Solved

User cannot change password on domain. (Server 2008 R2 / Win7x64)

Posted on 2013-07-01
Last Modified: 2013-07-02
Evening All,
I'm having an issue with "password complexity" in a new 2008 R2 domain.  The end user is on Win7x64.

When one of my end users attempts a password change (via Ctrl/Alt/Del) they are prompted with the following error:

Password Complexity Error
I tried to follow this as the template.  I basically want to turn off any kind of complexity.

Any help is appreciated.
0
Question by:irishmic33
21 Comments
 
LVL 35

Expert Comment

by:Joseph Daly
Can you post a screenshot of your password policy GPO?

A few guesses without seeing that.
1. The password is actually not complex upper, lower, number, special
2. The user is retrying a previous password
3. The password is too new and not able to be changed.

To be honest, without seeing your policy it's tough to say.
0
 
LVL 2

Author Comment

by:irishmic33
This is a single dc network at this point.  This is the only policy applying to password complexity as far as I know.

DC Policy
0
 
LVL 4

Expert Comment

by:rajivkumar07
The error says -

1st - Either the user is using a password that he/she used before or it is just too similar.

2nd - Password complexity - the password would look something like this -

W3lc0m31@2 < Complex password.

If you want to remove this complexity (be careful since this is from the built-in domain policy) -

Log into your domain controller, click Start, Administrative Tools, Domain Security Policy, and on the left you will see Account Policies. Click on it and then click on Password Policy - disable "Password must meet complexity requirements" on the right.
0
 
LVL 2

Author Comment

by:irishmic33
A few guesses without seeing that.
1. The password is actually not complex upper, lower, number, special
2. The user is retrying a previous password
3. The password is too new and not able to be changed.

Hmm... possibly #2.  I'll test in a second.
Hmm... also #3, as we're attempting multiple times.
0
 
LVL 35

Expert Comment

by:Joseph Daly
The password policy should be set at the default domain policy not the default domain controllers policy also.
0
 
LVL 2

Author Comment

by:irishmic33
Hmm... possibly #2.  I'll test in a second.
no, even complex "new" passwords bring the same error.
0
 
LVL 18

Expert Comment

by:sarang_tinguria
You must be having a default domain policy... can you post a snap of it? As per the policy defined above, users should be able to use any password they want.
0
 
LVL 2

Author Comment

by:irishmic33
Just added the password complexity settings to "Default Domain Policy"...

... gpupdate /force  on host...

rebooting...
0
 
LVL 2

Author Comment

by:irishmic33
Just added the password complexity settings to "Default Domain Policy"...

... gpupdate /force  on host...

rebooting...

Nope... same result... posting Default Domain Policy in a second.
0
 
LVL 2

Author Comment

by:irishmic33
Default Domain: (blurry due to image reduction...)
Default Domain Policy
0
 
LVL 35

Accepted Solution

by:
Joseph Daly earned 250 total points
So here is my recommendation before we get too far ahead of ourselves.

1. Remove the password policy settings from the default domain controller policy
2. Add the settings to the default domain policy. The password policy should only be set in one place and the default domain policy is where MS recommends it.
3. Once you have done this make sure the computer and user are in an OU where the policy will apply to them.
4. Restart the affected computer, I would actually recommend rebooting it twice.
5. Try changing the password again.
0
 
LVL 2

Author Comment

by:irishmic33
Performed following steps:
1. Removed password policy setting from DC policy.
2. Added password policy setting from Default Policy.
3. Default Domain Policy is listed at root.
4. gpupdate /force was run on DC
5. gpupdate /force was run on workstation
6. workstation shutdown
7. DC rebooted
8. workstation started

...... Same issue.

Default Policy, DC Policy, GPO Tree
0
 
LVL 35

Expert Comment

by:Joseph Daly
Ok one last thing to try. Try setting minimum length to something above 0 say like 5.

Also run a gpresult to make sure the policy is actually applying

Any errors in the event log on the client?
0
 
LVL 2

Author Comment

by:irishmic33
Minimum password length = 5 characters
(no other changes)

- ran gpupdate /force on DC
- ran gpupdate /force on workstation
- rebooted workstation
- attempted password reset to something complex (5+ characters)

...Same Error...

I do not see any events in the standard (App, Security, System) logs.
0
 
LVL 35

Expert Comment

by:Joseph Daly
How about gpresult and rsop?
0
 
LVL 2

Author Comment

by:irishmic33
Default Domain Policy is active and applied on the computer settings via gpresult -r.
0
 
LVL 2

Author Comment

by:irishmic33
confirmed rsop.msc is showing a listing of:

- 5 characters for minimum length
- Disabled "Password Complexity"
- Disabled "Store passwords using reversed"

All defined at "01-Default Domain Policy"
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 250 total points
Since you have disabled the password complexity policy (in Default Domain Policy & Domain Controller policy), it seems that "Minimum password age" is not set to 0 days, which may be preventing the user from changing the password. Check the same and set it to zero and see how it works.

Similar thread, Password Complixity Error:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/43dcbc5f-e7e4-4aff-8d16-fa82a69690bb/password-complixity-error-while-change-password-through-owa
0
 
LVL 2

Author Comment

by:irishmic33
Interesting, I'm out of the office, but this one seems the most logical.  I'll give it a run in the morning.

http://serverfault.com/questions/301811/users-cant-change-password-trough-owa-for-exchange-2010
0
 
LVL 2

Author Comment

by:irishmic33
Well, maybe just a fresh set of eyes worked.

I first set 0's on history, age, and length...   but unfortunately it brought back the same error.  So I just started guessing again and now these settings seemed to have cleared up the issue.  It even allows a reset back onto the same password...  

Working Settings
Weird...  but good enough for now.  Onto the next issues...

Thanks!
0
 
LVL 53

Expert Comment

by:McKnife
Hi.

Again and again, people run into the same misunderstanding... let me quote:
1. Remove the password policy settings from the default domain controller policy
2. Add the settings to the default domain policy. The password policy should only be set in one place and the default domain policy is where MS recommends it.
3. Once you have done this make sure the computer and user is in an OU where the policy will apply to them.
4. Restart the affected computer, I would actually recommend rebooting it twice.
5. Try changing the password again.
1&2) Not necessary. The fact that MS recommends to use the DDP instead of the DDCP is true, but just because that way, not only domain accounts but also local accounts are forced to use complex passwords.
3) Not necessary, as we are talking about a domain account - the domain account is governed at the DC, not at the client... that's why applying the policy to the client will have no effect at all
Edit ...and to the user? Never ever will computer configuration settings of policies apply to user objects.
4) Restarting has no effect.

@irishmic33:
You need to run rsop.msc on all domain controllers. Check the output to see if the settings got applied there - the client does not matter at all as we are talking about a domain account.
0
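Added example, not part of the thread or any poster's code: a PowerShell check that combines two suggestions made above, reading the password policy as each domain controller reports it and testing whether "Minimum password age" is what blocks the change. It assumes the ActiveDirectory module is available; the account name `jdoe` is a placeholder.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$sam = 'jdoe'   # placeholder account name (assumption)

# 1. Domain account passwords are validated by the DC, so read the domain
#    password policy as each DC reports it and look for differences.
$policies = @(foreach ($dc in Get-ADDomainController -Filter *) {
    Get-ADDefaultDomainPasswordPolicy -Server $dc.HostName |
        Select-Object @{n='DC'; e={$dc.HostName}}, ComplexityEnabled,
            MinPasswordLength, PasswordHistoryCount, MinPasswordAge, MaxPasswordAge
})
$policies | Format-Table -AutoSize

# 2. A fine-grained password policy (PSO) applied to the user takes precedence
#    over the domain policy; this returns nothing when no PSO applies.
$pso = Get-ADUserResultantPasswordPolicy -Identity $sam
$effective = if ($pso) { $pso } else { $policies[0] }

# 3. Minimum password age: a change is refused until PasswordLastSet + MinPasswordAge.
$user = Get-ADUser -Identity $sam -Properties PasswordLastSet, CannotChangePassword
if ($user.CannotChangePassword) {
    "$sam has 'User cannot change password' set on the account."
}
elseif (-not $user.PasswordLastSet) {
    "$sam has no PasswordLastSet value (must change at next logon); minimum age does not apply."
}
else {
    $earliest = $user.PasswordLastSet + $effective.MinPasswordAge
    if ((Get-Date) -lt $earliest) {
        "Change blocked by minimum password age until $earliest."
    } else {
        "Minimum password age is not blocking; check history ($($effective.PasswordHistoryCount)) and complexity ($($effective.ComplexityEnabled))."
    }
}
```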
