Some users (and all newly created users) cannot change password (new password is not saved - no error appears)

    Question

  • We have a Windows 2012 Standard Domain Controller.

    We have about 30 active users. There was a request to enforce complexity policies to the passwords of the user.

    Until now all users had the same (complex) password with no expiration and no rights to change password.

    We unchecked these specific checkboxes and asked the users to change their passwords.

    Most users were able to change the password successfully.

    A few users had the following (really strange) behavior.

    Although they changed their password (by pressing ctrl+alt+del) and they got the message "password successfully changed", the next time they tried to log in, they couldn't log in using either the new password or the old one. The only way they could log in was by leaving the password blank.

    The same thing happens if I reset the password from the domain controller. The new password doesn't work and only a blank password works. This happens to 3-4 users and every new user I create. Even if I check the option to change the password the first time they log on, when I input the new password, it says success and then tries to log in but returns a wrong password error (and can log in with a blank password).

    Not two weeks before this happened, I had created 2 new users. One of those users successfully changed his password, the other one couldn't.

    The Domain Controller is the only DC in the environment. (There was an old 2003 server but it broke down and I had to seize the FSMO roles.)

    Prior to this I was also experimenting with ADSelfService Plus for dictionary checking the passwords and custom password filters (OpenPasswordFilter), but I restored the one change to the registry and uninstalled ADSelfService.

    When using the command net user Username the last password change appears to be correct (but the only password that works is blank password)

    On a computer where the primary user was able to change his password, I tried to log in with one of the users that have the problem and change it from there, but the problem persists.

    I also tried unjoining and rejoining the computer to the domain.

    I also tried creating a new user by copying an existing user that was able to change his password, but the problem persisted.

    Here is the link to the thread I opened, where they suggested I ask the question in this specific forum.

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/0c875284-68f1-4e27-97ee-d21d84143cea/some-users-and-all-newly-created-users-cannot-change-password-new-password-is-not-saved-no?forum=winserversecurity

    The steps I took, following the suggestions of the guys that were kind enough to help me, were that I removed every entry of the old domain controller manually from DNS and Active Directory Sites and Services.

    ADSI Edit returns no relevant error and netdom query fsmo shows that my current domain controller has all roles.

    Has anyone come across anything similar?

    Any help would be appreciated.

    Monday, March 13, 2017 11:44 AM

Answers

  • So sorry for not updating my case guys.

    I managed to resolve the problem after all today.

    I think the problem was with the OpenPasswordFilter experiment I made.

    The tutorial said that I have to create a service by using the following command:

    > sc create OPF binPath= <full path to exe>\opfservice.exe start= boot
    

    After removing this service and rebooting the server, the passwords issue was resolved.

    As a matter of fact, Wendy, I tried logging in with username@domain but it didn't work.

    Thank you very much for your interest in my case.

    PS. Should I mark my reply as the solution?

    • Proposed as answer by Rafa de Lucca Friday, March 17, 2017 5:28 PM
    • Marked as answer by noegr Friday, March 17, 2017 6:19 PM
    Friday, March 17, 2017 5:18 PM
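
The cleanup described in the answer above can be verified with a check like the following, which is an added example and not part of the original thread. Password filters are registered as LSA notification packages, so it lists that registry value alongside any leftover helper service; the service name `OPF` comes from the `sc create` command in the post, and the baseline package list is an assumption to adjust for your build.

```powershell
# Added example: audit a DC for leftover password-filter components.
# ASSUMPTIONS: $BaselinePackages is a constructed allow-list (adjust to your build);
# 'OPF' is the service name from the sc create command quoted in the post.
function Get-PasswordFilterAudit {
    param(
        [string[]]$ServiceName      = @('OPF'),
        [string[]]$BaselinePackages = @('scecli', 'rassfm')
    )
    # Meaning of the Start DWORD under each Services\<name> key
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

    # 1. DLLs that LSA loads and calls on every password change or reset
    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'
    foreach ($pkg in $packages) {
        $dll = Join-Path $env:SystemRoot "System32\$pkg.dll"
        [pscustomobject]@{
            Check    = 'NotificationPackage'
            Name     = $pkg
            Detail   = if (Test-Path $dll) { $dll } else { "missing: $dll" }
            Expected = $BaselinePackages -contains $pkg
        }
    }

    # 2. Helper services the filter depends on, read straight from the registry
    foreach ($svc in $ServiceName) {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (-not (Test-Path $svcKey)) { continue }
        $p = Get-ItemProperty -Path $svcKey
        [pscustomobject]@{
            Check    = 'Service'
            Name     = $svc
            Detail   = "Start=$($startNames[[int]$p.Start]); ImagePath=$($p.ImagePath)"
            Expected = $false
        }
    }
}

# Show only what is not in the baseline: these are the items to review or remove.
Get-PasswordFilterAudit | Where-Object { -not $_.Expected } | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session on the domain controller; an empty result means no unexpected notification package and no leftover service key were found.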

All replies

  • Quick Update

    I was worried that maybe the password was not correctly saved in Active Directory.

    So I did the following steps.

    I changed the password using the PowerShell command

    Set-ADAccountPassword -Identity user

    First, it asks for the old password

    When I input the password I have set from ADUC, it proceeds.

    When I input a blank password, it doesn't (wrong password).

    This shows that the password is correctly saved inside Active Directory.

    When I input a password that was used previously, it shows me an error about not following history requirements (normal).

    After that, I used the function from this link (http://serverfault.com/questions/410240/is-there-a-windows-command-line-utility-to-verify-user-credentials) to check whether the password was saved.

    And here is where it gets really weird

    Let's say we have set the password to Iop123!! through PowerShell.

    Here are the results of the function that checks credentials:

    PS C:\Users\administrator.dom> Test-ADAuthentication "dom\user" "Iop123!!"
    False
    PS C:\Users\administrator.dom> Test-ADAuthentication "dom\user" ""
    True
    PS C:\Users\administrator.dom> Test-ADAuthentication "user" ""
    False
    PS C:\Users\administrator.dom> Test-ADAuthentication "user" "Iop123!!"
    True

    So the password is blank when I use domain\ before the username, but it has the right value when it doesn't have the domain in front.

    Since the workstation is trying to authenticate using the domain\user format, it fails to authenticate with the password "Iop123!!".

    How is this even possible?

    Monday, March 13, 2017 12:43 PM
  • Hi,
    Have you tried to log in the user with the username@domain account format? If not, please give it a try and see the results.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, March 14, 2017 9:49 AM
    Moderator
  • Hi,

    Was your issue resolved? If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions. If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Wendy


    Friday, March 17, 2017 9:20 AM
    Moderator