Unable to reset user passwords from ADUC

    Question

  • I am unable to reset user passwords from our 2k8 r2 DC.  I am out of ideas, so hopefully someone can give some advice.  When trying to reset any user's password I get the following error popup:

    Windows cannot complete the password change for "user" because:  the password does not meet the password policy requirements.  Check the minimum password length, password complexity and history requirements.

    I have verified that there is no longer any password policy defined through GP and GP Result shows none is being applied to my test user - or any user for that matter,  yet this error persists.  I cannot locate any other place where this might be set.  I have verified that the DCs (I have a primary and backup) are replicating properly.  I also verified there was no custom password key created or installed.  I am really at a loss so I'd appreciate any input here.

    Tuesday, October 04, 2016 12:59 PM

Answers

  • On 04.10.2016 at 14:59, John.Alley wrote:
    > I have verified that there is no longer any password policy defined
    > through GP
     
    "not defined" means, there is no definition based on GP, but there still
    is one coming from the domain head.
    (adsiedit.msc -> dc=your,dc=domain)
     
    If you want NO password policy, you need to define e.g. length=0
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    • Marked as answer by John.Alley Wednesday, October 05, 2016 2:44 PM
    Tuesday, October 04, 2016 1:03 PM

All replies

  • I have verified that there is no longer any password policy defined through GP and GP Result shows none is being applied to my test user - or any user for that matter

    Hi,
    I agree with Mark that you could manually set the password policy in the group policy to disable password policy.
    In addition, have you deployed an FGPP policy in the domain? You could also check the msDS-ResultantPSO attribute of users in ADUC to find out, following the steps from: https://technet.microsoft.com/en-us/library/cc770848(v=ws.10).aspx
    If the value of the msDS-ResultantPSO attribute is Null, the Default Domain Policy is applied to the selected user account.
    Best regards,
    Wendy


    Wednesday, October 05, 2016 3:37 AM
    Moderator
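
A read-only way to see what the two replies above describe, added here as an example that is not part of any post in this thread. It assumes the ActiveDirectory PowerShell module is available and uses `testuser` as a placeholder account name; it reads the password attributes from the domain head, decodes `pwdProperties`, and checks `msDS-ResultantPSO` for that user.

```powershell
# Added example: read-only. Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

$SamAccountName = 'testuser'   # placeholder: an account whose reset fails

# Names of the pwdProperties bits stored on the domain head
$PwdFlags = @{
    1  = 'DOMAIN_PASSWORD_COMPLEX'
    2  = 'DOMAIN_PASSWORD_NO_ANON_CHANGE'
    4  = 'DOMAIN_PASSWORD_NO_CLEAR_CHANGE'
    8  = 'DOMAIN_LOCKOUT_ADMINS'
    16 = 'DOMAIN_PASSWORD_STORE_CLEARTEXT'
    32 = 'DOMAIN_REFUSE_PASSWORD_CHANGE'
}

function Convert-PwdAge([Int64]$Value) {
    # Ages are negative counts of 100 ns intervals; 0 and Int64.MinValue mean "no limit".
    # Int64.MinValue is tested first because [Math]::Abs would overflow on it.
    if ($Value -eq 0 -or $Value -eq [Int64]::MinValue) { return 'none' }
    return [TimeSpan]::FromTicks([Math]::Abs($Value)).ToString()
}

# The domain head is the object adsiedit.msc shows as dc=your,dc=domain
$DomainDN = (Get-ADDomain).DistinguishedName
$Head = Get-ADObject -Identity $DomainDN -Properties minPwdLength,
    pwdHistoryLength, pwdProperties, minPwdAge, maxPwdAge

$Enabled = $PwdFlags.Keys | Sort-Object |
    Where-Object { $Head.pwdProperties -band $_ } |
    ForEach-Object { $PwdFlags[$_] }

New-Object PSObject -Property @{
    DomainHead       = $DomainDN
    minPwdLength     = $Head.minPwdLength
    pwdHistoryLength = $Head.pwdHistoryLength
    pwdProperties    = '{0} ({1})' -f $Head.pwdProperties, ($Enabled -join ', ')
    minPwdAge        = (Convert-PwdAge $Head.minPwdAge)
    maxPwdAge        = (Convert-PwdAge $Head.maxPwdAge)
} | Format-List DomainHead, minPwdLength, pwdHistoryLength, pwdProperties, minPwdAge, maxPwdAge

# msDS-ResultantPSO is a constructed attribute and must be requested by name
$User = Get-ADUser -Identity $SamAccountName -Properties 'msDS-ResultantPSO'
if ($User.'msDS-ResultantPSO') {
    "Fine-grained policy applies: $($User.'msDS-ResultantPSO')"
} else {
    'msDS-ResultantPSO is empty: the domain-head values above apply to this user.'
}
```
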
  • Absolutely right, Mark.  I checked the attributes through ADSI and, sure enough, it was configured.  I have changed the attributes and I am now able to change passwords for domain users as desired.  

    Thanks for the assistance!

    John

    Wednesday, October 05, 2016 2:47 PM
  • Thanks for the reply, Wendy.  I verified there was nothing set as far as FGPP is concerned prior to my post; I should have stated that.  

    John

    Wednesday, October 05, 2016 2:50 PM
  • On 05.10.2016 at 16:47, John.Alley wrote:
    > absolutely right Mark.  I checked the attributes through ADSI and,
    > sure enough it was configured.  I have changed the attributes and I
    > am now able to change passwords for domain users as desired.
     
    Do not be scared at your next view inside the Default Domain Policy ...
    the values from Domain Head will be written inside DefDomPol.
     
    DefDomPol and Domain Head have a coexistence, if you change it on one
    or the other, the values will be synchronized.
     
    One reason, why DefDomPol is always {31B2....}
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Wednesday, October 05, 2016 3:39 PM