
Users Cannot Change Password

OTS_Tech asked
This is a brand new domain, I just set it up on a brand new server. The computers were previously in a Workgroup, peer to peer environment. All the computers have been added to the domain without issue but nobody can change their password. I have read through several possible solutions, there are no additional group policies, they are working off the default that has the minimum password age to be 1 day but it's now far past a day that they've been working within these accounts and they still cannot change their passwords. They get a message that they are failing to meet the requirements and it lists out password length, complexity, repeating old passwords, etc. I have tried passwords that I know fit the criteria but it doesn't work. I created a test account and tried to set it to need its password changed at first logon. It prompted and let me change it, then it said that the login method was not allowed. I was on the server because that's the system I have remote access to. I don't want to end up locking the users out of their accounts if I check the change password box within their accounts. Thoughts or ideas?

Jeremy Weisinger, Senior Network Consultant / Engineer

Can you post the password policy settings?


Yes, see attached...
Jeremy Weisinger, Senior Network Consultant / Engineer
The test user error is probably because it didn't have rights on the server.

Can you give an example of a password that you think should work and doesn't? NOTE!!! If you post that information you can never use it or anything like it again! So if you don't want to post that info I understand.

A few things to check would be:
- Make sure "User cannot change password" is unchecked in the user properties
- Make sure there is no part of the user's name in the password they are trying to set
- Make sure the password is long enough
- Make sure the password has all the necessary character types.

For testing, you could use Password1
That meets all the complexity requirements (but is a terrible password and should be changed immediately)

Note that as the administrator, you can test out the password complexity from the server. And you can also override the minimum age requirement if you set the password from the server in Active Directory Users and Computers.
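
The checks listed above, combined into one function that returns every reason a user's own password change would be refused. This is an added example, not part of the original thread. The policy values are assumed Default Domain Policy defaults (the attached policy is not shown on the page), the account names are constructed, and the category test follows the documented "three of five character categories" complexity rule.

```python
import re
from datetime import datetime, timedelta

# Assumed Default Domain Policy defaults; the thread only states the 1-day age.
MIN_LENGTH = 7
MIN_AGE = timedelta(days=1)
SPECIAL = "~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/"

def name_tokens(sam, display_name):
    """Strings the complexity filter must not find inside the password."""
    tokens = [sam] if len(sam) >= 3 else []      # account name is checked whole
    # Display name is split on , . - _ space # tab; short tokens are ignored.
    tokens += [t for t in re.split(r"[,.\-_ #\t]+", display_name) if len(t) >= 3]
    return [t.lower() for t in tokens]

def category_count(password):
    """Number of character categories present (the rule requires three)."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c in "0123456789" for c in password),
        any(c in SPECIAL for c in password),
        any(c.isalpha() and not (c.isupper() or c.islower()) for c in password),
    ])

def change_blockers(password, sam, display_name, cannot_change, last_set, now):
    """Return every reason a user's own password change would be refused."""
    reasons = []
    if cannot_change:
        reasons.append("'User cannot change password' is checked")
    # last_set=None models pwdLastSet = 0 ("must change at next logon").
    if last_set is not None and now - last_set < MIN_AGE:
        reasons.append("minimum password age not reached")
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than minimum length")
    if category_count(password) < 3:
        reasons.append("fewer than three character categories")
    hits = [t for t in name_tokens(sam, display_name) if t in password.lower()]
    if hits:
        reasons.append("contains part of the user's name: " + ", ".join(hits))
    return reasons

if __name__ == "__main__":
    now = datetime(2024, 1, 10, 9, 0)            # constructed sample values
    for pw in ("Eos@Wt4m", "Password1", "Jane2024", "abcdefgh"):
        print(pw, change_blockers(pw, "jdoe", "Jane Doe", False,
                                  now - timedelta(hours=2), now))
```

An account whose password an administrator set less than one day ago reports the minimum-age blocker even for a password that passes every complexity test.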



My passwords are always something off the wall, but I'm sure it doesn't contain an actual word, is at least 8 characters, has both an upper and lower case letter, and a special character.  I might use something like: Eos@Wt4m

It should be accepted.  They told me the passwords they were trying and they also should be accepted.  We need them to be able to change their own passwords ultimately.

Thank you.
Jeremy Weisinger, Senior Network Consultant / Engineer
That does look like it meets all the requirements.

1. Can you run gpresult /h %userprofile%\Desktop\gpresult.htm on the domain controller and verify the password policy that is being applied?
2. Can you verify that the users are logging on with domain accounts and not local accounts?


Hi Jeremy,

I ran that command and it did return the same information, stating the Winning GPO is the Default Domain Policy throughout the Account/Password Policy section.  I've created no other policies.

I'm sure they are logged into the domain because I personally tried it at a workstation that I logged the user in myself.  I had created the account previously but the user hadn't logged in yet so I logged them in to get them logged in properly then tried to change the password.  

When I had read up on this I was sure it was going to be a minimum age issue based on what I found and then I found that the minimum age is 1 day.  Is there any possibility that something isn't talking properly within the domain?  I don't know what to check for that, for example if for some reason AD isn't communicating properly with the Group Policy so the result is this.

Thank you,
Tech Lead
Just for testing please create a new Test OU on the server without Group Policy and put Windows 7 computers in this new OU. And check whether the computers are affected by Domain policy or not.

There must be only one password policy applied, and it must be applied at the domain level. If you have a GPO with Policy settings linked to an OU, the policy is valid, but it will not apply to the user objects stored in that OU.  Password Policies are stored within the Computer Configuration of a GPO.  Therefore, a password policy would be applied to computer objects.  If you link it to an OU, the local accounts defined on the computers within the OU will be affected.

Now with AD 2008, you can also create Fine Grained Password Policies which supplement the domain password policy and you are able to target users and groups.

How to Implementing a Password Policy

How to Troubleshooting Password Policy Issues

How to force all users to change their Active Directory password at next logon

Check a few more suggestions here: https://serverfault.com/questions/826530/user-cant-change-password-due-to-complexity

Hope this helps!
E A, Tech Lead

Please post back if you have any queries.


In the end, I set their Group Policies as they needed to be set.  I then went to each profile and forced them to change their password at their next logon.  This resolved the issue.  I'm not sure if the new group policies resolved the issue or just forcing them to change their passwords cleared whatever issue was holding them back.