none
dcpromo.exe Administrator Password required error

    Question

  • I am running the Active Domain Services Installation Wizard on a brand new Windows 2008 box.  After the initial part completes, and I go on to run the dcpromo.exe wizard to promote the domain, I get the following error:  "The local Administrator account becomes the domain Administrator account when you create a new domain.  The new domain cannot be created because the local Administrator account password does not meet requirements.  Currently, a password is not required for the local Administrator account.  We recommend that you use the net user command-line tool with the /passwordreq:yes option to require a password for the account before you create the new domain; otherwise, a password will not be required for the domain Administrator account." 

    Following the advice in the message, I typed the following at the command prompt:  net user Administrator <ExistingComplexPassword> /passwordreq:yes.  The computer returned a successful completion message.  However, on re-attempting the dcpromo.exe execution, I got the same error message.  I tried uninstalling Active Domain Services, and restarting the computer (strangely, the password I had used previously, and typed at the comand prompt no longer would allow me to log in.  I was only able to log in by going in through a second account (which was a member of the Administrators Group).  I changed the password for the Administrator account, logged out, and back in under "Administrator," re-tried the net user command line, and then re-ran the Active Domain Services wizard.  Same result.  I then tried creating a brand new account, and making it a member of the Administrators Group.  I logged off, and attempted to once again run the wizard.  Same result.  I've searched technet, but none of the other posts on this topic seem helpful (other than the one that indicated that re-installing the server o/s resolved the problem).  It seems to me that there is something funny going on with that user account--is there a way to get "under the hood" to check for problems with it?  I've checked the password complexity requirements, and each password I've attempted to use meets them. 

    I've been fighting this long enough!  Help!
    Tuesday, September 23, 2008 4:02 AM

Answers

  • The password I was using met all of the above requirements.  Following your post, I tried re-setting the password to one that included an "!" and an "*" in addition to lowercase and uppercase alpha and numeric characters.  I then shut the computer down and re-started, and at the command prompt, typed the net user Administrator <password> /passwordreq:yes command.  Following this sequence, I again attempted to run dcpromo, and it worked!  I'm sure that each password I was using met the requirements (since I've changed it, I'll post the one I was using on my first effort--it was "GardenBuyer1".  It has uppercase, lowercase and numeric characters, and a sufficient number of characters, and no duplication of the username.  I'm sure it meets the posted criteria.)  I don't intend to experiment any further, but my guess is that I had never tried the net user command between the Active Domain Services install and the dcpromo wizard.  My recollection is that in each prior case, I had uninstalled ADS, then typed the command and started again to add the ADS role.  If my guess is correct, the key is to type the command after installing ADS, but before running dcpromo

    I'm afraid you don't get credit for solving my problem, but I'm happy that I'm able to move past it.  Now, if I can just set up Active Domain Services, I'll be great....

    Thanks!

    - Will
    Wednesday, September 24, 2008 4:17 AM

All replies

  •  Hi.

    When you run DCPROMO to promote a server to become the first Domain Controller for a new domain in a new forest, you end up with a domain which has the Default Domain Policy enabled.

    One of the settings in the Default Domain Policy is requiring passwords must meet complexity requirements. (Windows Server 2008 has this setting enabled by default as well since Release Candidates)  By default the Domain Administrator's password needs to comply with the Default Domain policy and the password of the local administrator account is used to populate the password field for the Domain Administrator.

    The password for your local account needs to meet the minimum password complexity:

    The password is at least six characters long.

    The password contains characters from three of the following four categories:

    English uppercase characters (from A through Z)
    English lowercase characters (from a through z)
    Base 10 digits (from 0 through 9)
    Non-alphanumeric characters (for example: !, $, #, or %)

    The password does not contain three or more characters from the user’s account name. If the account name is less than three characters long, this check is not performed because the rate at which passwords would be rejected would be too high. When checking against the user’s full name, several characters are treated as delimiters that separate the name into individual tokens: commas, periods, dashes, hyphens, underscores, spaces, number signs (#), and tab characters. Each token that is three or more characters long is searched for in the password, and if it is present, the password change is rejected. For example, the name “Erin M. Hagens” would be split into three tokens: “Erin,” “M,” and “Hagens.” Because the second token is only one character long, it would be ignored. Therefore this user could not have a password that included either “erin” or “hagens” as a substring anywhere in the password. None of these checks are case-sensitive.

    Tuesday, September 23, 2008 10:01 AM
    Moderator
  • The password I was using met all of the above requirements.  Following your post, I tried re-setting the password to one that included an "!" and an "*" in addition to lowercase and uppercase alpha and numeric characters.  I then shut the computer down and re-started, and at the command prompt, typed the net user Administrator <password> /passwordreq:yes command.  Following this sequence, I again attempted to run dcpromo, and it worked!  I'm sure that each password I was using met the requirements (since I've changed it, I'll post the one I was using on my first effort--it was "GardenBuyer1".  It has uppercase, lowercase and numeric characters, and a sufficient number of characters, and no duplication of the username.  I'm sure it meets the posted criteria.)  I don't intend to experiment any further, but my guess is that I had never tried the net user command between the Active Domain Services install and the dcpromo wizard.  My recollection is that in each prior case, I had uninstalled ADS, then typed the command and started again to add the ADS role.  If my guess is correct, the key is to type the command after installing ADS, but before running dcpromo

    I'm afraid you don't get credit for solving my problem, but I'm happy that I'm able to move past it.  Now, if I can just set up Active Domain Services, I'll be great....

