Users cannot change passwords...?

  • Users cannot change passwords...?

    I am having password issues for 2 out of 5 domains in our forest. Each of the default domain policies is the same and yet only 2 domains are experiencing problems. Our default domain policy has these password policy settings:

    number of passwords remembered: 4
    maximum password age: 90 days
    minimum password age: 80 days
    minimum password length: 6 characters
    password complexity: Disabled
    password reverse encryption: Disabled

    After 80 days they are prompted with a warning that their password is going to expire in 10 days and that they can change it now if they want...

    When they try to change it, they receive the error that "your password must contain at least 6 characters and cannot repeat any of your 4 previous passwords". I tried to change a password to a randomly complex string and still received this error. It will not allow them to change passwords.

    DCs: Win2k3 Server
    Client: Win2k/Winxp

  • #2
    Run rsop.msc on the PDC emulator and verify that the password complexity settings are actually applied.
    After that (if the problem still persists), try granting yourself explicit full control over the user object and try resetting the password for the account.

    The idea is to try to figure out whether this is a permissions or a policy issue.
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"


    • #3
      If I go to the server and select the "user must change password at next logon" box, everything works fine. The complexity settings are actually disabled; the only requirement applied is that the passwords must be 6 characters long.

      The problem seems to only appear when the message starts coming up saying that the user has "X" amount of days before the password expires. After that, unless I check the "must change password" box under each user account, the users cannot change their password... that includes myself, a domain admin.

      I checked several individual machines; the effective settings on the local machine are exactly what's enforced by the default domain policy.

      Hope this will give a little more insight?


      • #4
        I'm curious if the users are using something too similar to the previous password. In my experience if you do use something too close it will reject the new password.

        Try using the same password but spell it backwards and see if it takes it.

        ** Remember to give credit where credit is due and leave reputation points where appropriate **