Users Cannot Change Password

This is a brand new domain, I just set it up on a brand new server.  The computers were previously in a Workgroup, peer to peer environment.  All the computers have been added to the domain without issue but nobody can change their password.  I have read through several possible solutions, there are no additional group policies, they are working off the default that has the minimum password age to be 1 day but it's now far past a day that they've been working within these accounts and they still cannot change their passwords.  They get a message that they are failing to meet the requirements and it lists out password length, complexity, repeating old passwords, etc.  I have tried passwords that I know fit the criteria but it doesn't work.  I created a test account and tried to set it to need its password changed at first logon.  It prompted and let me change it, then it said that the login method was not allowed.  I was on the server because that's the system I have remote access to.  I don't want to end up locking the users out of their accounts if I check the change password box within their accounts.  Thoughts or ideas?
Asked by: OTS_Tech
Jeremy Weisinger (Senior Network Consultant / Engineer) commented:
Can you post the password policy settings?
OTS_Tech (Author) commented:
Yes, see attached...
Capture.JPG
Jeremy Weisinger (Senior Network Consultant / Engineer) commented:
The test user error is probably because it didn't have rights on the server.

Can you give an example of a password that you think should work and doesn't? NOTE!!! If you post that information you can never use it or anything like it again! So if you don't want to post that info I understand.

A few things to check would be:
- Make sure "User cannot change password" is unchecked in the user properties
- Make sure there is no part of the user's name in the password they are trying to set
- Make sure the password is long enough
- Make sure the password has all the necessary character types.

For testing, you could use Password1
That meets all the complexity requirements (but is a terrible password and should be changed immediately)

Note that as the administrator, you can test out the password complexity from the server. And you can also override the minimum age requirement if you set the password from the server in Active Directory Users and Computers.
OTS_Tech (Author) commented:
Jeremy,

My passwords are always something off the wall, but I'm sure it doesn't contain an actual word, is at least 8 characters, has both an upper and lower case letter, and a special character.  I might use something like: Eos@Wt4m

It should be accepted.  They told me the passwords they were trying and they also should be accepted.  We need them to be able to change their own passwords ultimately.

Thank you.
Jeremy Weisinger (Senior Network Consultant / Engineer) commented:
That does look like it meets all the requirements.

1. Can you run gpresult /h %userprofile%\Desktop\gpresult.htm on the domain controller and verify the password policy that is being applied?
2. Can you verify that the users are logging on with domain accounts and not local accounts?
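The checks discussed in this thread (length, name fragments, character types, minimum age), as an added example that is not part of any participant's post. It reimplements the documented Active Directory complexity rule offline in Python; the function names, the sample user "jsmith" / "John Smith" and the 8-character minimum are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

_DELIMS = r"[,.\-_ #\t]+"  # delimiters used to split displayName into tokens
_SPECIALS = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")

def complexity_failures(password, sam_account_name, display_name, min_length=7):
    """Return the reasons a password would be refused; an empty list means it passes.

    min_length is an assumption here: read the real value from the applied policy.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    lowered = password.lower()
    # samAccountName is checked whole, and only when it is 3+ characters long.
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        reasons.append("contains account name")
    # displayName is split on delimiters; only tokens of 3+ characters are checked.
    for token in re.split(_DELIMS, display_name):
        if len(token) >= 3 and token.lower() in lowered:
            reasons.append("contains name token: " + token)
    categories = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c in "0123456789" for c in password),
        any(c in _SPECIALS for c in password),
        # Alphabetic characters that have no upper or lower case.
        any(c.isalpha() and not c.isupper() and not c.islower() for c in password),
    ]
    if sum(categories) < 3:
        reasons.append("fewer than 3 character categories")
    return reasons

def min_age_blocks_change(pwd_last_set, now, min_age=timedelta(days=1)):
    """True while a user-initiated change is still inside the minimum password age."""
    return now - pwd_last_set < min_age

if __name__ == "__main__":
    # Constructed sample user; not an account from the thread.
    for pw in ("Password1", "Eos@Wt4m", "Smith2024!", "password"):
        print(pw, complexity_failures(pw, "jsmith", "John Smith", min_length=8))
    changed = datetime(2024, 1, 1, 9, 0)
    print(min_age_blocks_change(changed, datetime(2024, 1, 1, 17, 0)))
```

With an 8-character minimum, both passwords quoted in the thread return no failures, while a password containing a token of the display name is refused even though it has four character types.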
OTS_Tech (Author) commented:
Hi Jeremy,

I ran that command and it did return the same information, stating the Winning GPO is the Default Domain Policy throughout the Account/Password Policy section.  I've created no other policies.

I'm sure they are logged into the domain because I personally tried it at a workstation that I logged the user in myself.  I had created the account previously but the user hadn't logged in yet so I logged them in to get them logged in properly then tried to change the password.  

When I had read up on this I was sure it was going to be a minimum age issue based on what I found and then I found that the minimum age is 1 day.  Is there any possibility that something isn't talking properly within the domain?  I don't know what to check for that, for example if for some reason AD isn't communicating properly with the Group Policy so the result is this.

Thank you,
Beth
Ajit Singh commented:
Just for testing please create a new Test OU on the server without Group Policy and put Windows 7 computers in this new OU. And check whether the computers are affected by Domain policy or not.

There must be only one password policy applied, and it must be applied at the domain level. If you have a GPO with Policy settings linked to an OU, the policy is valid, but it will not apply to the user objects stored in that OU.  Password Policies are stored within the Computer Configuration of a GPO.  Therefore, a password policy would be applied to computer objects.  If you link it to an OU, the local accounts defined on the computers within the OU will be affected.

Now with AD 2008, you can also create Fine Grained Password Policies which supplement the domain password policy and you are able to target users and groups.

How to implement a password policy
http://www.itgeared.com/articles/1013-how-to-implement-active-directory/

How to troubleshoot password policy issues
http://www.itgeared.com/articles/1014-how-to-troubleshoot-active-directory/

How to force all users to change their Active Directory password at next logon
http://expert-advice.org/active-directory/force-users-change-active-directory-password-next-logon/

Check a few more suggestions here: https://serverfault.com/questions/826530/user-cant-change-password-due-to-complexity

Hope this helps!

Ajit Singh commented:
Please post back if you have any query.
OTS_Tech (Author) commented:
In the end, I set their Group Policies as they needed to be set.  I then went to each profile and forced them to change their password at their next logon.  This resolved the issue.  I'm not sure if the new group policies resolved the issue or just forcing them to change their passwords cleared whatever issue was holding them back.