Password Policy Issue
I have 2 users who all of a sudden can't change their passwords. They get the message that the password they are attempting to use does not meet complexity. Issue one, we have complexity turned off with our domain policy....and two, I have made up passwords that far surpass the complexity requirements and they still get the message. We've tried on different computers with no luck. I can change their password myself with no issues in AD.
Has anyone seen anything like this before?
Thanks in advance for any suggestions.
Have you got age restrictions on the password?
Anything common between the two, that isn't common for others?
The Domain Policy Age Restriction is 45 days. I have looked at these two and see nothing of any difference between them and all other users. Two different locations, two different OUs...heck, one is a computer teacher and the other a shop teacher!
The only common scenario is both gave their username and passwords to another teacher to use....then wanted to change the passwords to "new" passwords when the teachers were finished.
Have they tried changing it on another machine? Run RSOP.msc and have a look at how the policy is being applied to their teacher computers.
Yes, we have tried other machines...with no luck. All looked "ok" when running gpresult but I will take another look.
You do not mention what age restriction you have enabled.
Someone correct me if I'm wrong;
If the minimum password is set to 45 days, the user cannot change their password within 45 days of its last change.
Many of our teachers' passwords expired over the summer and they are forced to change them when they come back. If this is your case then the teacher recently changed their password and cannot change it until the 45 days are up.
However I would think that after an admin changed it and set must change password the user should be able to set their own, unless you have password history turned on.
I will have to look up the tool tomorrow but there is a great dll you can register to give an extra info tab in AD with password last set, expiry date, last bad log on etc. Of course you can see all these easily with the attribute editor now. Nevertheless it is good info to look at when troubleshooting something like this.
Finally we had a teacher that could not remember their password, so we set it to
You could set it to
and set not allowed to change password.
Thanks for the continued responses.
I mentioned the max above but currently I have things set as below:
Enforce password history: 2 remembered
Max age: 45 days
Min age: 1 day
Minimum length: 5 characters
Complexity and Encryption disabled
The way I understand, and please correct me if I am wrong, that the 45 day setting meant that a password was good until 45 days expire...then it had to be changed. Not that it couldn't be changed before 45 days. With the minimum age being 1 day, it should be able to be changed the next day. I was thinking more on the lines of Group Policy not being applied correctly.....
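A way to check the settings discussed in this thread against a specific account, added here as an example and not posted by any participant: it reads the policy that actually applies to the user and the time the password was last set, then computes the earliest moment the minimum age allows a user-initiated change. It assumes the RSAT ActiveDirectory PowerShell module is installed; the function name and the account names `teacher1` and `teacher2` are placeholders.

```powershell
# Added example; requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-PasswordChangeStatus {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $domainPolicy = Get-ADDefaultDomainPasswordPolicy
    $user = Get-ADUser -Identity $SamAccountName `
        -Properties PasswordLastSet, CannotChangePassword

    # If a fine-grained password policy applies to this user it takes
    # precedence over the domain policy; the cmdlet returns nothing otherwise.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    $effective = if ($pso) { $pso } else { $domainPolicy }
    $source = if ($pso) { "Fine-grained policy: $($pso.Name)" } else { 'Default domain policy' }

    # PasswordLastSet is empty when the account is flagged "must change at
    # next logon", so there is no last-set time to measure minimum age from.
    $earliest = if ($user.PasswordLastSet) { $user.PasswordLastSet + $effective.MinPasswordAge } else { $null }
    $blockedByMinAge = ($null -ne $earliest) -and ((Get-Date) -lt $earliest)

    [pscustomobject]@{
        User                 = $user.SamAccountName
        PolicySource         = $source
        ComplexityEnabled    = $effective.ComplexityEnabled
        MinPasswordLength    = $effective.MinPasswordLength
        PasswordHistoryCount = $effective.PasswordHistoryCount
        MinPasswordAge       = $effective.MinPasswordAge
        MaxPasswordAge       = $effective.MaxPasswordAge
        PasswordLastSet      = $user.PasswordLastSet
        EarliestUserChange   = $earliest
        BlockedByMinAgeNow   = $blockedByMinAge
        CannotChangePassword = $user.CannotChangePassword
    }
}

# Placeholder account names; substitute the two affected users.
'teacher1', 'teacher2' |
    ForEach-Object { Get-PasswordChangeStatus -SamAccountName $_ } |
    Format-List
```

Comparing `PasswordLastSet` with the time of the failed attempt shows whether the change was tried inside the minimum-age window, and `PolicySource` shows whether the values listed above are the ones in force for that account.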