
can't change password on WIN7 workstation on SBS 2008 domain

One of the users who had a WIN7 workstation on our SBS 2008 domain tried to change his password, but got the message that the password did not satisfy the complexity criteria. He tried several times. So did I. Nada. The SBS server console tells me the complexity is still the way it used to be: minimum of 8 characters from 3 of 4 of UPPER CASE LETTER, lower case letter, digits, special characters. I have confirmed the passwords we are trying to enter conform to this. I even tried my own password which conformed when I set it.

What could the problem be? This is really going to become a big issue as user passwords start expiring.
Asked by: jmarkfoley

Cliff Galiher Commented:
The console reports on the group policy it expects to be in place, but if a custom GP was created outside of SBS then the console will be unaware of that.

Fire up the Group Policy Management Console (GPMC) in the Admin tools and use the Group Policy Results Wizard to see which policies are being applied to that user on that machine. You can view the resultant set of policies, see what the complexity is set to, and see which policy it is pulling that setting from. Once you know where that policy got set you can go and remove it or change it as necessary.

-Cliff
 
jmarkfoley (Author) Commented:
cgaliher: thanks for the response. Could you help me drill down a bit more? I used the results wizard as you suggested. I have tabs for Summary and Settings. I believe I've looked through the details on both of those tabs and I can see nothing related to password complexity.
 
jmarkfoley (Author) Commented:
More information. I thought I'd try removing, then reattaching this user's workstation from the domain. Microsoft had done that in the past to resolve GP issues, so I thought it worth a try.

After reconnecting, I was able to change the password! I thought the problem was solved. I called the user in to have him change his pw to what he wanted. He couldn't. I tried again. I couldn't. My guess is that I was able to change it before the Group Policies got re-updated on his workstation.

Hope that helps. Anybody?
 
Rob Williams Commented:
Check the "Minimum password age". If set to 2 days, for example, you cannot change the password again for 2 days. It may be that rejoining the domain was not relevant; you had just waited long enough to try again.

You can get the same message if policy is not defined, as per:
http://support.microsoft.com/kb/273004
 
jmarkfoley (Author) Commented:
Sorry, I thought I closed this one ... Yup, it was the 2-day thing. I had the user go in and try it again after a few days and he did it, no problem. I seem to be ranting on Microsoft a lot lately, but for one thing, I don't get the security advantage in not letting a user change his/her password for two days. What if the user simply forgot what he/she changed it to? Wait 2 days or contact the system administrator? Again, what's the point/benefit? Secondly, and even more irritating, what's with the error message about the password not satisfying the complexity criteria? This problem has absolutely nothing to do with complexity criteria and the message has put me on a week-long wild goose chase. Why not a message that says, "password may not be changed for X days ..."? end-of-rant.
 
Rob Williams Commented:
Glad to hear that worked for you. As for the logic behind it:

If you set the minimum password age to '0' the user can change their password as often as they like.

However, according to Group Policy documentation, if the admin sets or changes a user's password and checks the box "the user must change their password at next logon", it is only enforced if the minimum password age is set to '1' or greater. Therefore best practice states that it should not be set to 0.

The other issue is users like to always use the same password. If you have a policy that forces users to change their password every 'x' days and cannot use the same password for 'Y' times, with minimum age set to '0', the user can repeatedly change their password 'y' times until they can use the same one again. With the default being 24 times, I really can't see a user doing so or even figuring that out, but it is reason #2 for not setting it to 0.

I agree it can be frustrating and some may not agree, but there was thought behind the default policy settings. In a non-SBS domain you would manually enable and set the policy settings. SBS has many default options preset.
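The two points made in the answers above (a minimum password age blocks a second change shortly after the first, and a minimum age of 0 lets a user cycle through the whole history in one sitting), as an added example that is not part of the original thread. It is a simplified Python model, not Windows code: the class and function names, sample passwords and dates are constructed, and it assumes the history includes the current password.

```python
from collections import deque
from datetime import datetime, timedelta

class Account:
    """Toy account model. Plaintext is kept only to keep the model short;
    a real directory stores password hashes."""
    def __init__(self, password, set_at, history_len):
        # Assumption: the remembered history includes the current password.
        self.history = deque([password], maxlen=history_len)
        self.last_set = set_at

def try_change(acct, new_pw, now, min_age_days):
    """Return 'ok', 'too_young' or 'in_history' for a user-initiated change."""
    if now - acct.last_set < timedelta(days=min_age_days):
        # The case in this thread; the workstation reported it as a
        # complexity failure rather than naming the minimum age.
        return "too_young"
    if new_pw in acct.history:
        return "in_history"
    acct.history.append(new_pw)      # oldest entry falls off when full
    acct.last_set = now
    return "ok"

def cycle_back(min_age_days, history_len):
    """Simulate a user burning throwaway passwords to return to a favourite.
    Returns (number of changes made, days elapsed)."""
    start = datetime(2013, 1, 1)     # constructed date
    acct = Account("Favourite1!", start - timedelta(days=30), history_len)
    now, changes = start, 0
    while True:
        # Wait until the minimum age allows another change.
        now = max(now, acct.last_set + timedelta(days=min_age_days))
        outcome = try_change(acct, "Favourite1!", now, min_age_days)
        if outcome == "in_history":
            try_change(acct, f"Throwaway{changes}!", now, min_age_days)
        changes += 1
        if outcome == "ok":
            return changes, (now - start).days

if __name__ == "__main__":
    t0 = datetime(2013, 1, 1, 9, 0)
    acct = Account("OldPassw0rd!", t0, history_len=24)
    print(try_change(acct, "NewPassw0rd!", t0 + timedelta(hours=1), 2))
    print(try_change(acct, "NewPassw0rd!", t0 + timedelta(days=2), 2))
    print(cycle_back(0, 24))   # minimum age 0: history defeated immediately
    print(cycle_back(2, 24))   # minimum age 2 days: same cycle takes weeks
```

With a history of 24, the model needs 25 changes either way; the minimum age only decides whether that takes zero days or 48.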
 
jmarkfoley (Author) Commented:
Thanks for the reply. I also think it highly unlikely for a user to cycle through 24 passwords to get back to their "favorite." In fact, I doubt many people even know this magic number. We are fixing a non-problem and creating a problem in the process. In any case, a proper error message would be nice.
 
jmarkfoley (Author) Commented:
Thanks again!
 
Rob Williams Commented:
>>"We are fixing a non-problem and creating a problem in the process"
Actually the policy needs to be in place for reason #1 (force user to change password), reason #2 (24 passwords) I don't see either.

SBS 2003 prompted you "do you want to enable password security" and at some point recommended you review the policies (i.e. defaults) if you said yes. I don't think 2008 does this, but even that would be a good feature.
Question has a verified solution.
