Password Policy does not apply in user PCs

    Question

  • Dear all,

    I did not set up the group policy in my domain controller. But when I press "Ctrl + Alt + Del" and change my password, the system shows me "Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain". I've tried to disable the Password complexity in domain controller but the problem still persists. Can anyone help me in this matter?



    • Edited by SzeYin Monday, November 23, 2015 8:47 AM
    Monday, November 23, 2015 8:40 AM

Answers

  • I mean disable the specific policy setting of "Password must meet complexity requirements" in the Default Domain Policy Object, not the GPO itself.
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    • Marked as answer by SzeYin Wednesday, December 09, 2015 6:44 AM
    Tuesday, December 01, 2015 3:17 AM
    Moderator

All replies

  • Test resulting policy on client computer. Seems like there is no change of policy and default domain policy applies.

    Apply any change of GPO you are doing, some GPO needs logoff/logon and some restart and some will need gpupdate /force

    M.

    Monday, November 23, 2015 10:31 AM
  • > Test resulting policy on client computer. Seems like there is no change of policy and default domain policy applies.
    >
    > Apply any change of GPO you are doing, some GPO needs logoff/logon and some restart and some will need gpupdate /force
    >
    > M.

    The policy for password complexity only needs gpupdate /force, doesn't it?

    I have tried on a few user PCs but the result is the same.

    Is there any other possibility which will cause this problem?

    Monday, November 23, 2015 7:41 PM
  • The important password policy settings are those which are applied to your DC, because it is the DC which enforces domain password policy; it is not the client computer which enforces domain password policy.

    Although it is common practice to set domain password policy within the DDP, it *can* be done in other ways (so you must check for all policies applied to your DC's).

    Are there any other domain policy objects being applied *to* your DC's ?

    At the client machine, you can use gpresult /h somefile.html
    This will output the RSoP into somefile.html, open that file with a browser to examine the complete policy set.


    Don [doesn't work for MSFT, and they're probably glad about that ;]


    • Edited by DonPick Monday, November 23, 2015 8:42 PM
    Monday, November 23, 2015 8:40 PM
  • Hi SzeYin,

    Most likely the issue you are experiencing is that you cannot change the password because you have already changed your password today and the Minimum Password Age is set to 1. That is, you cannot change your password more than once a day.

    Check other GPO's linked to the root of your domain for these password policies.

    Good Luck!

    Shane

    Monday, November 23, 2015 8:44 PM
  • > The important password policy settings are those which are applied to your DC, because it is the DC which enforces domain password policy; it is not the client computer which enforces domain password policy.
    >
    > Although it is common practice to set domain password policy within the DDP, it *can* be done in other ways (so you must check for all policies applied to your DC's).
    >
    > Are there any other domain policy objects being applied *to* your DC's ?
    >
    > At the client machine, you can use gpresult /h somefile.html
    > This will output the RSoP into somefile.html, open that file with a browser to examine the complete policy set.
    >
    > Don [doesn't work for MSFT, and they're probably glad about that ;]

    The last screenshot that I posted is the group policy that I set in my domain controller and the 1st-3rd screenshots are from my PC. From my PC, I used RSoP to check, and those password policies on my PC show "Not Configured".
    Monday, November 23, 2015 8:49 PM
  • > Hi SzeYin,
    >
    > Most likely the issue you are experiencing is that you cannot change the password because you have already changed your password today and the Minimum Password Age is set to 1. That is, you cannot change your password more than once a day.
    >
    > Check other GPO's linked to the root of your domain for these password policies.
    >
    > Good Luck!
    >
    > Shane

    Hi Shane, thanks for your reply.

    I did not change my PC password at all.

    I tested a few PCs and they are facing the same problem too.

    Monday, November 23, 2015 8:50 PM
  • > The last screenshot that I posted is the group policy that I set in my domain controller and the 1st-3rd screenshots are from my PC. From my PC, I used RSoP to check, and those password policies on my PC show "Not Configured".

    Yes, I understand, but that is not the correct diagnostic step, and not what I suggested.

    RSoP at the client machine is not relevant, because for domain password policy, you are needing to verify the RSoP *applied* on the DC, not at the client.
    GPMC/RSoP doesn't show you all the same information, compared to gpresult at the targeted machine (the DC).


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Tuesday, November 24, 2015 7:22 AM
  • Shedding some light into that question...
     > I did not setup the group policy in my domain controller. But when I
    > press "Ctrl + Alt + Del" and change my password, the system shows me
    > "Unable to update the password. The value provided for the new password
    > does not meet the length, complexity, or history requirements of the
    > domain". I've tried to disable the Password complexity in domain
    > controller but the problem still persist. Can anyone helps me in this
    > matter?
     
    1. If you configure password policies at domain level, ONLY the PDC
    emulator will apply them.
     
    2. The PDC emulator is the only computer in the whole network that will
    process password policies linked to the domain. And it will only process
    password policies linked to the domain, not anywhere else ("Domain
    Controllers" OU, for example).
     
    3. Any other DC will not process password policies regardless of where
    they are linked.
     
    4. Any other computer will not process password policies that are linked
    to the domain. It will only process password policies that are linked to
    its OU or one of its parents.
     
    5. "net accounts" is legacy - it doesn't know about complexity, so it
    will not show whether complexity is enabled or disabled. To verify the
    effective setting, create a RSoP report on the PDC emulator ("gpresult
    /h report.html" from an elevated commandline).
     
    Tuesday, November 24, 2015 11:04 AM
  • > Shedding some light into that question...
    > > I did not setup the group policy in my domain controller. But when I
    > > press "Ctrl + Alt + Del" and change my password, the system shows me
    > > "Unable to update the password. The value provided for the new password
    > > does not meet the length, complexity, or history requirements of the
    > > domain". I've tried to disable the Password complexity in domain
    > > controller but the problem still persist. Can anyone helps me in this
    > > matter?
    >
    > 1. If you configure password policies at domain level, ONLY the PDC
    > emulator will apply them.
    >
    > 2. The PDC emulator is the only computer in the whole network that will
    > process password policies linked to the domain. And it will only process
    > password policies linked to the domain, not anywhere else ("Domain
    > Controllers" OU, for example).
    >
    > 3. Any other DC will not process password policies regardless of where
    > they are linked.
    >
    > 4. Any other computer will not process password policies that are linked
    > to the domain. It will only process password policies that are linked to
    > its OU or one of its parents.
    >
    > 5. "net accounts" is legacy - it doesn't know about complexity, so it
    > will not show whether complexity is enabled or disabled. To verify the
    > effective setting, create a RSoP report on the PDC emulator ("gpresult
    > /h report.html" from an elevated commandline).

    Then, may I know how to set up a password policy for user PCs through group policy?
    Tuesday, November 24, 2015 4:25 PM
  • Just something to try: did you check the user properties to see if "User cannot change password" has been checked? Also, maybe try to change your password through AD Users and Computers once and then try again to change it through Ctrl+Alt+Del.

    Tuesday, November 24, 2015 5:05 PM
  • > Just something to try: did you check the user properties to see if "User cannot change password" has been checked? Also, maybe try to change your password through AD Users and Computers once and then try again to change it through Ctrl+Alt+Del.

    I'm not in the office these few days; I can probably try it this Thursday.

    However, I have set my user properties as "Password Never Expire" in AD. Will it affect this problem?

    Tuesday, November 24, 2015 5:44 PM
  • > > Just something to try: did you check the user properties to see if "User cannot change password" has been checked? Also, maybe try to change your password through AD Users and Computers once and then try again to change it through Ctrl+Alt+Del.
    >
    > I'm not in the office these few days; I can probably try it this Thursday.
    >
    > However, I have set my user properties as "Password Never Expire" in AD. Will it affect this problem?

    Shouldn't have any effect. But I did find a way to tell if you have complexity enabled at the domain level. Open or download the Active Directory Module for Windows PowerShell and type in Get-ADDefaultDomainPasswordPolicy Domain.com (replace "domain.com" with your domain) and it will let you know if your domain has complexity requirements. That is, when you get back to work.
    Tuesday, November 24, 2015 7:26 PM
  • > > > Just something to try: did you check the user properties to see if "User cannot change password" has been checked? Also, maybe try to change your password through AD Users and Computers once and then try again to change it through Ctrl+Alt+Del.
    > >
    > > I'm not in the office these few days; I can probably try it this Thursday.
    > >
    > > However, I have set my user properties as "Password Never Expire" in AD. Will it affect this problem?
    >
    > Shouldn't have any effect. But I did find a way to tell if you have complexity enabled at the domain level. Open or download the Active Directory Module for Windows PowerShell and type in Get-ADDefaultDomainPasswordPolicy Domain.com (replace "domain.com" with your domain) and it will let you know if your domain has complexity requirements. That is, when you get back to work.

    I plan to disable the password complexity for my AD as well as my user PCs.
    Tuesday, November 24, 2015 11:46 PM
  • > Then, may I know how to setup a password policy for user PCs through
    > group policy?
     
    Create a GPO, link it to the domain, move it upwards (above the default
    domain policy) and edit to your needs.
     
    Wednesday, November 25, 2015 2:34 PM
  • > > Then, may I know how to setup a password policy for user PCs through
    > > group policy?
    >
    > Create a GPO, link it to the domain, move it upwards (above the default
    > domain policy) and edit to your needs.

    May I know why I can't edit from the Default Domain Policy?
    Thursday, November 26, 2015 6:58 AM
  • > May I know why I can't edit from the Default Domain Policy?
     
    You can - some people indeed advise to do so, I do not. Why? Because of
    dcgpofix which will reset the Default Domain Policy to its initial
    contents. And from time to time, this is required.
     
    But as said - you can.
     
    Thursday, November 26, 2015 11:37 AM
  • > > May I know why I can't edit from the Default Domain Policy?
    >
    > You can - some people indeed advise to do so, I do not. Why? Because of
    > dcgpofix which will reset the Default Domain Policy to its initial
    > contents. And from time to time, this is required.
    >
    > But as said - you can.

    Thanks for your reply.

    I've checked all of the group policies in my AD, but there is no password complexity policy being set.

    I feel weird in this issue only.

    Friday, November 27, 2015 12:09 AM
  • > I've checked all of the group policies in my AD, but there is no password complexity policy being set.
    >
    > I feel weird in this issue only.

    If your domain is "modern", maybe there is FGPP in use?

    https://technet.microsoft.com/en-au/library/hh831702.aspx#bkmk_view_resultant_fgpp


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Friday, November 27, 2015 6:47 AM
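
The checks suggested across this thread, combined into one script as an added example (not code from any of the posters): it reads the domain password policy from the PDC emulator, looks for a fine-grained password policy on the affected account, and flags the minimum-password-age case. `jdoe` is a placeholder account name, and the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
# Added example: run elevated, with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

$UserName = 'jdoe'   # placeholder sAMAccountName of the affected user (assumption)

# 1. The PDC emulator is the DC the thread says processes domain-linked password policy.
$pdc = (Get-ADDomain).PDCEmulator
Write-Output "PDC emulator: $pdc"

# 2. Domain-wide password policy as stored in AD, read from that DC.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy -Server $pdc

# 3. A fine-grained password policy (FGPP), if one applies, overrides the domain
#    policy for this user. The cmdlet returns nothing when no FGPP applies.
$fgpp = Get-ADUserResultantPasswordPolicy -Identity $UserName -Server $pdc

if ($fgpp) {
    $effective = $fgpp
    Write-Output "FGPP '$($fgpp.Name)' (precedence $($fgpp.Precedence)) applies to $UserName"
} else {
    $effective = $domainPolicy
    Write-Output "No FGPP applies to $UserName; the domain policy is in effect"
}

$effective | Format-List ComplexityEnabled, MinPasswordLength, PasswordHistoryCount, MinPasswordAge

# 4. Account-level settings raised in the thread that also affect a password change.
$user = Get-ADUser -Identity $UserName -Server $pdc `
    -Properties CannotChangePassword, PasswordNeverExpires, PasswordLastSet
$user | Format-List SamAccountName, CannotChangePassword, PasswordNeverExpires, PasswordLastSet

# 5. The minimum-password-age case from Shane's reply: a change attempted before
#    MinPasswordAge has elapsed since PasswordLastSet is refused.
if ($user.PasswordLastSet) {
    $age = (Get-Date) - $user.PasswordLastSet
    if ($age -lt $effective.MinPasswordAge) {
        $wait = $effective.MinPasswordAge - $age
        Write-Output ("Minimum password age not reached; next change allowed in {0:N1} hours" -f $wait.TotalHours)
    }
}
```

If `ComplexityEnabled` here disagrees with what the GPO editor shows, compare against the RSoP report generated on the PDC emulator with `gpresult /h report.html`, as described earlier in the thread.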
  • > I've checked all of the group policies in my AD, but there is no
    > password complexity policy being set.
     
    If it is not configured anywhere, builtin defaults apply. And that means
    complexity is enabled. AFAIK if you do not want complexity, you must
    disable it explicitly.
     
    Friday, November 27, 2015 9:15 AM
  • > > I've checked all of the group policies in my AD, but there is no
    > > password complexity policy being set.
    >
    > If it is not configured anywhere, builtin defaults apply. And that means
    > complexity is enabled. AFAIK if you do not want complexity, you must
    > disable it explicitly.

    May I know where can I disable from the builtin?
    Friday, November 27, 2015 9:20 AM
  • > May I know where can I disable from the builtin?

    Try to disable it in your Default Domain Policy, select the checkbox of "Define this policy setting", then select "Disabled", click "Apply".
     
    Not just uncheck the option, and leave this policy setting as Not Defined. Please have a try and let me know if it works.
     

    Regards,

    Ethan Hua



    Tuesday, December 01, 2015 2:26 AM
    Moderator
  • > > May I know where can I disable from the builtin?
    >
    > Try to disable it in your Default Domain Policy, select the checkbox of "Define this policy setting", then select "Disabled", click "Apply".
    >
    > Not just uncheck the option, and leave this policy setting as Not Defined. Please have a try and let me know if it works.
    >
    > Regards,
    >
    > Ethan Hua

    Hi Ethan,

    Thanks for your reply.

    There are many policies that have been set in Default Domain Policy and applied to all users, so I can't disable the whole group policy. Can I disable the builtin only?

    Tuesday, December 01, 2015 2:46 AM
  • I mean disable the specific policy setting of "Password must meet complexity requirements" in the Default Domain Policy Object, not the GPO itself.
     

    Regards,

    Ethan Hua



    • Marked as answer by SzeYin Wednesday, December 09, 2015 6:44 AM
    Tuesday, December 01, 2015 3:17 AM
    Moderator