Windows domain - "forget" a single user's password history

My password policy on the domain enforces password complexity, minimum/maximum length, minimum/maximum age, and also password history.

Every once in a while, I have a user who forgets their password and I reset it for them to something temporary. But when this happens, they can't set it back to the original password they were using because of the password history.

Is there a way to tell Windows to clear a single domain user's password history?

Will Szymkowski (Senior Solution Architect) commented:
This cannot be done. The only thing you can do is create a PSO (fine-grained password policy) on a specific OU where the user account lives. From there it gives you the flexibility to create other password policies.

The catch is you need to be at a minimum 2008 forest/domain functional level.

See the link below for details on setting this up.



Mike Roe commented:
You cannot do this for one user unless you use third party software.

Here is a link to do it
ThinkPaper (IT Consultant) commented:
Spec01 is correct. You cannot do this for 2003, as you can only specify ONE password policy (at the default domain level). It is possible to set separate password policies if you have at least 2008.

Why are you allowing the user to reset password back to the same password anyways?

I believe what you COULD do is open Active Directory (under your admin) and click "reset password" for that user's account and have them change the password via Active Directory (versus having them change it upon logon). This should override the password history requirements. This, of course, would require the user to be physically accessible.
Sandeshdubey (Senior Server Engineer) commented:
You can have ONLY ONE password and account lockout policy in ANY 2003 AD domain! Windows Server 2008 introduces multiple password and account lockout policies through PSOs when the DFL is at least W2K8.
In Windows Server 2003 Active Directory domains, you could apply only one password policy, which is specified in the domain's Default Domain Policy, to all users in the domain.
Windows Server 2008 has Fine-Grained Password Policies, which provide organizations with a way to define different password policies for different sets of users in a domain. Here is a Step-by-Step Guide:
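The PSO route that Will Szymkowski and Sandeshdubey describe, worked through as an added PowerShell example (this is not code from the thread or from any of its posters). It makes the one affected user the subject of a temporary fine-grained password policy with a history count of 0, uses the admin reset that ThinkPaper mentions to set the temporary password, and then removes the exemption. Two caveats the posts do not spell out: a PSO is linked to users or global security groups, not to an OU, and the PSO must also set the minimum password age to zero, otherwise the user still cannot change the temporary password straight away. The user name `jsmith`, the PSO name `PSO-Temp-NoHistory` and the precedence value 10 are assumptions for illustration; the cmdlets are the standard ActiveDirectory module ones and need a 2008 or higher domain functional level.

```powershell
# Added example, not code from the original thread or from any of its posters.
# Temporarily exempts ONE domain user from password history by making that
# user the subject of a fine-grained password policy (PSO), lets the password
# be set back, then removes the exemption. Assumptions for illustration:
# user 'jsmith', PSO name 'PSO-Temp-NoHistory', precedence 10. Needs the
# ActiveDirectory RSAT module and a 2008+ domain functional level (DFL).
Import-Module ActiveDirectory

$User    = 'jsmith'               # assumed sAMAccountName of the affected user
$PsoName = 'PSO-Temp-NoHistory'   # assumed PSO name

function Assert-PsoCapableDomain {
    # PSOs only exist at the Windows Server 2008 DFL or higher.
    $tooOld = 'Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain'
    $mode = (Get-ADDomain).DomainMode.ToString()
    if ($tooOld -contains $mode) {
        throw "Domain functional level is $mode; fine-grained password policies need Windows2008Domain or higher."
    }
}

function New-NoHistoryPso {
    param([string]$Name, [int]$Precedence = 10)
    # Mirror the Default Domain Policy so the user keeps the same complexity,
    # length, maximum age and lockout rules; only history and minimum age
    # change. Minimum age must be zero or the user cannot change the
    # temporary password straight away (history 0 alone is not enough).
    $existing = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$Name'"
    if ($existing) { return $existing }
    $d = Get-ADDefaultDomainPasswordPolicy
    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence $Precedence `
        -PasswordHistoryCount 0 `
        -MinPasswordAge ([TimeSpan]::Zero) `
        -MaxPasswordAge $d.MaxPasswordAge `
        -MinPasswordLength $d.MinPasswordLength `
        -ComplexityEnabled $d.ComplexityEnabled `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold $d.LockoutThreshold `
        -LockoutDuration $d.LockoutDuration `
        -LockoutObservationWindow $d.LockoutObservationWindow `
        -PassThru
}

function Grant-HistoryExemption {
    param([string]$PsoName, [string]$SamAccountName)
    # A PSO is linked to users or global security groups, never to an OU.
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $SamAccountName
    # Verify the resultant policy really is this PSO (lowest precedence
    # number wins if several PSOs apply to the user).
    $rsop = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($rsop.Name -ne $PsoName -or $rsop.PasswordHistoryCount -ne 0) {
        throw "Resultant policy for $SamAccountName is '$($rsop.Name)' with history $($rsop.PasswordHistoryCount); another PSO may already apply."
    }
    $rsop
}

function Revoke-HistoryExemption {
    param([string]$PsoName, [string]$SamAccountName)
    # Drop the user back to the domain policy. The stored history itself is
    # not erased; enforcement simply resumes from the next password change.
    Remove-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $SamAccountName -Confirm:$false
}

# --- Procedure -------------------------------------------------------------
Assert-PsoCapableDomain
$pso = New-NoHistoryPso -Name $PsoName
Grant-HistoryExemption -PsoName $pso.Name -SamAccountName $User |
    Format-List Name, PasswordHistoryCount, MinPasswordAge

# Admin reset to a temporary password, as the question describes, then force
# a change at next logon. With history 0 and minimum age 0 in effect, the
# user can set the old password again.
$temp = Read-Host -AsSecureString -Prompt "Temporary password for $User"
Set-ADAccountPassword -Identity $User -Reset -NewPassword $temp
Set-ADUser -Identity $User -ChangePasswordAtLogon $true

# Once the user has changed their password, remove the exemption:
# Revoke-HistoryExemption -PsoName $PsoName -SamAccountName $User
```

Run the script as an account allowed to create PSOs (Domain Admins by default) against a single DC so that the Add and the resultant-policy check do not race replication. Leaving the user as a PSO subject longer than needed defeats the history policy for that account, so the revoke step is part of the procedure, not optional.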
Will Szymkowski (Senior Solution Architect) commented:
@ Sandeshdubey: Why repeat what i said in my first post?
Windows Server 2003