none
Minimum password age set to 0 - Still unable to change password through OWA immediately due to password complexity related policies.

    Question

  • I am having a hard time understanding why users are still unable to change their password immediately even when Minimum Password Age is set to 0.

    Scenario:

    I set a complex password for the User to begin with.  User takes laptop home, logs into the VPN OK and wants to change his password.  I ask him to try it through Outlook Web Access.  Denied, due to password policies although we have triple checked that our minimum password age is set to 0 at the domain level (and no other similar/same or conflicting password  policies are applied at the OU level). 

    The ONLY way he is able to change his password is if I set the attribute "User must change password at next logon", and the User locks their PC and upon unlocking, they can successfully change their password.

    This leads me to believe that Windows 10 Pro's local GPO is biting us, as it's default is set to 1.  However, even when I changed it to 0, why can't he change his password via OWA immediately?  (I understand that technically, although his Windows 10 machine is set to 0 too, OWA is not considered local)  So is it because Exchange itself is set to 1 day or more, locally?  Is there another place I should be checking?  I've checked these levels - domain, OU and local.  Anywhere else and why?  I have really never understood the Domain Controller's policies.  Can someone shed some light?

    Thanks!

    Sleepless_in_MN

    Wednesday, March 08, 2017 3:27 PM

Answers

  • Hi,

    Referring the following similar thread, it seems that the behavior is excepted, as the computer would be using cached credentials (the original password) until it was connected to the VPN and was thus connected to the domain.  Once on the VPN they should be connected to the domain and thus locking/unlocking the computer would allow it to pick up the new credentials.

    https://community.spiceworks.com/topic/882445-how-to-allow-users-to-reset-their-password-over-vpn

    https://community.spiceworks.com/topic/242476-domain-password-computer-password-do-not-match

    Please Note: Since the web sites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Marked as answer by guesthost Friday, March 24, 2017 1:05 PM
    Thursday, March 23, 2017 1:34 AM
    Moderator

All replies

  • Hi,

    What is the Maximum password age set to?

    The Minimum password age policy setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If Maximum password age is between 1 and 999 days, the minimum password age must be less than the maximum password age. If Maximum password age is set to 0, Minimum password age can be any value between 0 and 998 days.

    https://technet.microsoft.com/en-us/library/hh994570%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396


    Regards,
    Rafic

    If you found this post helpful, please give it a "Helpful" vote.
    If it answered your question, remember to mark it as an "Answer".
    This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!


    Wednesday, March 08, 2017 5:13 PM
  • Hi,

    I am checking how the issue is going, if you still have any questions, please feel free to contact us.

    And if the replies as above are helpful, we would appreciate you to mark them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    Appreciate for your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, March 13, 2017 9:47 AM
    Moderator
  • I apologize for the delay in response. It was indeed Windows 10 Professional's LOCAL Minimum Password Age setting that was set to 1 day and needed to be set back to 0, however he could only change his password by LOCKING his laptop while connected to the VPN, then unlocking.  Upon unlocking it, he was then prompted to change his password.  Outlook Web Access was of no help in this entire password change scenario.
    Monday, March 20, 2017 6:55 PM
  • Hi,

    Referring the following similar thread, it seems that the behavior is excepted, as the computer would be using cached credentials (the original password) until it was connected to the VPN and was thus connected to the domain.  Once on the VPN they should be connected to the domain and thus locking/unlocking the computer would allow it to pick up the new credentials.

    https://community.spiceworks.com/topic/882445-how-to-allow-users-to-reset-their-password-over-vpn

    https://community.spiceworks.com/topic/242476-domain-password-computer-password-do-not-match

    Please Note: Since the web sites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Marked as answer by guesthost Friday, March 24, 2017 1:05 PM
    Thursday, March 23, 2017 1:34 AM
    Moderator