Solved

Password Policies in the Default Domain Policy

Posted on 2012-03-30
Last Modified: 2012-04-03
I have a situation where users are being prompted to change their password as per the default password policy, but when they attempt to change their password they get the error message "Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain."

My environment is Windows Server 2008 SP2, with Windows 7 workstations.

Here's what I've tried so far:
- verified that workstation's time is synced with the DC that holds the GPO
- verified that I'm able to change the user's password in Active Directory. (the same password that gave the error when attempting to change it from the workstation)
- ran GPO Modelling, which confirmed that the user was receiving the correct GPO
- ran Resultant Set of Policy on the workstation, verified that it was receiving the GPO settings
- made a minor change to the GPO (added a shortcut to users' desktops), gpupdate /force on server and workstation, rebooted workstation and changes applied correctly.
- removed the shortcut that I added (gpupdate /force all around), logged back in to the workstation - no shortcut on desktop (GPO applying correctly)
- created a new user with default permissions and logged in to see if I can change his password : no dice
- logged on to the workstation as domain admin, and was able to change my own password through Ctrl-Alt-Del
- moved user out of his OU, and into the No Policy OU (same as domain admin), no change
- gave the user admin rights, still unable to change password from the workstation
- removed all password policies from the Default Domain GPO (set all password settings to Not Defined) - gpupdate /force, reboot - no change
- disabled Default Domain Policy (gpupdate /force, reboot) no change
- re-enabled Default Domain Policy and recreated password policies, forced an update - no difference.
- made the user in question a local admin on their workstation - no difference

I'm stumped! Has anyone come across this, or have any ideas?
0
Comment
Question by:itgroove
11 Comments
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37790020
Try password with complexity.... P@ssword!23
0
 
LVL 7

Expert Comment

by:abdulalikhan
ID: 37790054
There must be a password history enabled which is not letting you change the password and also the password complexity. Try changing the password as mentioned above.
0
 
LVL 7

Accepted Solution

by:
abdulalikhan earned 500 total points
ID: 37790072
Please also verify in the user properties, through Active Directory Users and Computers, whether 'User cannot change password' is checked or unchecked. It should be unchecked.

Also check what the minimum password age is in the Default Domain Policy. It should be set to '0' to allow users to change their passwords immediately. You can also avoid changing the value and still allow the user to change the password by resetting the password through Active Directory and checking 'User must change password at next logon'.
0
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37790105
Also, you can check on the client side what password policy you are getting.
C:\Windows\System32\gpedit.msc
This will open the Local Group Policy Editor.
Then go to:
Computer Configuration
-> Windows Settings
-> Security Settings
-> Account Policy

On the right-hand side you can see what the password policy is.
0
 
LVL 13

Expert Comment

by:Sandy
ID: 37793207
Use Default domain policy because here "Domain" itself defines policy to be implemented on both server and workstations.
0

 
LVL 13

Author Closing Comment

by:itgroove
ID: 37797271
Surprisingly, it was the second part of this answer that fixed the problem - I changed the minimum password age to '0', and hey, presto! people are able to change their passwords.

I'm not sure why this works, but I'm happy to have it working again - thanks for all your help!
0
 
LVL 7

Expert Comment

by:abdulalikhan
ID: 37797492
Welcome.

Explanation of the solution: It is by design. If the user changes the password, then s/he will not be able to change the password again until the minimum password age criteria is met. It will also apply if you reset the password through Active Directory but don't check 'User must change password at next logon'.

The user will only be able to change the password if you reset the password or create an account with the option that the user must change his/her password at next logon.

Regards

Ali
0
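The minimum-password-age rule described in the comment above, as an added example that is not part of the original thread: it decodes the raw `pwdLastSet` (user) and `minPwdAge` (domain) attribute values and reports whether a user-initiated change would be accepted. The sample timestamps and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# AD stores times as FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ONE_DAY_TICKS = 24 * 3600 * 10**7

def filetime_to_datetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def can_user_change_password(pwd_last_set, min_pwd_age, now):
    """Return (allowed, changeable_at) for a user-initiated password change.

    pwd_last_set: user's pwdLastSet (FILETIME); 0 means
                  'User must change password at next logon' is set.
    min_pwd_age:  domain minPwdAge, stored as a NEGATIVE tick count
                  (0 = no minimum age).
    """
    if pwd_last_set == 0:
        # Forced-change accounts are exempt from the minimum age.
        return True, None
    min_age = timedelta(microseconds=abs(min_pwd_age) // 10)
    changeable_at = filetime_to_datetime(pwd_last_set) + min_age
    return now >= changeable_at, changeable_at

# Constructed sample data (not taken from the thread).
NOW = datetime(2012, 4, 3, 12, 0, tzinfo=timezone.utc)
CREATED_2H_AGO = datetime_to_filetime(NOW - timedelta(hours=2))
CASES = {
    # New account, 'must change at next logon' NOT ticked, 1-day minimum.
    "new user, min age 1 day": (CREATED_2H_AGO, -ONE_DAY_TICKS),
    # Same account after an admin reset with the box ticked.
    "must change at next logon": (0, -ONE_DAY_TICKS),
    # Same account after the minimum age is set to 0.
    "new user, min age 0": (CREATED_2H_AGO, 0),
}

def evaluate_cases():
    return {name: can_user_change_password(p, m, NOW)
            for name, (p, m) in CASES.items()}

if __name__ == "__main__":
    for name, (allowed, when) in evaluate_cases().items():
        print(f"{name}: allowed={allowed}, changeable_at={when}")
```

A freshly created account already has a `pwdLastSet` timestamp (its creation time) unless the forced-change box was ticked, which is why the minimum age can block an account that has never changed its password.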
 
LVL 13

Author Comment

by:itgroove
ID: 37797588
I understand that, but that doesn't explain how that was affecting users who had not yet changed their password. I attempted the password change on a new user that I created (as I mentioned in my original post), and was unable to: at that point there was no previous password in place to prevent that from happening. Also, as soon as I changed the password minimum age to '0', users who were unable to change their password at all (regardless of how long it had been since they last changed it) were now able to.

This behavior is what I'd like to know the answer to.
0
 
LVL 7

Expert Comment

by:abdulalikhan
ID: 37797652
As I explained, the new user will also be affected if you don't check the option for 'User must change password at next logon'.
0
 
LVL 13

Author Comment

by:itgroove
ID: 37797902
Interesting... thanks again for all your help.
0
 
LVL 7

Expert Comment

by:abdulalikhan
ID: 37800124
Welcome.
0
