none
Users cannot change password does not accept new password. RRS feed

  • Pregunta

  • Hello I have a couple of users who are on Windows 7 Ultimate that are attached to our Windows 2003 domain.

    I am having trouble when their passwords expire or just when they try to change their password, when they log in they receive the normal your password has expired or is about to expire, so they try and change it and they get an error that the new password does not meet minimum requirements.

    Now I know for certain that the new password they are trying meets our domains minimum requirements, so is there a setting in WOndows 7 that needs changing locally?
    jueves, 5 de noviembre de 2009 15:30

Todas las respuestas

  • Thanks for your reply.

    The first KB article shows the error I am getting but I know that users are definitely meeting the requirements.

    Also Windows 7 is not on the list of affected OS'
    viernes, 6 de noviembre de 2009 9:24
  • Hi Dean132,

    Could you please create a new Test OU on the server without Group Policy and put Windows 7 computers in this new OU?

    We can check whether the computers are affected by Domain policy or not.

    Hope it helps.

    Thanks.
    lunes, 9 de noviembre de 2009 6:41
  • I'm having a similar problem. I've got a new windows 7 user on a 2003 domain who cannot update his password as it 'doesn't satisfy complexity requirements'.

    I've tested it myself with a password that certainly does satisfy the requirements but receives the same error.

    The computer is in contact with the domain controller and the user isn't locked out.

    Policy is being applied to the computer/user.

    Is this a known issue or is there a fix?

    miércoles, 6 de octubre de 2010 15:39
  • How to Troubleshoot Active Directory Password Policy Settings
    http://www.anitkb.com/2010/08/how-to-troubleshoot-active-directory.html

    "The password does not meet the password policy requirements. Check the minimum password legth, password complexity and password history requirements."

    One thing that most people forget is that when complexity is enabled, the password cannot contain the user's entire Account Name or entire Full Name. The Account Name and Full Name are parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the Account Name or Full Name are split and all sections are verified not to be included in the password. There is no check for any single character or any three characters in succession.

     


    Visit: anITKB.com, an IT Knowledge Base.
    miércoles, 6 de octubre de 2010 16:53
  • I am having this issue with a 2008 environment.  I have had to reset the password in AD to give him access and now he cannot change his password.  I have tried myself with extremely long, complex passwords but it will not take it.  Any suggestions?
    martes, 2 de noviembre de 2010 17:47
  • I tried logging into a 2003 box and saw that it's error said that the minimum age of the password is 30 days even though the policy is set to 0 days.
    martes, 2 de noviembre de 2010 21:29
  • Just FYI, I was having this same issue.  After much wrangling and searching, I found a post that explained you cannot have group policy password policies applied by OU's -- there must be only one password policy applied, and it must be applied at the domain level.

     

    After I cleaned up my Group Policy so that I only had a single password policy, applied to the root of my domain, my users were able to change their passwords again.

     

    Hope this helps!

    -pete

    • Propuesto como respuesta Peter Grace martes, 16 de noviembre de 2010 14:58
    martes, 16 de noviembre de 2010 14:58
  • Hello Peter,

    Just for clarification...It is technically possible to have more than one password policy linked in the domain.  However, when targetting DOMAIN USERS, you can only have ONE domain password policy, and it MUST be linked to the domain object.

    If you have a GPO with Policy settings linked to an OU, the policy is valid, but it will not apply to the user objects stored in that OU.  Password Policies are stored within the Computer Configuration of a GPO.  Therefore, a password policy would be applied to computer objects.  If you link it to an OU, the local accounts defined on the computers within the OU will be affected.

    Now with AD 2008, you can also create Fine Grained Password Policies which supplement the domain password policy and you are able to target users and groups.


    How to Implement an Active Directory Password Policy
    http://www.anitkb.com/2010/03/how-to-implement-active-directory.html

    How to Troubleshoot Active Directory Password Policy Settings
    http://www.anitkb.com/2010/08/how-to-troubleshoot-active-directory.html


    Visit: anITKB.com, an IT Knowledge Base.
    • Propuesto como respuesta Jimmy Colorado jueves, 13 de enero de 2011 17:50
    martes, 16 de noviembre de 2010 23:34
  • Password Policies are set on computer objects however, in a domain, passwords are not managed by the local computer but rather by the DOMAIN CONTROLLER and therefore you need change the settings in a policy that will be applied to the DOMAIN CONTROLLERS.

    This worked for me.

    -Jimmy

    martes, 8 de marzo de 2011 14:09
  • @Jimmy,  I am not sure if you understood my last posting based on your response. 

    Let me clarify for the benfit of everyone reading this thread...Password Policies are not really user based policies.  If you look at a GPO, you'll notice that password policies are contained in the computer configuration section.  The GPO containing the password policies, MUST be linked to the domain object level.  Domain Controllers (which are computers) read this policy and apply the settings to domain user objects.

    If you were to apply a GPO containing password policies at the OU level, the computers within the OU will read from this policy, and apply the policy to any local user accounts stored on those systems.

    I hope this helps clarify my posting.

     


    Visit: anITKB.com, an IT Knowledge Base.
    martes, 8 de marzo de 2011 20:27
  • I had the same problem. Looking at the password policy settings it said that the minumum password age was set to 1 day. I just had to wait a day to be able to change my password.

    Kind regards,

    JP

    martes, 26 de junio de 2012 11:51
  • Hi I had a similar issues and realised that the SD has not set the flag to force password on first logon but just told the user to reset their password once they succesfully logged on. 

    Security by obsurity strikes again!  If only the message mentioned the violation was actually the minimum password age you would find the root cause instantly.

    The password policy also defines a minimum password age of 30 days.  So if you don't set that flag the user can't change his password for 30 days. 

    miércoles, 15 de mayo de 2013 10:43