priority
Last Modified: 2012-05-12
We finally got the approval and implemented a new password policy overnight and today are dealing with many frustrated users because they are lazy and would rather type "summer11" or "password" or even just hit the damn enter key and choose nothing at all.

The issue I am seeing popping up with some users is this: The password will not be accepted even though it is meeting the complexity requirements of 8 characters or more and any 3 of the 4 of upper, lower, numbers, symbols. They are changing with Ctrl+Alt+Del. I know their passwords are good, because I have even tried for them. It just gives the error that it does not meet the complexity. But I can go into ADUC and manually reset the password to this same password they are trying and it works fine.

Not all users are experiencing this. I also want to say that I think all the machines having the issue are windows 7, but I did not answer all the calls.

Does anyone have a clue what might be causing this?

We have 3 DCs, 2 of them 2003 and one is 2008.

Question by:VitalSolutions

Expert Comment

ID: 36931610
My question is which DC are Windows 7 Machines connected to.
I hope they are connecting to Windows 2008 server.

Also, try issuing gpupdate /force on troublemaking machines and see if it helps..

Expert Comment

by:Felicia King
ID: 36931681
I can't seem to find an article on this, but I ran into the same problem in Active Directory some time ago. What I found at the time is that some part of the complexity was required within the first 6 characters of the password. I believe that this is due to the desire to protect against some of the weaknesses in NTLM authentication. See article:

So summer11 won't work, but Summer2011 will work. packers1# won't work, but Packers1# will work.
Unfortunately, Microsoft's article http://technet.microsoft.com/en-us/library/cc875814.aspx doesn't speak to any of that, but it does bring up the whole point that the password cannot be the username or the user's first or last name (assuming you have these attributes populated in ADUC).

So my suggestion is to teach them how to introduce some complexity into the beginning of the password.
Here is an excellent handout for the users:  

Expert Comment

ID: 36931693
Passwords also can't contain the first name, last name, username, or be in the password history. These rules are not enforced when you do a password change.  

Author Comment

ID: 36931828
Well, I did a quick check and all problem ones are Windows 7 and connect to the 2008 box. I have already changed their passwords manually, so I cannot test gpupdate. I am thinking I will have more issues though down the road here. I just helped another user that could not change their password (was actually due to "cannot change password" being checked off in ADUC), but he was on Windows 7 and connected to the 2008 DC and was able to change his fine.

I wonder if the 6 beginning characters matter? I thought I also remember something about not having any 3 consecutive characters from their name or user name in the password. Can anyone confirm this? Also thanks for the guide as well. The users might enjoy it more than calling me.


Author Comment

ID: 36932130
So, had another user with the same issue.

I tried gpupdate and restart, no help.
Tried the first 6 character matching complexity, nothing.
There is nothing related to the user name or logon name in the password.

Windows 7 machine. Connected to 2008 box.

I found a weird loophole though. If I use ADUC to reset the password to something of my choosing that meets complexity and leave the box checked for them to change on first logon, when they enter the password they have been trying it works.


Accepted Solution

kevinhsieh earned 500 total points
ID: 36932956
You might have a minimum password age in place. Look at

Author Comment

ID: 36933022
That's exactly it.

Funny, we just now ran across the same exact thing. 2 seconds later the email came in from Experts Exchange letting me know something was posted. We had it set to 60 days. We changed it to 5 for now and will bump it back up later to meet the policy.

Thanks for all your help everyone!
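The two comments above describe two different gates a user-initiated change has to pass: the complexity filter (length, 3 of 4 categories, no account name or display-name tokens) and the minimum password age, which an admin reset in ADUC skips. The script below is an added example, not code from this thread or from Microsoft; it reproduces those checks on constructed sample data so a help desk can see which rule is actually rejecting a password. The user record, the 8-character minimum and the 60-day minimum age are assumed values.

```python
"""Reproduce the checks a domain applies to a user-initiated password change.
Added example: rules follow Microsoft's documented complexity filter;
the sample user, policy values and timestamps are constructed."""
from datetime import datetime, timedelta
import re

MIN_LENGTH = 8  # assumed domain setting, as stated in the question
CATEGORY_PATTERNS = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")


def complexity_failures(password, sam_account_name, display_name):
    """Return the reasons the built-in complexity filter would reject password."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if sum(bool(re.search(p, password)) for p in CATEGORY_PATTERNS) < 3:
        reasons.append("fewer than 3 of 4 character categories")
    lower = password.lower()
    if sam_account_name.lower() in lower:
        reasons.append("contains the account name")
    # displayName is split on delimiters; tokens of 3+ characters must not appear
    for token in re.split(r"[ ,.\-_#\t]", display_name):
        if len(token) >= 3 and token.lower() in lower:
            reasons.append("contains name token '%s'" % token)
    return reasons


def change_failures(password, user, now, min_password_age):
    """Complexity plus the minimum-password-age check that a user-initiated
    change (Ctrl+Alt+Del) enforces but an admin reset bypasses.
    pwd_last_set of None models 'must change password at next logon'
    (pwdLastSet = 0), for which the minimum age is not enforced."""
    reasons = complexity_failures(password, user["sam"], user["display_name"])
    last_set = user["pwd_last_set"]
    if last_set is not None and last_set + min_password_age > now:
        reasons.append("minimum password age not yet reached")
    return reasons


# constructed sample: help desk reset this password one day ago
USER = {"sam": "jsmith", "display_name": "Smith, John",
        "pwd_last_set": datetime(2011, 10, 6, 9, 0)}
NOW = datetime(2011, 10, 7, 9, 0)

if __name__ == "__main__":
    for pw in ("summer11", "Summer2011", "JohnSmith1!"):
        print(pw, change_failures(pw, USER, NOW, timedelta(days=60)))
```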
