Solved

users can't change password, doesn't meet complexity - but does

Posted on 2013-01-28
Last Modified: 2013-01-29
Greetings,

Users get an error stating passwords don't meet complexity when manually changing through Ctrl+Alt+Delete, but they do. I can change in AD on server, but not at workstation with same password. Very aggravating. Multiple emails and calls from users regarding this, so I need some help. Searched online but found nothing pertinent yet.

Win 2003 SP2 PDC; XP Pro and Win 7 Pro desktops / laptops

THANKS!
Question by:rpliner
10 Comments
 

Expert Comment

by:avcontrol
ID: 38827061
Win XP has an issue updating AD policy unless the WinXP station logs off/logs in/restarts, while Win 7 does not.
Not sure if this is the issue, but yes there should be no issue as you described.

Expert Comment

by:mmicha
ID: 38827081
You might want to take a peek at your Default Domain Policy. Check your account details and make sure that "Password must meet complexity requirements" is not enabled.

This link: http://technet.microsoft.com/en-us/library/cc875814.aspx   ...  has details on where to look to find it.  It may also be present in another GPO, but a lot of the time it is in the default domain policy.

Expert Comment

by:TunerML
ID: 38827139
I also believe by default users can't reuse passwords even if they meet complexity requirements, as per the default domain policy settings; this may also be contributing to the issue.

Author Comment

by:rpliner
ID: 38827159
Thanks for the quick replies. I'll have the user restart, then log in and try. I'll also make certain it's not a reused password. We want complexity enabled, and it has been for a while now, but it just started not allowing manual changes through Ctrl+Alt+Delete.

Thx again

Expert Comment

by:PaciB
ID: 38827374
Hi,

Don't forget that password complexity has many constraints that we usually don't remember...

As an example:
The password cannot contain the last name
The password cannot contain the first name
The password cannot contain the login name

So if my login is "johndoe" the password @%$johndoe123@§§!! will be refused, even if it looks a bit complex!

Also, if you have just changed the password of the user and did not check the box "the user must change the password at next logon", and if you have a minimum password age policy, your user won't be able to change their password, whatever the password is... That's in fact normal because the password cannot be changed before the minimum password age...

So, that was just to say that there are many reasons for the password change to fail with this message saying the password doesn't comply with the complexity requirements...

Until now I have never seen a case that cannot be explained by the policy settings. You just have to find the policy that prohibits the change.

Have a good day.

Author Comment

by:rpliner
ID: 38827423
Thanks PaciB. The password used for testing was 12345Qwerty! and was never used before. I checked AD and the user account does not have "User cannot change password" ticked. Our policy, under Default Domain Security Settings, is as such:

PW history = 2 days

max PW age = 90

min PW age = 2

min PW length = 6

complexity = enabled

rvs encryption = disabled

Thanks

Accepted Solution

by:
PaciB earned 350 total points
ID: 38827450
Ok,

I see that the min PW age is 2 days.
So if you already changed the user password more recently than 2 days ago, the user cannot change it again and will receive the message saying the password does not meet complexity requirements.
This is also true if an admin resets the password for the user! The user won't be able to change it again before 2 days.
If you want the user to change the password immediately you have to check the box "the user must change password at next logon". Try it and see if you can set the password you want.
0
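The checks discussed in this thread, as an added example that is not part of any poster's reply: a simplified Python model that reports which policy rule blocks a user-initiated password change, using the policy values posted above. The `diagnose` helper, the user name parts and the dates are constructed for illustration, and the complexity test is a simplification, not the Windows implementation.

```python
from datetime import datetime, timedelta

# Policy values as posted in the thread (Default Domain Security Settings).
POLICY = {"min_age_days": 2, "min_length": 6, "complexity": True}

def complexity_ok(password, name_parts):
    """Simplified model: 3 of 4 character classes, no name part inside."""
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    lowered = password.lower()
    has_name = any(p and p.lower() in lowered for p in name_parts)
    return sum(classes) >= 3 and not has_name

def diagnose(password, name_parts, last_set, must_change_at_logon, now):
    """Return the reasons a user-initiated change would be refused."""
    reasons = []
    # Minimum age applies to user-initiated changes and is skipped when
    # "user must change password at next logon" is ticked.
    if not must_change_at_logon:
        age = now - last_set
        if age < timedelta(days=POLICY["min_age_days"]):
            reasons.append("minimum password age not reached")
    if len(password) < POLICY["min_length"]:
        reasons.append("shorter than minimum length")
    if POLICY["complexity"] and not complexity_ok(password, name_parts):
        reasons.append("fails complexity rules")
    return reasons

# Constructed sample data: a hypothetical user whose password was reset
# by an admin one day before the attempt.
NOW = datetime(2013, 1, 28, 9, 0)
USER = ["john", "doe", "johndoe"]
RESET_YESTERDAY = NOW - timedelta(days=1)

if __name__ == "__main__":
    # Test password from the thread: complex enough, blocked by age only.
    print(diagnose("12345Qwerty!", USER, RESET_YESTERDAY, False, NOW))
    # Same password with "must change at next logon" ticked: allowed.
    print(diagnose("12345Qwerty!", USER, RESET_YESTERDAY, True, NOW))
    # PaciB's example: old enough, but contains the login name.
    print(diagnose("@%$johndoe123@§§!!", USER, NOW - timedelta(days=30), False, NOW))
```

The workstation shows the same complexity message for every one of these reasons, so listing them separately is what tells the min-age case apart from a genuinely weak password.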
 

Assisted Solution

by:msallam
msallam earned 150 total points
ID: 38827452
The password minimum age is 2 days. You cannot change it before 2 days.
It seems this is the issue.

Author Comment

by:rpliner
ID: 38827493
I will confirm he did not change it within the last two days, try again, and then report back.

thanks

Author Closing Comment

by:rpliner
ID: 38831277
thanks. worked today.