Password Policies in the Default Domain Policy

I have a situation where users are being prompted to change their password as per the default password policy, but when they attempt to change their password they get the error message "Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain."

My environment is Windows Server 2008 SP2, with Windows 7 workstations.

Here's what I've tried so far:
- verified that workstation's time is synced with the DC that holds the GPO
- verified that I'm able to change the user's password in Active Directory. (the same password that gave the error when attempting to change it from the workstation)
- ran GPO Modelling, which confirmed that the user was receiving the correct GPO
- ran Resultant Set of Policy on the workstation, verified that it was receiving the GPO settings
- made a minor change to the GPO (added a shortcut to user's desktops), gpupdate /force on server and workstation, rebooted workstation and changes applied correctly.
- removed the shortcut that I added (gpupdate /force all around), logged back in to the workstation - no shortcut on desktop (GPO applying correctly)
- created a new user with default permissions and logged in to see if I can change his password : no dice
- logged on to the workstation as domain admin, and was able to change my own password through Ctrl-Alt-Del
- moved user out of his OU, and into the No Policy OU (same as domain admin), no change
- gave the user admin rights, still unable to change password from the workstation
- removed all password policies from the Default Domain GPO (set all password settings to Not Defined) - gpupdate/force reboot - no change
- disabled Default Domain Policy (gpupdate /force, reboot) no change
- re-enabled Default Domain Policy and recreated password policies, forced an update - no difference.
- made the user in question a local admin on their workstation - no difference

I'm stumped! Has anyone come across this, or have any ideas?
itgrooveAsked:

AnuroopsunddCommented:
Try a password with complexity... P@ssword!23
0
abdulalikhanCommented:
There must be a password history enabled which is not letting you change the password and also the password complexity. Try changing the password as mentioned above.
0
abdulalikhanCommented:
I request you to also verify in the user properties through Active Directory Users and Computers that the 'user cannot change password' is checked or unchecked. It should be unchecked.

Also check what the minimum password age is in the default domain policy. It should be set to '0' to allow users to change their passwords immediately. You can also avoid changing the value and still allow the user to change the password by resetting the password through 'Active Directory' and checking 'User must change his password at next log on'.
0


AnuroopsunddCommented:
Also, you can check on the client side what password policy you are getting.
C:\Windows\System32\gpedit.msc
This will open the Local Group Policy Editor.
Then go to:
Computer Configuration -> Windows Settings -> Security Settings -> Account Policy

On the right-hand side you can see what the password policy is.
0
SandyCommented:
Use Default domain policy because here "Domain" itself defines policy to be implemented on both server and workstations.
0
itgrooveAuthor Commented:
Surprisingly, it was the second part of this answer that fixed the problem - I changed the minimum password age to '0', and hey, presto! people are able to change their passwords.

I'm not sure why this works, but I'm happy to have it working again - thanks for all your help!
0
abdulalikhanCommented:
Welcome.

Explanation of the solution: It is by design. If the user changes the password, then s/he will not be able to change the password again until the minimum password age criterion is met. It will also apply if you reset the password through Active Directory but don't check 'user will change the password at next login'.

The user will only be able to change the password if you reset the password or create an account with the option that user will change his/her password at next logon.

Regards

Ali
0
itgrooveAuthor Commented:
I understand that, but that doesn't explain how that was affecting users who had not yet changed their password. I attempted the password change on a new user that I created (as I mentioned in my original post), and was unable to: at that point there was no previous password in place to prevent that from happening. Also, as soon as I changed the password minimum age to '0', users who were unable to change their password at all (regardless of how long it had been since they last changed it) were now able to.

This behavior is what I'd like to know the answer to.
0
abdulalikhanCommented:
As I explained, the new user will also be affected if you don't check the option for 'User must change password at next logon'.
0
itgrooveAuthor Commented:
Interesting... thanks again for all your help.
0
abdulalikhanCommented:
Welcome.
0
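The minimum-password-age behaviour explained in this thread, as an added example that is not from any of the posters: the function below models the check using the two Active Directory attributes involved, the user's `pwdLastSet` and the domain's `minPwdAge`. The function name `Test-PasswordChangeAllowed` is hypothetical and the sample timestamps and ages are constructed; nothing here queries a live domain.

```powershell
# Added example. Models the rule "a user may change their own password only
# after minPwdAge has elapsed since pwdLastSet, unless pwdLastSet is 0".
function Test-PasswordChangeAllowed {
    param(
        # User's pwdLastSet as a FILETIME; 0 means "User must change password at next logon".
        [Parameter(Mandatory = $true)] [long] $PwdLastSet,
        # Domain minPwdAge as stored in AD: negative 100-ns intervals; 0 means no minimum age.
        [Parameter(Mandatory = $true)] [long] $MinPwdAge,
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )

    if ($PwdLastSet -eq 0) {
        # Forced change at next logon: the minimum age does not block the user.
        return New-Object PSObject -Property @{
            Allowed = $true; EarliestChange = $null
            Reason  = 'pwdLastSet is 0 (must change at next logon)'
        }
    }

    $minAge   = [TimeSpan]::FromTicks([Math]::Abs($MinPwdAge))
    $earliest = [DateTime]::FromFileTimeUtc($PwdLastSet) + $minAge
    $allowed  = $Now -ge $earliest
    $reason   = if ($allowed) { 'minimum password age satisfied' }
                else          { 'password is younger than the minimum password age' }

    New-Object PSObject -Property @{
        Allowed = $allowed; EarliestChange = $earliest; Reason = $reason
    }
}

# Constructed sample values (not taken from the thread).
$now        = New-Object DateTime -ArgumentList 2024, 1, 10, 12, 0, 0, ([DateTimeKind]::Utc)
$oneDay     = -([TimeSpan]::FromDays(1).Ticks)      # minPwdAge of 1 day, as AD stores it
$setAnHrAgo = $now.AddHours(-1).ToFileTimeUtc()     # account created with a password 1 hour ago

# 1. New account, password set at creation, minimum age 1 day: change is refused.
Test-PasswordChangeAllowed -PwdLastSet $setAnHrAgo -MinPwdAge $oneDay -Now $now
# 2. Same policy, but the admin ticked "User must change password at next logon".
Test-PasswordChangeAllowed -PwdLastSet 0 -MinPwdAge $oneDay -Now $now
# 3. Same account after the minimum password age is set to 0.
Test-PasswordChangeAllowed -PwdLastSet $setAnHrAgo -MinPwdAge 0 -Now $now
```

Case 1 corresponds to the freshly created test user in the question, and cases 2 and 3 correspond to the two workarounds suggested in the answers.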

Question has a verified solution.
