"The Password Cannot Be Changed at This Time" Error Message When You Try to Change a User's Password

Earlier in the default domain policy I had complex password enabled and minimum to 1.. now I have changed all that based on this article
http://support.microsoft.com/kb/273004

 i have users still with the issue that they can't change the password because of complex passwords required and more then 6 characters. I have done a gpudate on the machines and still no luck. Any suggestions why its still trying to use the old default domain policy when it has it been modified?
shorisAsked:
Who is Participating?
 
Philip ElderConnect With a Mentor Technical Architect - HA/Compute/StorageCommented:
On Windows Vista and above:
Click Start --> type secpol.msc --> CTRL+ENTER --> UAC --> Approve/Consent.

Local Security Policy
That's where it is.

P.
0
 
newmathCommented:
At the end of that article it mentions that you need to refresh the security policy on the DC - not just the workstations. Did you do that?
0
 
becraigCommented:
Have you tried the steps below:

    Run “gpmc.msc” or click “Start -> Administrative Tools -> Group Policy Management”
    Expand Group Policy Management -> Forest: <domain> -> Domains -> <domain>
    Right click Default Domain Policy and click edit.
    Expand Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy
    Edit your password complexity.

The link you have above shows changes for age but not for complexity.


Also be sure to run gpupdate /force from clients when done.
0
Free tool for managing users' photos in Office 365

Easily upload multiple users’ photos to Office 365. Manage them with an intuitive GUI and use handy built-in cropping and resizing options. Link photos with users based on Azure AD attributes. Free tool!

 
shorisAuthor Commented:
yes I have disabled password complexity.
0
 
shorisAuthor Commented:
In the revised policy i have disabled password complexity..  still issues.
0
 
shorisAuthor Commented:
Yes, I have refreshed the policy on the domain controllers and i have even rebooted the two domain controllers which is why i'm a little shocked that its not taking the new policy changes.
0
 
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
The error message is due to the "Minimum Age" setting. Has that been changed?

Philip
0
 
shorisAuthor Commented:
Yes, I changed it to 0...
0
 
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
Now, the catch is that your systems may have a Group Policy Tattoo. Meaning, they may not let go of the original setting.

Verify in one of the affected machine's local policy if the setting is indeed 0 on that local machine.

Philip
0
 
shorisAuthor Commented:
hmmmm thanks Phillip.. How would i verify on the affected machine local policy if it is 0.. same process of the default domain policy settings?
0
 
shorisAuthor Commented:
And I'm wondering if that is the case "tatooed".. not letting go of the orginial setting, how do clear it on the machine? I was thinking the same thing but I can't seem to find out how to clear the machine cache??
0
 
shorisAuthor Commented:
Ok.. that's interesting.. I just looked at that machine and even though i did a gpupdate /force and rebooted the machine, it appears that its still taking the orginal one.. How in the world do I clear that on the machine?
0
 
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
Try logging in with a user that has not logged into the machine before. Is the setting still there?

P.
0
 
shorisAuthor Commented:
Ok.. this is weird on one machine another user logged in shows different, and another machine a different user logged in shows same orginal policy.. Weird.
0
 
Philip ElderConnect With a Mentor Technical Architect - HA/Compute/StorageCommented:
Windows 7?

Elevate a command prompt and:

gpresult /h c:\UserNameGPResults.html [Enter]

Copy the result out to a management folder and open in IE. Allow if prompted by IE Security.

You should see where the GPOs are coming from.

P.
0
 
shorisAuthor Commented:
This is extremely strange, on the default domain policy, I have made the modications but when i ran the secpol.msc on the domain controller it has the old settings.. Is it safe to make those changes on the DC for Local Security policies?
0
 
shorisAuthor Commented:
also, this was a migrated computer to a new domain so i can see some lingering polcies from the other domain.. so how can i clear out all the policies and them re-applied and strangely about the domain controller policy default domain is set to the orginal.. I will make that change now..
0
 
shorisAuthor Commented:
I was able to make the password change on the machine after making the local security policy on the domain controller the same as the default domain policy.

However, when i checked the account policy on the machine, it appears that its still not pulling it from the default domain policy and doing the gpresults, i can't see anywhere the default domain policy apply??? am I missing something here?
0
All Courses

From novice to tech pro — start learning today.