
After dcpromo, Server 2008 R2 Administrator password needs to be changed.

Medium Priority
Last Modified: 2012-08-14

I have an interesting issue. My product is a turn-key server (HP DL G6) with a Server 2008 R2 platform image, along with instructions to set up\create a new domain. We have found that servers set up from our in-house manufacturing require the Administrator password to be changed after the dcpromo is run. So, before the dcpromo is run, the Administrator account does not ask for a password change; you can reboot, logout\login, etc… but once the dcpromo is run, and restarted, the system wants you to change the Administrator password. The password is super-complex…there are no issues I can tell with the default domain policy, which is at default at that point. If you add a ‘1’ to the end of the existing password it takes it. Now…if I reimage the same hardware, same sysprep, following the same instructions with the exact same image DVDs that manufacturing has…it behaves normally and doesn’t request a password change. One hint…the Administrator password is the same password we enter for the Directory Services Restore Mode Administrator password.

So, I think we have narrowed the scope down to what our manufacturing group is doing. They took the DVDs and put them on an image server that they use to apply the image through the network. I can’t figure out what they could be doing, or what in their process could require an Administrator password change after a dcpromo. I don’t know of any type of BIOS issue that would behave this way. Keep in mind this is a mature product that has been tested well; only after the manufacturing systems have arrived (3 for 3) has this happened.
Any help or insight is appreciated.

Mike Thomas, Consultant
Top Expert 2010
I have just seen this behaviour on a contract I am working on, implementing a new AD environment; the new DCs were created using WDS images.

Not sure why it did it either, and the WDS guy has not been in since, but I will speak to him when he is back.

Just to add, I had to change the password once per domain, so this would only happen on the first DC in a new domain. The child domain was the same, just the 1 change on the first DC in the child domain.

IT Solutions Engineer
I would compare the Default Domain Controller Policy settings after the reboot to identify what the settings are that are impacting your user accounts after the DCPROMO.

Typically the settings are 8 characters, enforce complexity enabled, and the remember history is very high, such as 42 past passwords or something like that.


MojoTech and whoajack, thank you for your comments.

MojoTech - I am suspicious of the image also.  The image software being used is Ghost 11.  This server\domain is new and this server will be the only DC in the environment.

whoajack – I also looked in that direction. The default domain and default DC policies are Microsoft defaults. There are no issues when the image is loaded from DVDs, so I don’t think policy issues are responsible.