none
GPP Local User and Group creation

    Question


  • Hi
    We are facing issue in creating user account in Windows servers and computers using GPP local user and Group option. We have configured a policy to create local user account named "test" with password "test@12345". When I am checking the servers I find that the user account is not getting created. I have checked the event viewer and found Event ID 4098 source Group Policy User and Group. It says the GPP user creation fails because password complexity not met.
    We have password complexity requirement enabled in all our servers which is a mandate. I have tried creating the account manually with same password it works fine.
    I have tried to create the user with different password like "password@123" using policy then it gets created.
    I think due to password complexity the user name as part of password is not acceptable but how it works when we create it manually.
    I have a requirement that I have to create account with same password "test@123" as it is embedded in many applications.
    Please suggest how to achieve the same and why are we able to create account manually and not through policy
    Friday, February 12, 2016 8:44 AM

All replies

  • Hi

     "test" with password "test@12345". >>> You could not use user account name on password.(test).that's why it fails with password complexity and you are able set password@123

    account manually with same password it works fine >>> So i guess your account is member of administrators group,so administrator have administrative rights.

    Also you can configure passwords with LAPS,

    https://www.microsoft.com/en-us/download/details.aspx?id=46899


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur


    • Edited by Burak Uğur Friday, February 12, 2016 9:17 AM
    Friday, February 12, 2016 9:15 AM
  • If Password must meet complexity requirements security setting is enabled, then passwords must not contain the user's entire samAccountName (Account Name) value or entire displayName (Full Name) value.
     
    I have tested the same in my local lab, I'm unable to create a "test" account with "test@12345" as the password manually. Any special configuration in your environment? Could you please more details on how you did this?
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Wednesday, February 17, 2016 5:22 AM
    Moderator
  • Hi,

    Thanks for the reply. When I login to the server with Admin ID and create local user manually as test with password test@123 it is getting created wherein when I apply GPP to create the user through GPP it fails with error that password does not meet complexity requirement.

    The Password policy for complex password is applied on the server through Group Policy

    If the ID is not getting created because of complexity requirement then why is it getting created when done manually by logging into the server from computer management.

    I cannot use any script as the servers cannot be rebooted.

    Wednesday, February 17, 2016 12:03 PM
  • Hi

      When I login to the server with Admin ID and create local user manually as test with password test@123 it is getting created  >>> it is OK now,so you create a local user account not a domain user.But already mentioned you can not use Samaccount name (user name) on the password for domain user...Cause for domain user password policy is valid.


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur


    Wednesday, February 17, 2016 12:10 PM
  • Hi

    I am trying to create local user only using GPP under Computer configuration/Preference/Control Panel/local user and Group option. It is same as creating user manually on the server

    Wednesday, February 17, 2016 12:26 PM
  • As explained above, this is because when you create it by using GPP, it will actually be a domain user first, and the password policy will be applied to it.

    If you go to the local server and create it directly, the password policy will not affect this account. Hope this make it clear.

    Monday, February 29, 2016 7:05 AM