?
Solved

can't change password on WIN7 workstation on SBS 2008 domain

Posted on 2011-10-26
9
Medium Priority
?
1,001 Views
Last Modified: 2012-05-12
One of the users who had a WIN7 workstation on our SBS 2008 domain tried to change his password, but got the message that the password dd not satisfy the complexity criteria. He tried several times. So did I. Nada. The SBS server console tells me the complexity is still the way it used to be: minimum of 8 characters from 3 of 4 of UPPER CASE LETTER, lower case letter, digits, special characters. I have confirmed the passwords we are trying to enter conform to this. I even tried my own password which conformed when I set it.

What could the problem be? This is really going to become a big issue as user passwords start expiring.
0
Comment
Question by:jmarkfoley
  • 5
  • 3
9 Comments
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 37034524
The console reports on the group policy it expects to be in place, but if a custom GP was created outside of SBS then the console will be unaware of that.

Fire up the Group Policy Management Console (GPMC) in the Admin tools and use the Group Policy Results Wizard to see which policies are being applied to that user on that machine. You can view the resultant set of policies, see what the complexity is set to, and see which policy it is pulling that setting from. Once you know where that policy got set you can go and remove it or change it as necessary.

-Cliff
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 37037921
cgaliher: thanks for the response. Could you help me drill down a bit more? I used the results wizard as you suggested. I have tabs for Summary and Settings. I believe I've looked through the details on both of those tabs and I can see nothing related to password complexity.
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 37072570
More information. I thought I'd try removing, then reattaching this user's workstation from the domain. Microsoft had done that in the past to resolve GP issues, so I thought it worth a try.

After reconnecting, I was able to change the password! I thought the problem was solved. I called the user in to have him change his pw to what he wanted. He couldn't. I tried again. I couldn't My guess is that I was able to change it before the Group Policies got re-updated on his workstation.

Hopes that helps. Anybody?
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 78

Accepted Solution

by:
Rob Williams earned 2000 total points
ID: 37072663
Check the "Minimum password age". If set to 2 days for example you cannot change the password again for 2 days. It may be that rejoining the domain was not relavent, you had just waited long enough to try again.

You can get the same message if policy is not defined, as per:
http://support.microsoft.com/kb/273004
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 37129227
Sorry, I thought I closed this one ... Yup, it was the 2-day thing. I had the user go in and try it again after a few days and he did it, no problem. I seem to be ranting on MIcrosoft a lot lately, but for one thing, I don't get the security advantage in not letting a user change his/her password for two days. What if the user simply forgot what he/she changed it do? Wait 2 days or contact the system administrator? Again, what's the point/benefit? Secondly, and even more irritating, what's with the error message about the password not satisfying the complexity criteria? This problem has absolutely nothing to do with complexity criteria and the message has put me on a week-long wild goose chase. Why not a message that says, "password may not be changed for X days ..."? end-of-rant.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 37132736
Glad to hear that worked for you. As for the logic behind it:

If you set the minimum password age to '0' the user can change their password as often as they like.

However, according to Group Policy documentation, if the admin sets or changes a user's password and checks the box "the user must change their password at next logon", it is only enforced if the minimum password age is set to '1' or greater. Therefore best practice states that it should not be set to 0.

The other issue is users like to always use the same password. If you have a policy that forces users to change their password every 'x' days and cannot use the same password for 'Y' times, with minimum age set to '0', the user can repeatedly change their password 'y' times until they can use the same one again. With the default being 24 times, I really can't see a user doing so or even figuring that out, but it is reason #2 for not setting it to 0.

I agree it can be frustrating and some may not agree but there was thought behind the default policy settings. In a non-SBS domain you would manually enable and set the policy settings. SBS has many defaults options preset.
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 37133421
Thanks for the reply. I also think it highly unlikely for a user to cycle through 24 passwords to get back to their "favorite." In fact, I doubt many people even know this magic number. We are fixing a non-problem and creating a problem is the process. In any case, a propererror message would be nice.
0
 
LVL 1

Author Closing Comment

by:jmarkfoley
ID: 37133434
Thanks again!
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 37133461
>>"We are fixing a non-problem and creating a problem is the process"
Actually the policy needs to be in place for reason #1 (force user to change password), reason #2 (24 passwords) I don't see either.

SBS 2003 prompted you "do you want to enable password security" at some point recommended you review the policies (i.e. defaults) if you said yes. I don't thing 2008 does this, but even that would be a good feature.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This guide is intended for migrating Windows 2003 Standard with Exchange 2003 to Windows Small Business Server 2008. You will need the following: Exchange Best Practice Analyzer: http://www.microsoft.com/downloads/details.aspx?FamilyID=DBAB201F-…
You may have discovered the 'Compatibility View Settings' workaround for making your SBS 2008 Remote Web Workplace 'connect to a computer' section stops 'working around' after a Windows 10 client upgrade.  That can be fixed so it 'works around' agai…
Are you ready to place your question in front of subject-matter experts for more timely responses? With the release of Priority Question, Premium Members, Team Accounts and Qualified Experts can now identify the emergent level of their issue, signal…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
Suggested Courses

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question