I have a situation where users are being prompted to change their password as per the default password policy, but when they attempt to change their password they get the error message "Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain."
My environment is a Windows Server 2008 SP2, with Windows 7 workstations
Here's what I've tried so far:
- verified that workstation's time is synced with the DC that holds the GPO
- verified that I'm able to change the user's password in Active Directory. (the same password that gave the error when attempting to change it from the workstation)
- ran GPO Modelling, which confirmed that the user was receiving the correct GPO
- ran Resultant Set of Policy on the workstation, verified that it was receiving the GPO settings
- made a minor change to the GPO (added a shortcut to user's desktops), gpupdate /force on server and workstation, rebooted workstation and changes applied correctly.
- removed the shortcut that I added (gpupdate /force all around), logged back in to the workstation - no shortcut on desktop (GPO applying correctly)
- created a new user with default permissions and logged in to see if I can change his password : no dice
- logged on to the workstation as domain admin, and was able to change my own password through Ctrl-Alt-Del
- moved user out of his OU, and into the No Policy OU (same as domain admin), no change
- gave the user admin rights, still unable to change password from the workstation
- removed all password policies from the Default Domain GPO (set all password settings to Not Defined) - gpupdate/force reboot - no change
- disabled Default Domain Policy (gpupdate /force, reboot) no change
- re-enabled Default Domain Policy and recreated password policies, forced an update - no difference.
- made the user in question a local admin on their workstation - no difference
I'm stumped! Has anyone come across this, or have any ideas?