Domain password policy is 7 characters, cannot set to less than 10 when changing password on local machine
Tuesday, January 08, 2013 2:35 PM
I am supporting a remote location consisting of 2008R2 DC and 2008R2 servers, Win 7 workstations. The domain policy for passwords requires a minimum of 7 characters, "require password complexity" is turned on. The admin at the remote location is able to use 7-character passwords through AD users and computers. When a user attempts to change their password from a workstation or member server (either when prompted by the OS to change the password or else by Ctrl+Alt+Del -> change password), they are unable to enter a password that is less than 10 characters. The dlls in "Notification Packages" under HKLM\System\CurrentControlSet\Control\LSA are RASSFM and scecli. There is a separate domain at this same location that has the same setup, including same domain password policy, but that domain does not experience this problem. I noticed that RASSFM.dll in the domain that does not have problems is from 2009; it is from 2008 in the domain that has problems. Scecli.dll is from 2010 in the non-issue domain and 2009 in the domain that has problems.
My understanding is RASSFM.dll is used for remote authentication so I don't see how it could be affecting anything when a local user attempts to change their password.
I'm not sure how to go about solving this problem. Since the password can be set to 7 characters through the ADUC snap-in, it seems that that there is a separate password filter in use on the machines, but I don't see it anywhere. Any help is appreciated! Thank you!
Wednesday, January 09, 2013 6:12 AM
If all member machines on domain having issue, it seems like its not particular to single or sets of machines; Further more, you can change password through ADUC on DC. Have you tried running RSOP.msc with administrative account on domain member machine? I have seen this issue with Group Policy conflicts.
MCP, MCTS, MCSE 2003, MCITP 2008, MCSA 2012
Please help and appreciate others by using these features: "Propose As Answer", "Vote As Helpful" and "Mark As Answer"
This posting is provided 'AS IS' with no warranties or guarantees and confers no rights.
Wednesday, January 09, 2013 6:45 AM
Please type following command and check what’s the “minimum password length” has set on your local machine. If local machine and GPO does not match it means your GPO is not deploying properly on your machine.
Cmd - Net Accounts
Note: RDP users cannot change their passwords while accessing any RDP Apps directly. They have to login through “Remote Desktop Connection” and after that they are able to change their password according to GPO password length.
***** If the user machine is in different domain then the policy will not apply on his/her machine.
I hope above is the answer of your question.
If you have any further questions, feel free to write on this blog.
MD Disclaimer: The opinion expressed herein are my own knowledge. Deploy this at your own risk. Whenever you see a helpful reply, just click on “Propose As Answer” / “Marked As Answer” and do "VOTE".
Wednesday, January 09, 2013 1:25 PM
Hello, Pateljy -
thank you for responding. yes I have ran RSOP on a member machine and according to that the password length should be 7 characters. The site is aware that they can change the password through ADUC, but users need to be able to change their passwords from their workstation or a member server and the site prefers to keep a length of 7. I thought at first that maybe an additional password filter was being applied across the domain, but there is nothing in any group policies indicating this. That's why I decided to double-check the NotificationPackages reg key on one of the machines. Any other suggestions are much appreciated. thank you very much for your time.
Wednesday, January 09, 2013 1:28 PM
Hello, Mubasshir -
Thank you very much for your reply. The minimum password length on the machine is set to 7, which is why this is so puzzling. The users are not going in via RDP; they are logging onto the console session. I am beginning to wonder if I am not getting the "whole story" from the site because I can't think of anything else that would cause this type of issue....I will contact the manager again and see if I can get any more information.
thank you again!
- Marked As Answer by Andy QiMicrosoft Contingent Staff, Moderator Monday, January 21, 2013 3:11 AM