itgroove asked:
Password Policies in the Default Domain Policy

I have a situation where users are being prompted to change their password as per the default password policy, but when they attempt to change their password they get the error message "Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain."

My environment is Windows Server 2008 SP2 with Windows 7 workstations.

Here's what I've tried so far:
- verified that workstation's time is synced with the DC that holds the GPO
- verified that I'm able to change the user's password in Active Directory. (the same password that gave the error when attempting to change it from the workstation)
- ran GPO Modelling, which confirmed that the user was receiving the correct GPO
- ran Resultant Set of Policy on the workstation, verified that it was receiving the GPO settings
- made a minor change to the GPO (added a shortcut to users' desktops), gpupdate /force on server and workstation, rebooted workstation and changes applied correctly.
- removed the shortcut that I added (gpupdate /force all around), logged back in to the workstation - no shortcut on desktop (GPO applying correctly)
- created a new user with default permissions and logged in to see if I could change his password: no dice
- logged on to the workstation as domain admin, and was able to change my own password through Ctrl-Alt-Del
- moved user out of his OU, and into the No Policy OU (same as domain admin), no change
- gave the user admin rights, still unable to change password from the workstation
- removed all password policies from the Default Domain GPO (set all password settings to Not Defined), gpupdate /force, reboot - no change
- disabled Default Domain Policy (gpupdate /force, reboot) no change
- re-enabled Default Domain Policy and recreated password policies, forced an update - no difference.
- made the user in question a local admin on their workstation - no difference

I'm stumped! Has anyone come across this, or have any ideas?
Anuroopsundd:

Try a password with complexity... P@ssword!23
abdulalikhan:
There must be a password history enabled which is not letting you change the password, and also the password complexity. Try changing the password as mentioned above.
ASKER CERTIFIED SOLUTION (abdulalikhan):
Also you can check on the client side what password policy you are getting. Run C:\Windows\System32\gpedit.msc; this will open the Local Group Policy Editor. Then go to:

Computer Configuration
 -> Windows Settings
 -> Security Settings
 -> Account Policy

On the right-hand side you can see the password policy. Use the Default Domain Policy, because here the "Domain" itself defines the policy to be implemented on both servers and workstations.
itgroove (asker):
Surprisingly, it was the second part of this answer that fixed the problem - I changed the minimum password age to '0', and hey, presto! people are able to change their passwords.

I'm not sure why this works, but I'm happy to have it working again - thanks for all your help!
Welcome.

Explanation of the solution: it is by design. If the user changes the password, then s/he will not be able to change the password again until the minimum password age criterion is met. It also applies if you reset the password through Active Directory but don't check 'User must change the password at next logon'.

The user will only be able to change the password if you reset the password or create an account with the option that user will change his/her password at next logon.

Regards

Ali
I understand that, but that doesn't explain how that was affecting users who had not yet changed their password. I attempted the password change on a new user that I created (as I mentioned in my original post), and was unable to: at that point there was no previous password in place to prevent that from happening. Also, as soon as I changed the password minimum age to '0', users who were unable to change their password at all (regardless of how long it had been since they last changed it) were now able to.

This behavior is what I'd like to know the answer to.
As I explained, the new user will also be affected if you don't check the option 'User must change password at next logon'.
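The two checks discussed in this thread (what password policy is actually in force, and why minimum password age blocks a change unless the account is flagged "must change password at next logon") can be scripted. This is an added example, not code from the thread; it assumes the ActiveDirectory PowerShell module (RSAT) can reach a domain controller that exposes AD Web Services, and the account name 'jdoe' is a placeholder.

```powershell
# Added example: report the effective password policy and explain, for one user,
# whether the domain will accept a password change right now.
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # A fine-grained password policy (PSO) overrides the Default Domain Policy when one applies.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName -ErrorAction SilentlyContinue
    if ($pso) { return $pso }
    return Get-ADDefaultDomainPasswordPolicy
}

function Test-UserCanChangePassword {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $policy = Get-EffectivePasswordPolicy -SamAccountName $SamAccountName
    $user   = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, PasswordLastSet

    # pwdLastSet = 0 is the "User must change password at next logon" state. Minimum
    # password age is not enforced on it, which is why a freshly created or reset account
    # with that box ticked can change immediately, while one without it is refused.
    # The workstation shows the same generic "length, complexity, or history" message
    # for any policy failure, so a minimum-age refusal looks like a complexity refusal.
    if ($user.pwdLastSet -eq 0) {
        return [pscustomobject]@{
            User = $SamAccountName; CanChange = $true
            Reason = 'Flagged: must change password at next logon'
            MinPasswordAge = $policy.MinPasswordAge; PasswordAge = $null
        }
    }

    $age = (Get-Date) - $user.PasswordLastSet
    $ok  = $age -ge $policy.MinPasswordAge
    $reason = if ($ok) { 'Password is older than MinPasswordAge' }
              else     { "Blocked by MinPasswordAge; $($policy.MinPasswordAge - $age) remaining" }
    return [pscustomobject]@{
        User = $SamAccountName; CanChange = $ok; Reason = $reason
        MinPasswordAge = $policy.MinPasswordAge; PasswordAge = $age
    }
}

# Usage (placeholder account):
Test-UserCanChangePassword -SamAccountName 'jdoe' | Format-List

# Safer remedy than setting minimum password age to 0 (which lets users cycle straight
# through the password history): keep the age and flag the blocked account instead.
#   Set-ADUser -Identity 'jdoe' -ChangePasswordAtLogon $true
# Client-side cross-check of what the workstation is enforcing, from a cmd prompt:
#   net accounts          (local policy)      net accounts /domain   (domain policy)
```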
Interesting... thanks again for all your help.
Welcome.