Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

"The Password Cannot Be Changed at This Time" Error Message When You Try to Change a User's Password

Posted on 2012-12-27
18
Medium Priority
?
614 Views
Last Modified: 2012-12-27
Earlier in the default domain policy I had complex password enabled and minimum to 1.. now I have changed all that based on this article
http://support.microsoft.com/kb/273004

 i have users still with the issue that they can't change the password because of complex passwords required and more then 6 characters. I have done a gpudate on the machines and still no luck. Any suggestions why its still trying to use the old default domain policy when it has it been modified?
0
Comment
Question by:shoris
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
18 Comments
 
LVL 9

Expert Comment

by:newmath
ID: 38724921
At the end of that article it mentions that you need to refresh the security policy on the DC - not just the workstations. Did you do that?
0
 
LVL 29

Expert Comment

by:becraig
ID: 38724925
Have you tried the steps below:

    Run “gpmc.msc” or click “Start -> Administrative Tools -> Group Policy Management”
    Expand Group Policy Management -> Forest: <domain> -> Domains -> <domain>
    Right click Default Domain Policy and click edit.
    Expand Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy
    Edit your password complexity.

The link you have above shows changes for age but not for complexity.


Also be sure to run gpupdate /force from clients when done.
0
 

Author Comment

by:shoris
ID: 38724959
yes I have disabled password complexity.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 

Author Comment

by:shoris
ID: 38724962
In the revised policy i have disabled password complexity..  still issues.
0
 

Author Comment

by:shoris
ID: 38724976
Yes, I have refreshed the policy on the domain controllers and i have even rebooted the two domain controllers which is why i'm a little shocked that its not taking the new policy changes.
0
 
LVL 39

Expert Comment

by:Philip Elder
ID: 38725001
The error message is due to the "Minimum Age" setting. Has that been changed?

Philip
0
 

Author Comment

by:shoris
ID: 38725034
Yes, I changed it to 0...
0
 
LVL 39

Expert Comment

by:Philip Elder
ID: 38725082
Now, the catch is that your systems may have a Group Policy Tattoo. Meaning, they may not let go of the original setting.

Verify in one of the affected machine's local policy if the setting is indeed 0 on that local machine.

Philip
0
 

Author Comment

by:shoris
ID: 38725133
hmmmm thanks Phillip.. How would i verify on the affected machine local policy if it is 0.. same process of the default domain policy settings?
0
 

Author Comment

by:shoris
ID: 38725138
And I'm wondering if that is the case "tatooed".. not letting go of the orginial setting, how do clear it on the machine? I was thinking the same thing but I can't seem to find out how to clear the machine cache??
0
 
LVL 39

Accepted Solution

by:
Philip Elder earned 2000 total points
ID: 38725193
On Windows Vista and above:
Click Start --> type secpol.msc --> CTRL+ENTER --> UAC --> Approve/Consent.

Local Security Policy
That's where it is.

P.
0
 

Author Comment

by:shoris
ID: 38725225
Ok.. that's interesting.. I just looked at that machine and even though i did a gpupdate /force and rebooted the machine, it appears that its still taking the orginal one.. How in the world do I clear that on the machine?
0
 
LVL 39

Expert Comment

by:Philip Elder
ID: 38725244
Try logging in with a user that has not logged into the machine before. Is the setting still there?

P.
0
 

Author Comment

by:shoris
ID: 38725318
Ok.. this is weird on one machine another user logged in shows different, and another machine a different user logged in shows same orginal policy.. Weird.
0
 
LVL 39

Assisted Solution

by:Philip Elder
Philip Elder earned 2000 total points
ID: 38725376
Windows 7?

Elevate a command prompt and:

gpresult /h c:\UserNameGPResults.html [Enter]

Copy the result out to a management folder and open in IE. Allow if prompted by IE Security.

You should see where the GPOs are coming from.

P.
0
 

Author Comment

by:shoris
ID: 38725526
This is extremely strange, on the default domain policy, I have made the modications but when i ran the secpol.msc on the domain controller it has the old settings.. Is it safe to make those changes on the DC for Local Security policies?
0
 

Author Comment

by:shoris
ID: 38725554
also, this was a migrated computer to a new domain so i can see some lingering polcies from the other domain.. so how can i clear out all the policies and them re-applied and strangely about the domain controller policy default domain is set to the orginal.. I will make that change now..
0
 

Author Comment

by:shoris
ID: 38725575
I was able to make the password change on the machine after making the local security policy on the domain controller the same as the default domain policy.

However, when i checked the account policy on the machine, it appears that its still not pulling it from the default domain policy and doing the gpresults, i can't see anywhere the default domain policy apply??? am I missing something here?
0

Featured Post

Tech or Treat! - Giveaway

Submit an article about your scariest tech experience—and the solution—and you’ll be automatically entered to win one of 4 fantastic tech gadgets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question