Password Policies in the Default Domain Policy

I have a situation where users are being prompted to change their password as per the default password policy, but when they attempt to change their password they get the error message "Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain."

My environment is a Windows Server 2008 SP2, with Windows 7 workstations.

Here's what I've tried so far:
- verified that workstation's time is synced with the DC that holds the GPO
- verified that I'm able to change the user's password in Active Directory. (the same password that gave the error when attempting to change it from the workstation)
- ran GPO Modelling, which confirmed that the user was receiving the correct GPO
- ran Resultant Set of Policy on the workstation, verified that it was receiving the GPO settings
- made a minor change to the GPO (added a shortcut to user's desktops), gpupdate /force on server and workstation, rebooted workstation and changes applied correctly.
- removed the shortcut that I added (gpupdate /force all around), logged back in to the workstation - no shortcut on desktop (GPO applying correctly)
- created a new user with default permissions and logged in to see if I can change his password : no dice
- logged on to the workstation as domain admin, and was able to change my own password through Ctrl-Alt-Del
- moved user out of his OU, and into the No Policy OU (same as domain admin), no change
- gave the user admin rights, still unable to change password from the workstation
- removed all password policies from the Default Domain GPO (set all password settings to Not Defined) - gpupdate /force, reboot - no change
- disabled Default Domain Policy (gpupdate /force, reboot) no change
- re-enabled Default Domain Policy and recreated password policies, forced an update - no difference.
- made the user in question a local admin on their workstation - no difference

I'm stumped! Has anyone come across this, or have any ideas?
Asked by: itgroove
 
Anuroopsundd commented:
Try password with complexity.... P@ssword!23
 
abdulalikhan commented:
There must be a password history enabled which is not letting you change the password and also the password complexity. Try changing the password as mentioned above.
 
abdulalikhan commented:
I request you to also verify in the user properties through Active Directory Users and Computers that the 'user cannot change password' is checked or unchecked. It should be unchecked.

Also check what the minimum password age is in the default domain policy. It should be set to '0' to allow users to change their passwords immediately. You can also avoid changing the value and still allow the user to change the password by resetting the password through 'Active Directory' and checking 'User must change his password at next log on'.
 
Anuroopsundd commented:
Also you can check on the client side what password policy you are getting.
C:\Windows\System32\gpedit.msc
This will open the Local Group Policy Editor.
Then go to:
Computer Configuration
 -> Windows Settings
 -> Security Settings
 -> Account Policy

On the right-hand side you can see what the password policy is.
 
Sandy commented:
Use Default domain policy because here "Domain" itself defines policy to be implemented on both server and workstations.
 
itgroove (author) commented:
Surprisingly, it was the second part of this answer that fixed the problem - I changed the minimum password age to '0', and hey, presto! people are able to change their passwords.

I'm not sure why this works, but I'm happy to have it working again - thanks for all your help!
 
abdulalikhan commented:
Welcome.

Explanation of the solution: It is by design. If the user changes the password, then s/he will not be able to change the password until the minimum password age criteria is matched. It will also apply if you reset the password through Active Directory but don't check that the 'user will change the password at next login'.

The user will only be able to change the password if you reset the password or create an account with the option that user will change his/her password at next logon.

Regards

Ali
 
itgroove (author) commented:
I understand that, but that doesn't explain how that was affecting users who had not yet changed their password. I attempted the password change on a new user that I created (as I mentioned in my original post), and was unable to: at that point there was no previous password in place to prevent that from happening. Also, as soon as I changed the password minimum age to '0', users who were unable to change their password at all (regardless of how long it had been since they last changed it) were now able to.

This behavior is what I'd like to know the answer to.
 
abdulalikhan commented:
As I explained, the new user will also be affected if you don't check the option for 'User must change password at next logon'.
 
itgroove (author) commented:
Interesting... thanks again for all your help.
 
abdulalikhan commented:
Welcome.
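
The three conditions raised in the answers above (the 'User cannot change password' flag, the minimum password age, and 'User must change password at next logon') can be checked together for one account. This is an added example, not code from the thread; it assumes the ActiveDirectory PowerShell module (RSAT) can query the domain, and `jdoe` is a placeholder account name.

```powershell
# Added example: reports whether a user-initiated password change would be allowed now.
# Assumption: the ActiveDirectory module is installed and can reach a domain controller.
Import-Module ActiveDirectory

function Test-PasswordChangeAllowed {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName
    )

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties pwdLastSet, PasswordLastSet, CannotChangePassword

    # A fine-grained password policy, when one applies to the user,
    # takes precedence over the domain-wide values.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $user
    $source = 'fine-grained password policy'
    if (-not $policy) {
        $policy = Get-ADDefaultDomainPasswordPolicy
        $source = 'domain password policy'
    }

    $minAge     = $policy.MinPasswordAge        # TimeSpan; zero means no waiting period
    $mustChange = ($user.pwdLastSet -eq 0)      # 'User must change password at next logon'

    # With pwdLastSet = 0 there is no last-set time to measure the minimum age from.
    if ($mustChange -or -not $user.PasswordLastSet) { $earliest = Get-Date }
    else { $earliest = $user.PasswordLastSet + $minAge }

    $blockedBy = 'nothing checked here'
    if ($user.CannotChangePassword) { $blockedBy = "'User cannot change password' flag" }
    elseif ($earliest -gt (Get-Date)) { $blockedBy = "minimum password age ($minAge)" }

    New-Object PSObject -Property @{
        User               = $user.SamAccountName
        PolicySource       = $source
        MinPasswordAge     = $minAge
        PasswordLastSet    = $user.PasswordLastSet
        MustChangeAtLogon  = $mustChange
        EarliestUserChange = $earliest
        BlockedBy          = $blockedBy
    }
}

# 'jdoe' is a placeholder; substitute the affected account.
Test-PasswordChangeAllowed -SamAccountName 'jdoe' | Format-List
```

Length, complexity and history rules are not evaluated by this check; it only covers the account flag and the minimum-age timing discussed in the thread.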