Link to home
Start Free TrialLog in
Avatar of Thomas NZ
Thomas NZFlag for New Zealand

asked on

Unable to reset user passwords to longer than 16 Characters on 2016 Domain Controller

Hello Experts. I have encountered an odd issue with one of our Client sites.

Site information:
Azure AD connect is being used to sync accounts. Password writeback is enabled.
Windows Server 2016 Standard is in use
Shown Below is the password complexity settings in use at site. There is just 1 GPO that defines these settings and it is the Default Domain Policy.

Azure AD connect was recently reinstalled and updated to the latest version:

This issue can be seen by right clicking on any user account and selecting reset password within Active Directory. This issue is not a result of minimum password age being 1 instead of 0.

Example. Trying to reset any user password to Turning45Forks$@1 or Counting45Spoons#$ fails. However right click reset password to: Counting45 works without any issue. Further testing revealed that I was unable to set any password longer than 16 characters. 

I have checked on 2 other clients sites with similar setup. (ADSync and password complexity enabled) - I had no issues with setting passwords over 16 characters. Scratching my head a bit on this one, so coming here to ask the experts. Any assistance, greatly appreciated. Thanks in advance.
User generated image

Avatar of Jackie Man
Jackie Man
Flag of Hong Kong image

Have you updated your Azure AD Connect?

16 character password limit is from the old Azure AD Password Protection.
Avatar of Thomas NZ


Yes, I did recently reinstall and update Microsoft Azure AD connect. The latest version has been installed:
What was interesting and frustrating is that while completing the reinstallation of Azure AD connect (The reinstall was completed because password hash sync was failing to work) During the installation - The installation Wizard for Azure AD connect was unable to automatically create an ADSync service account that met password complexity requirements. I had to manually configure the ADSync service account. 
Avatar of Jackie Man
Jackie Man
Flag of Hong Kong image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Thank you. I think you may well be right on this. My concern is that I will encounter the same issue that I experienced last time after uninstalling / reinstalled Azure AD connect.

Error received was: Unable to install the Synchronization Service. Azure AD Connect is not able to create a password which satisfies the current password policy. We recommend you perform a custom installation and specify your own ADSYnc service account.

This is why I completed a custom install with an ADSync account specified. Any suggestions if I receive this again? 
This issue was resolved by making adjustments on the default domain policy to adjust password rules.
I set the 1 to a 0.