shoris


"The Password Cannot Be Changed at This Time" Error Message When You Try to Change a User's Password

Earlier in the default domain policy I had complex password enabled and minimum to 1. Now I have changed all that based on this article:
http://support.microsoft.com/kb/273004

I have users still with the issue that they can't change the password because of complex passwords required and more than 6 characters. I have done a gpupdate on the machines and still no luck. Any suggestions why it's still trying to use the old default domain policy when it has been modified?
Windows Server 2008, Windows Server 2003, Active Directory

newmath

At the end of that article it mentions that you need to refresh the security policy on the DC - not just the workstations. Did you do that?
becraig

Have you tried the steps below:

    Run “gpmc.msc” or click “Start -> Administrative Tools -> Group Policy Management”
    Expand Group Policy Management -> Forest: <domain> -> Domains -> <domain>
    Right click Default Domain Policy and click edit.
    Expand Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy
    Edit your password complexity.

The link you have above shows changes for age but not for complexity.


Also be sure to run gpupdate /force from clients when done.
shoris

ASKER

Yes, I have disabled password complexity.
shoris

ASKER

In the revised policy I have disabled password complexity.. still issues.
shoris

ASKER

Yes, I have refreshed the policy on the domain controllers and I have even rebooted the two domain controllers, which is why I'm a little shocked that it's not taking the new policy changes.
Philip Elder

The error message is due to the "Minimum Age" setting. Has that been changed?

Philip
shoris

ASKER

Yes, I changed it to 0...
Philip Elder

Now, the catch is that your systems may have a Group Policy Tattoo. Meaning, they may not let go of the original setting.

Verify in one of the affected machine's local policy if the setting is indeed 0 on that local machine.

Philip
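
An added example, not part of the original thread: one way to do the check described above, by parsing the `[System Access]` section of a `secedit /export` file and comparing it with the values the asker says were set (minimum age 0, complexity disabled). The function names and the sample export are constructed for illustration.

```powershell
# Added example (not from the thread). Expected values come from the thread:
# minimum password age 0 and complexity disabled in the Default Domain Policy.
$Expected = @{ MinimumPasswordAge = 0; PasswordComplexity = 0 }

# Parse the [System Access] section of a secedit export into a hashtable.
function Get-SystemAccessSetting {
    param([string[]]$InfLines)
    $settings = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'System Access')
        } elseif ($inSection -and $text -match '^(\w+)\s*=\s*(-?\d+)$') {
            $settings[$Matches[1]] = [int]$Matches[2]
        }
    }
    $settings
}

# Return one row per expected setting, flagging values that still differ.
function Compare-AccountPolicy {
    param([hashtable]$Actual, [hashtable]$Wanted)
    foreach ($name in $Wanted.Keys) {
        $value = $null   # stays $null when the export lacks the setting
        if ($Actual.ContainsKey($name)) { $value = $Actual[$name] }
        New-Object PSObject -Property @{
            Setting  = $name
            Expected = $Wanted[$name]
            Actual   = $value
            Stale    = ($value -ne $Wanted[$name])
        } | Select-Object Setting, Expected, Actual, Stale
    }
}

# Constructed sample of an export from a machine that kept the old policy.
$sample = @(
    '[Unicode]', 'Unicode=yes',
    '[System Access]',
    'MinimumPasswordAge = 1', 'PasswordComplexity = 1', 'MinimumPasswordLength = 7',
    '[Event Audit]', 'AuditSystemEvents = 0'
)
Compare-AccountPolicy (Get-SystemAccessSetting $sample) $Expected | Format-Table -AutoSize

# On a live machine (elevated prompt), export the effective policy instead:
#   secedit /export /cfg "$env:TEMP\secpol.inf" /areas SECURITYPOLICY
#   $live = Get-SystemAccessSetting (Get-Content "$env:TEMP\secpol.inf")
#   Compare-AccountPolicy $live $Expected | Format-Table -AutoSize
```

Running the same comparison on a domain controller and on an affected workstation shows which of them still reports the old values.
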
shoris

ASKER

Hmmmm, thanks Philip.. How would I verify on the affected machine's local policy if it is 0.. same process as the default domain policy settings?
shoris

ASKER

And I'm wondering, if that is the case ("tattooed", not letting go of the original setting), how do I clear it on the machine? I was thinking the same thing but I can't seem to find out how to clear the machine cache??
ASKER CERTIFIED SOLUTION
Philip Elder

shoris

ASKER

Ok.. that's interesting.. I just looked at that machine and even though I did a gpupdate /force and rebooted the machine, it appears that it's still taking the original one.. How in the world do I clear that on the machine?
Philip Elder

Try logging in with a user that has not logged into the machine before. Is the setting still there?

P.
shoris

ASKER

Ok.. this is weird: on one machine another user logged in shows different, and on another machine a different user logged in shows the same original policy.. Weird.
SOLUTION
Philip Elder

shoris

ASKER

This is extremely strange: on the default domain policy, I have made the modifications, but when I ran secpol.msc on the domain controller it has the old settings.. Is it safe to make those changes on the DC for Local Security policies?
shoris

ASKER

Also, this was a migrated computer to a new domain so I can see some lingering policies from the other domain.. so how can I clear out all the policies and have them re-applied? And strangely, about the domain controller policy, default domain is set to the original.. I will make that change now..
shoris

ASKER

I was able to make the password change on the machine after making the local security policy on the domain controller the same as the default domain policy.

However, when I checked the account policy on the machine, it appears that it's still not pulling it from the default domain policy, and doing the gpresults, I can't see anywhere the default domain policy applied??? Am I missing something here?