    Thanks!

    - Will
    Wednesday, September 24, 2008 4:17 AM
  • Hi,

    Thanks for the info
    since i had the exact same problem and I'm was sure i was using a complex password : 1q2w#E$R5t
    I tried to change and re-change  for tens of time just to realize that this is merely a bug from MS.
    after hours of struggling and then finding your answer, I re-booted to a pre AD binaries ghost i made of the server.
    I run the command line, logged out and logged in the password (this time it did log-in)

    And everything worked, the Dcpromo process went smoothly

    So just to conclude, the line (net user Administrator password /passwordreq:yes )

    Should be implemented even before the AD binaries and the dcpromo command.

    have a great day

    danny

    • Proposed as answer by hagaon Saturday, October 18, 2008 2:06 PM
    • Edited by hagaon Saturday, October 18, 2008 2:10 PM
    Saturday, October 18, 2008 2:06 PM
  • Hi,

    Thanks for the info
    since i had the exact same problem and I'm was sure i was using a complex password : 1q2w#E$R5t
    I tried to change and re-change  for tens of time just to realize that this is merely a bug from MS.
    after hours of struggling and then finding your answer, I re-booted to a pre AD binaries ghost i made of the server.
    I run the command line, logged out and logged in the password (this time it did log-in)

    And everything worked, the Dcpromo process went smoothly

    So just to conclude, the line (net user Administrator password /passwordreq:yes )

    Should be implemented even before the AD binaries and the dcpromo command.

    have a great day

    danny


    Thanks Danny,

    Yoganandhan G Become a 2nd Bill Gates
    • Proposed as answer by Funashi Thursday, April 21, 2011 10:13 AM
    Sunday, April 03, 2011 10:43 PM
  • Run net user administrator <password> /passwordreq:yes before dc promo.exe is run or even before AD DS is Roled. Microsoft need to document this.

     

    Funashi Mwamba

    Thursday, April 21, 2011 10:18 AM
  • Thursday, May 26, 2011 4:35 PM
  • thanks  problem is solved

    Wednesday, April 25, 2012 11:13 AM
  • i have still face the problem im using following command

    net user Administrator 1q2w#E$R5tpasswordreq:yes

    plsss any body help me plssssssss 

    before i use this command i re install server 2008 r2 enterprise then use this command & when i run dcpromo command the same error

    "The local Administrator account becomes the domain Administrator account when you create a new domain.  The new domain cannot be created because the local Administrator account password does not meet requirements.  Currently, a password is not required for the local Administrator account.  We recommend that you use the net user command-line tool with the /passwordreq:yes option to require a password for the account before you create the new domain; otherwise, a password will not be required for the domain Administrator account." 

    plsss help me 

    • Edited by pal003 Saturday, July 28, 2012 7:39 AM
    • Proposed as answer by pal003 Thursday, August 30, 2012 11:49 AM
    Saturday, July 28, 2012 7:34 AM
  • windows server 2008 R2 de  dcpromo yazıp active directory ı kurmaya çalıştığınızda "yeni bir domain ve orman" oluştur dediğinizde size bir uyarı mesajı olarak "administrator şifrenizin kurulumundan sonra domain in administrator şifresi" olduğunu söyleyip şifre vermeniz gerektini söyleyen bir uyarı ile karşılaştığınızda  kendiniz denetim masasından kullanıcı hesaplarından administrator e  güçlü şifre vermenize rağmen (örnek güçlü şifre Sonerzeybek123.) AD hala uyarıyı alıyorsanız 

    başlat ı tıklayın arkasından cmd   yazın ve enter a basın arkasından komut satırına  

    net user Administrator Sonerzeybek123.  /passwordreq:yes

    yazıp enter layın.sonra cmd den çıkın. başlata dcproma yazıp enter layıp ad ı kurmaya çalıştığınızda sorunsuz bir şekilde domain oluşturma ekranına geleceksiniz.

    Not: güçlü şifre demek verdiğiniz şifrenin harf rakam ve özel karakterden oluşması anlamına gelir.

    Thursday, November 15, 2012 11:34 PM
  • Yea it is working smoothly.. thanks for the info.
    Thursday, December 05, 2013 6:00 PM
  • thank's

    Friday, January 24, 2014 6:21 AM
  • thank's a lot

    Friday, April 25, 2014 11:27 AM
  • Thursday, May 22, 2014 4:34 PM
  • Run net user administrator <the new password you want to use> /passwordreq:yes before dc promo.exe is run or even before AD DS is Roled. Microsoft need to document this.
    Friday, August 01, 2014 8:17 PM