Solved

User cannot change password on domain. (Server 2008 R2 / Win7x64)

Posted on 2013-07-01
21
1,794 Views
Last Modified: 2013-07-02
Evening All,
I'm having an issue with "password complexity" in a new 2008 R2 domain.  The end user is on Win7x64.

When one of my end users attempts a password change (via Ctrl/Alt/Del) they are prompted with the following error:

Password Complexity Error
I tried to follow this as the template.  I basically want to turn off any kind of complexity.

Any help is appreciated.
0
Comment
Question by:irishmic33
21 Comments
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 39291358
Can you post a screenshot of your password policy GPO?

A few guesses without seeing that.
1. The password is actually not complex upper, lower, number, special
2. The user is retrying a previous password
3. The password is too new and not able to be changed.

To be honest, without seeing your policy it's tough to say.
0
 
LVL 2

Author Comment

by:irishmic33
ID: 39291384
This is a single dc network at this point.  This is the only policy applying to password complexity as far as I know.

DC Policy
0
 
LVL 4

Expert Comment

by:rajivkumar07
ID: 39291387
Error says -

1st - Either the user is using a password that he/she used before or it is just too similar.

2nd - password complexity - the password would look something like this -

W3lc0m31@2 < Complex password.

If you want to remove this complexity (be careful since this is from the built-in domain policy) -

Log into your domain controller, click Start, Administrative Tools, Domain Security Policy, and on the left you will see Account Policies. Click on it, then click on Password Policy, and disable "Password must meet complexity requirements" on the right.
0
 
LVL 2

Author Comment

by:irishmic33
ID: 39291391
A few guesses without seeing that.
1. The password is actually not complex upper, lower, number, special
2. The user is retrying a previous password
3. The password is too new and not able to be changed.

Hmm... possibly #2.  I'll test in a second.
Hmm... also #3, as we're attempting multiple times.
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 39291398
The password policy should be set at the default domain policy not the default domain controllers policy also.
0
 
LVL 2

Author Comment

by:irishmic33
ID: 39291405
Hmm... possibly #2.  I'll test in a second.
no, even complex "new" passwords bring the same error.
0
 
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 39291411
You must be having default domain policy ..can you post snap of it...as per above policy defined, users should be able to use any password they want
0
 
LVL 2

Author Comment

by:irishmic33
ID: 39291418
Just added the password complexity settings to "Default Domain Policy"...

... gpupdate /force  on host...

rebooting...
0
 
LVL 2

Author Comment

by:irishmic33
ID: 39291421
Just added the password complexity settings to "Default Domain Policy"...

... gpupdate /force  on host...

rebooting...

Nope... same result... posting Default Domain Policy in a second.
0
 
LVL 2

Author Comment

by:irishmic33
ID: 39291436
Default Domain: (blurry due to image reduction...)
Default Domain Policy
0
 
LVL 35

Accepted Solution

by:
Joseph Daly earned 250 total points
ID: 39291483
So here is my recommendation before we get too far ahead of ourselves.

1. Remove the password policy settings from the default domain controller policy
2. Add the settings to the default domain policy. The password policy should only be set in one place and the default domain policy is where MS recommends it.
3. Once you have done this make sure the computer and user is in an OU where the policy will apply to them.
4. Restart the affected computer, I would actually recommend rebooting it twice.
5. Try changing the password again.
0
 
LVL 2

Author Comment

by:irishmic33
ID: 39291551
Performed following steps:
1. Removed password policy setting from DC policy.
2. Added password policy setting from Default Policy.
3. Default Domain Policy is listed at root.
4. gpupdate /force was run on DC
5. gpupdate /force was run on workstation
6. workstation shutdown
7. DC rebooted
8. workstation started

...... Same issue.

Default Policy, DC Policy, GPO Tree
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 39291569
Ok one last thing to try. Try setting minimum length to something above 0 say like 5.

Also run a gpresult to make sure the policy is actually applying

Any errors on event log on client ?
0
 
LVL 2

Author Comment

by:irishmic33
ID: 39291623
Minimum password length = 5 characters
(no other changes)

- ran gpupdate /force on DC
- ran gpupdate /force on workstation
- rebooted workstation
- attempted password reset to something complex (5+ characters)

...Same Error...

I do not see any events in the standard (App, Security, System) logs.
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 39291629
How about gpresult and rsop?
0
 
LVL 2

Author Comment

by:irishmic33
ID: 39291638
Default Domain Policy is active and applied on the computer settings via gpresult -r.
0
 
LVL 2

Author Comment

by:irishmic33
ID: 39291651
confirmed rsop.msc is showing a listing of:

- 5 characters for minimum length
- Disabled "Password Complexity"
- Disabled "Store passwords using reversed"

All defined at "01-Default Domain Policy"
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 250 total points
ID: 39291660
Since you have disabled the password complexity policy (in the Default Domain policy & Domain Controller policy), it seems that "Minimum password age" is not set to 0 days, which may be preventing the user from changing the password. Check the same and set it to zero and see how it works.

similar thread Password Complixity Error:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/43dcbc5f-e7e4-4aff-8d16-fa82a69690bb/password-complixity-error-while-change-password-through-owa
0
 
LVL 2

Author Comment

by:irishmic33
ID: 39291880
Interesting, I'm out of the office, but this one seems the most logical.  I'll give it a run in the morning.

http://serverfault.com/questions/301811/users-cant-change-password-trough-owa-for-exchange-2010
0
 
LVL 2

Author Comment

by:irishmic33
ID: 39292840
Well, maybe just a fresh set of eyes worked.

I first set 0's on history, age, and length...   but unfortunately it brought back the same error.  So I just started guessing again and now these settings seemed to have cleared up the issue.  It even allows a reset back onto the same password...  

Working Settings
Weird...  but good enough for now.  Onto the next issues...

Thanks!
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39292843
Hi.

Again and again, people run into the same misunderstanding... let me quote:
1. Remove the password policy settings from the default domain controller policy
2. Add the settings to the default domain policy. The password policy should only be set in one place and the default domain policy is where MS recommends it.
3. Once you have done this make sure the computer and user is in an OU where the policy will apply to them.
4. Restart the affected computer, I would actually recommend rebooting it twice.
5. Try changing the password again.
1&2) Not necessary. The fact that MS recommends to use the DDP instead of the DDCP is true, but just because that way, not only domain accounts but also local accounts are forced to use complex passwords.
3) Not necessary as we are talking about a domain account - the domain account is governed at the DC, not at the client... that's why applying the policy to the client will have no effect at all.
Edit: ...and to the user? Never ever will computer configuration settings of policies apply to user objects.
4) Restarting has no effect.

@irishmic33:
You need to run rsop.msc on all domain controllers. Check the output to see if the settings got applied there - the client does not matter at all as we are talking about a domain account.
0
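
A scripted version of the checks discussed in this thread (the policy each domain controller reports, minimum password age, history, complexity), as an added example that is not part of any post above. It assumes the ActiveDirectory PowerShell module is available; the function names and the account name `jdoe` are placeholders.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory module
# (Server 2008 R2 or RSAT). Function names and 'jdoe' are placeholders.
Import-Module ActiveDirectory

# Password policy as each DC reports it. A row that differs from the others
# means the change has not replicated to that DC yet.
function Get-PasswordPolicyPerDC {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $p = Get-ADDefaultDomainPasswordPolicy -Server $dc.HostName
        New-Object PSObject -Property @{
            DC                   = $dc.HostName
            ComplexityEnabled    = $p.ComplexityEnabled
            MinPasswordLength    = $p.MinPasswordLength
            MinPasswordAge       = $p.MinPasswordAge
            PasswordHistoryCount = $p.PasswordHistoryCount
        }
    }
}

# Reasons a self-service password change for one account can be refused.
function Test-PasswordChangeBlockers {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    $policy = Get-ADDefaultDomainPasswordPolicy
    # A fine-grained password policy (PSO), when one applies, takes precedence.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) { $policy = $pso }

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties PasswordLastSet, CannotChangePassword

    if ($user.CannotChangePassword) {
        'Account is flagged "User cannot change password".'
    }
    if ($user.PasswordLastSet -and $policy.MinPasswordAge -gt [TimeSpan]::Zero) {
        $earliest = $user.PasswordLastSet + $policy.MinPasswordAge
        if ((Get-Date) -lt $earliest) {
            "Minimum password age not reached until $earliest."
        }
    }
    if ($policy.PasswordHistoryCount -gt 0) {
        "The last $($policy.PasswordHistoryCount) passwords are refused."
    }
    if ($policy.ComplexityEnabled) { 'Complexity requirements are enforced.' }
    "Minimum length enforced: $($policy.MinPasswordLength)"
}

Get-PasswordPolicyPerDC | Format-Table -AutoSize
Test-PasswordChangeBlockers -SamAccountName 'jdoe'
```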

Question has a verified solution.
