Unable to change password using Start > Windows Security > Change a password

When I try to change my password using Start >  Windows Security > Change a password, I always get the error "Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain." I get this error no matter how unique and/or complex the password is.

On the other hand, if the Domain Administrator uses Active Directory Users and Computers to set my account to "User must change password at next logon", I can then set it to a new password, including passwords rejected by the Windows Security/Change Password mechanism. Why?

Windows 7 in Active Directory Domain.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Muhammad BurhanManager I.T.Commented:
Open Group Policy Management on Domain Controller and edit Default Domain Policy
Computer Configuration > windows settings > security settings > Account policy > Password Policy
edit 'password must meet complexity requirements' select Disabled
Andrej PirmanCommented:
Muhammad explained where you change those settings on Domain Controller's Group Policy.
Your issue is most probably due to setting in Group Policy, which does not allow PREVIOUS passwords to be re-used, regardless of their complexity (something like "Number of passwords remembered").
If you still want complex password requirements, you can just lower the mentioned setting from default 24 or 48 to something more human, like 2, which would allow you to cycle through 3 different passwords.
...or disable this setting, so you can re-type your existing password once it expires.
Regardless of what has been said before: you should not see that behavior. No matter where you change it, the complexity requirements would be the same, so this is a defect or bug. It is not seen normally, so there's something wrong on your win7 machine.

Do a test, try and change the password the most common way: ctrl-alt-del ->change password
Does that work as expected?
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

In the Active Directory Users and Computers utility, make sure the "User cannot change password" option isn't activated.
MarkAuthor Commented:
Do a test, try and change the password the most common way: ctrl-alt-del ->change password  Does that work as expected?
This brought up the same page that I got with Start > Windows Security, and not surprisingly, I got the same "Unable to update the password ...". The attempted password is defininely, long, complex and never used. I suppose that users have only changed their password when expired or when the Admin (me) sets it to require password change at next login. No one apparently has tried CTL-ALT-DEL for a while.

So, should I be looking at those policies now?

In the Active Directory Users and Computers utility, make sure the "User cannot change password" option isn't activated.
Not checked.

When I have a weird problem I tend to do a lot of tests to find out more about it. That's why I recommend the following: download this tool passwd
And use it to change the password on the command line. What does it say, does it succeed?
MarkAuthor Commented:
Did that. I get the error: "The password is shorter than required".

Here's the password I tried: $123456_abcdef_HIJKLM

doesn't look too short to me.

Note that if I enter the wrong "old" (current) AD password I get the error "The specified network password is not correct", so it does appear to be validating that part correctly. BTW, the current working password is only 8 characters long.
MarkAuthor Commented:
More info ... Per Muhammad Burhan's and Andrej Pirman's suggestion, I checked out the specified Policy. All policy settings were "Not Defined", but examining their "Explain" tabs showed the usual defaults. Nevertheless, I enabled the "Minimum password length Properties" and set the "Password must be at least ..." to 7. I then ran the same test as above using the passwd program. Got the same error, "The password is shorter than required".

Not having much luck here! But, sometimes it takes a while for these policies to actually take effect. I'll try again tomorrow.
passwd might have the logic to tell you there's something wrong, but I doubt that it will be able to tell you what. I just tested here and passwd throws that length error whenever any complexity setting is not met, sorry.

This is really weird stuff. Did you try to change that user's password on another machine? Do that.
MarkAuthor Commented:
Did you try to change that user's password on another machine? Do that.
Well, you're not gonna believe this ... I logged onto another workstation in to domain, and WAS able to change the password!!!! Now, the question is, was I able to change it because I was on a different workstation, or because I explicitly set the min-length policy property and the policy finally "took" by the time I tried this today? Unfortunately, I did not try changing the password on the same/usual workstation before trying on another workstation.

So, I have meanwhile set the min-password-change policy attribute to 0 days and I will try changing the password on the usual workstation tomorrow (after I'm sure the policies have updated). Stay tooned!
MarkAuthor Commented:
Next day ... Yes, I was able to change the password with CTL-ALT-DEL. Again, I picked a definitely never used password.

My conclusion is that the culprit was the "Minimum Password Age" policy setting the whole time. As with your (McKnife's) comment on the error message passwd gives you, The Windows password changing function gives a totally bogus message. In all cases it says,  "The password is shorter than required", regardless of the error. Except, when I forgot to enter the new password I got the message, "There is not credential server available" or something to that effect, which is of course also bogus. Is this a Microsoft security measure? It would have saved me days of messing around if the message had said, "Cannot change password for x days." Sheesh!

Problem is solved, but I'll leave open a bit longer for any parting comments.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Misleading error message are seen quite regularly in windows, nearly as often as non-sensical ones like "an unexpected error has occured"
Your problem description could have included the fact that you already had changed the pw within a short time span ago, couldn't it? Always include all info you have. Well, congrats on finding it. ;-)
MarkAuthor Commented:
Your problem description could have included the fact that you already had changed the pw within a short time span ago
Well, yes, but on the other hand if it had occurred to me to write that in the problem description it probably would have also occurred to me what the problem was! I would change the password using the Admin tools (RSAT/samba-tool), then try to change as the user -- which I could if the Admin settings was "change password at next login". I totally didn't even think about the minimun pw change time until I actually looked at the policy settings per Muhammad Burhan's post. Still, and to repeat, if Microsoft had made the message read, "too soon to change" instead of "password too short" it would have saved us all a lot of time and effort.
Sure, MS and their messages...
Just a note for you: using RSAT, you don't change the password but you reset it. Changing it will always require to know the old password, while resetting does not. So for changing, the rule "min pw age" is applied, while for resetting, it is not, we admins can reset it anytime we like.
MarkAuthor Commented:
I figured out the problem, but thanks to Muhammed for putting me on the right track and to McKnife for the passwd utility and additional testing ideas.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.