  • Status: Solved
  • Priority: Medium
  • Security: Public

User cannot change password on domain. (Server 2008 R2 / Win7x64)

Evening All,
I'm having an issue with "password complexity" in a new 2008 R2 domain.  The end user is on Win7x64.

When one of my end users attempts a password change (via Ctrl/Alt/Del) they are prompted with the following error:

Password Complexity Error
I tried to follow this as the template.  I basically want to turn off any kind of complexity.

Any help is appreciated.
0
Asked by: irishmic33
 
Joseph Daly Commented:
Can you post a screenshot of your password policy GPO?

A few guesses without seeing that.
1. The password is actually not complex upper, lower, number, special
2. The user is retrying a previous password
3. The password is too new and not able to be changed.

To be honest, without seeing your policy it's tough to say.
0
 
irishmic33 (Author) Commented:
This is a single dc network at this point.  This is the only policy applying to password complexity as far as I know.

DC Policy
0
 
rajivkumar07 Commented:
The error says -

1st - Either the user is using a password that he/she used before or it is just too similar.

2nd - Password complexity - the password would look something like this -

W3lc0m31@2 < Complex password.

If you want to remove this complexity (be careful since this is from the built-in domain policy) -

Log into your domain controller, click Start, Administrative Tools, Domain Security Policy, and on the left you will see Account Policies; click on it and then click on Password Policy - disable "Password must meet complexity requirements" on the right.
0

 
irishmic33 (Author) Commented:
A few guesses without seeing that.
1. The password is actually not complex upper, lower, number, special
2. The user is retrying a previous password
3. The password is too new and not able to be changed.

Hmm... possibly #2.  I'll test in a second.
Hmm... also #3, as we're attempting multiple times.
0
 
Joseph Daly Commented:
The password policy should be set at the default domain policy not the default domain controllers policy also.
0
 
irishmic33 (Author) Commented:
Hmm... possibly #2.  I'll test in a second.
No, even complex "new" passwords bring the same error.
0
 
Sarang Tinguria (Sr Engineer) Commented:
You must have a Default Domain Policy... can you post a snapshot of it? As per the policy defined above, users should be able to use any password they want.
0
 
irishmic33 (Author) Commented:
Just added the password complexity settings to "Default Domain Policy"...

... gpupdate /force  on host...

rebooting...
0
 
irishmic33 (Author) Commented:
Just added the password complexity settings to "Default Domain Policy"...

... gpupdate /force  on host...

rebooting...

Nope... same result... posting Default Domain Policy in a second.
0
 
irishmic33 (Author) Commented:
Default Domain: (blurry due to image reduction...)
Default Domain Policy
0
 
Joseph Daly Commented:
So here is my recommendation before we get too far ahead of ourselves.

1. Remove the password policy settings from the default domain controller policy
2. Add the settings to the default domain policy. The password policy should only be set in one place and the default domain policy is where MS recommends it.
3. Once you have done this make sure the computer and user is in an OU where the policy will apply to them.
4. Restart the affected computer, I would actually recommend rebooting it twice.
5. Try changing the password again.
0
 
irishmic33 (Author) Commented:
Performed following steps:
1. Removed password policy setting from DC policy.
2. Added password policy setting from Default Policy.
3. Default Domain Policy is listed at root.
4. gpupdate /force was run on DC
5. gpupdate /force was run on workstation
6. workstation shutdown
7. DC rebooted
8. workstation started

...... Same issue.

Default Policy, DC Policy, GPO Tree
0
 
Joseph Daly Commented:
Ok, one last thing to try. Try setting the minimum length to something above 0, say 5.

Also run a gpresult to make sure the policy is actually applying.

Any errors in the event log on the client?
0
 
irishmic33 (Author) Commented:
Minimum password length = 5 characters
(no other changes)

- ran gpupdate /force on DC
- ran gpupdate /force on workstation
- rebooted workstation
- attempted password reset to something complex (5+ characters)

...Same Error...

I do not see any events in the standard (App, Security, System) logs.
0
 
Joseph Daly Commented:
How about gpresult and rsop?
0
 
irishmic33 (Author) Commented:
Default Domain Policy is active and applied on the computer settings via gpresult -r.
0
 
irishmic33 (Author) Commented:
Confirmed rsop.msc is showing a listing of:

- 5 characters for minimum length
- Disabled "Password Complexity"
- Disabled "Store passwords using reversed"

All defined at "01-Default Domain Policy"
0
 
Sandeshdubey (Senior Server Engineer) Commented:
Since you have disabled the password complexity policy (in the Default Domain Policy and Domain Controller policy), it seems that "Minimum password age" is not set to 0 days, which may be preventing the user from changing the password. Check this, set it to zero and see how it works.

Similar thread, "Password Complixity Error":
http://social.technet.microsoft.com/Forums/windowsserver/en-US/43dcbc5f-e7e4-4aff-8d16-fa82a69690bb/password-complixity-error-while-change-password-through-owa
0
 
irishmic33 (Author) Commented:
Interesting, I'm out of the office, but this one seems the most logical.  I'll give it a run in the morning.

http://serverfault.com/questions/301811/users-cant-change-password-trough-owa-for-exchange-2010
0
 
irishmic33 (Author) Commented:
Well, maybe just a fresh set of eyes worked.

I first set 0's on history, age, and length...   but unfortunately it brought back the same error.  So I just started guessing again and now these settings seemed to have cleared up the issue.  It even allows a reset back onto the same password...  

Working Settings
Weird...  but good enough for now.  Onto the next issues...

Thanks!
0
 
McKnife Commented:
Hi.

Again and again, people run into the same misunderstanding... let me quote:
1. Remove the password policy settings from the default domain controller policy
2. Add the settings to the default domain policy. The password policy should only be set in one place and the default domain policy is where MS recommends it.
3. Once you have done this make sure the computer and user is in an OU where the policy will apply to them.
4. Restart the affected computer, I would actually recommend rebooting it twice.
5. Try changing the password again.
1&2) Not necessary. The fact that MS recommends to use the DDP instead of the DDCP is true, but just because that way, not only domain accounts but also local accounts are forced to use complex passwords.
3) Not necessary, as we are talking about a domain account - the domain account is governed at the DC, not at the client... that's why applying the policy to the client will have no effect at all.
Edit: ...and to the user? Never ever will computer configuration settings of policies apply to user objects.
4) Restarting has no effect.

@irishmic33:
You need to run rsop.msc on all domain controllers. Check the output to see if the settings got applied there - the client does not matter at all as we are talking about a domain account.
0
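The causes raised in this thread (minimum length, complexity, password history and minimum password age, all evaluated against the policy the domain controllers enforce) can be checked in one pass. The following is an added example, not code from any poster: the function name `Get-PasswordChangeBlocker`, the account `jdoe` and the sample policy values are constructed, and the complexity test is a simplified three-of-four character-class check that omits the account-name rule.

```powershell
# Added example. $Policy only needs the property names that
# Get-ADDefaultDomainPasswordPolicy returns (ActiveDirectory module).
function Get-PasswordChangeBlocker {
    param(
        [Parameter(Mandatory=$true)] $Policy,
        [Parameter(Mandatory=$true)] [datetime] $PasswordLastSet,
        [Parameter(Mandatory=$true)] [string] $Candidate,
        [datetime] $Now = (Get-Date)
    )
    $reasons = @()
    # Minimum password age: a change is refused until the current password is old enough.
    $age = $Now - $PasswordLastSet
    if ($age -lt $Policy.MinPasswordAge) {
        $reasons += ("Minimum age not reached: password is {0:N1} h old, policy requires {1:N1} h" -f
            $age.TotalHours, $Policy.MinPasswordAge.TotalHours)
    }
    if ($Candidate.Length -lt $Policy.MinPasswordLength) {
        $reasons += ("Too short: {0} characters, policy requires {1}" -f
            $Candidate.Length, $Policy.MinPasswordLength)
    }
    if ($Policy.ComplexityEnabled) {
        # Simplified: count upper, lower, digit and symbol classes (case-sensitive match).
        $classes = 0
        foreach ($p in '[A-Z]', '[a-z]', '\d', '[^A-Za-z0-9]') {
            if ($Candidate -cmatch $p) { $classes++ }
        }
        if ($classes -lt 3) { $reasons += "Complexity: only $classes of 4 character classes used" }
    }
    if ($Policy.PasswordHistoryCount -gt 0) {
        # Stored hashes cannot be compared here, so this is reported as a possible cause only.
        $reasons += "History: reuse of the last $($Policy.PasswordHistoryCount) passwords is rejected"
    }
    return $reasons
}

# Constructed sample: length 5 and complexity disabled as in the thread's rsop output;
# the history count and minimum age are made-up values.
$policy = New-Object PSObject -Property @{
    ComplexityEnabled = $false; MinPasswordLength = 5
    PasswordHistoryCount = 24;  MinPasswordAge = [TimeSpan]::FromDays(1)
}
Get-PasswordChangeBlocker -Policy $policy -PasswordLastSet (Get-Date).AddHours(-2) -Candidate 'W3lc0m31@2'

# Against a live domain (hypothetical account 'jdoe'), query every DC:
# foreach ($dc in Get-ADDomainController -Filter *) {
#     $p = Get-ADDefaultDomainPasswordPolicy -Server $dc.HostName
#     $u = Get-ADUser -Identity 'jdoe' -Server $dc.HostName -Properties PasswordLastSet
#     Get-PasswordChangeBlocker -Policy $p -PasswordLastSet $u.PasswordLastSet -Candidate 'W3lc0m31@2'
# }
```

With the constructed values, the sample call reports the minimum-age and history conditions even though the candidate password satisfies the length setting and complexity is disabled.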
