Announcement

Collapse
No announcement yet.

Can't change password when username is 5 characters or less

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Can't change password when username is 5 characters or less

    On Windows server 2003:
    When the length of a username has 6 characters or more, then I can change my password successfully.
    When the length of a username has less than 6 characters, and I try to change its password, I receive the following error:
    The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.
    Any help with this would be much appreciated.
    Thanks!
    Last edited by rojosh; 20th February 2017, 16:02.

  • #2
    Start
    Control Panel
    Administrative Tools
    Local Security Policy
    Account Policies
    Password Policy
    Guess
    1 1 was a racehorse.
    2 2 was 1 2.
    1 1 1 1 race 1 day,
    2 2 1 1 2

    Comment


    • #3
      Hi
      I clarified (reedited) my question because I assume you didn't understand the question.
      thx

      Comment


      • #4
        Security policy settings are mandating how big a password must be. If this isn't a domain, the policy is local on the server. If it is a domain, your domain admins have set it through Group Policy. Password minimum complexity settings are in the same area of the Policy Editor tools, whichever way it's controlled.
        *RicklesP*
        MSCA (2003/XP), Security+, CCNA

        ** Remember: credit where credit is due, and reputation points as appropriate **

        Comment


        • #5
          As I understand it, it is not an issue with the password policy, it is with "too short a username" not allowing password changes.

          Suggest you create some new accounts (with names of varying lengths) and test further (with variable password lengths too). If it was a supported OS, I would raise this with MS, but since it is 2003, not much of a chance.

          FYI, I have used 2 and 3 letter user names successfully in 2003R2 and above (probably in 2003, but not sure)
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd
          Scotland

          ** Remember to give credit where credit is due and leave reputation points where appropriate **

          Comment


          • #6
            Tom,
            Yes, you got it right.

            RicklesP,
            I already have played with username lengths below and above 6 letters.
            The password change works fine for a username above 6 letters long but not below 6.
            I don't believe that the error message I receive is the problem but rather a symptom.

            Comment


            • #7
              I've been a bit intrigued by this post so have been looking into it further.

              The sAMAccountName, this is the one that you see next to the pre Windows 2000 box, has a maximum length of 20 characters.

              https://msdn.microsoft.com/en-us/library/ms679635.aspx

              The UPN has a limitation of 1014 characters, from various sources as MSDN doesn't actually list a value.

              https://msdn.microsoft.com/en-us/lib...(v=vs.85).aspx

              You will see on both that there is no minimum size.

              As a test i have logged on to a DC and created a user with a single character and set an initial password. I have then gone into the users account and reset the password successfully.

              From the research that i have done i cannot find anything that would allow you to set a minimum username length.

              From what i can see the issue is not actually the creation of the account, you are successfully able to create a user account with an initial password, more of a you cannot change the password once it has been set.

              1. Create a user called w in AD.
              2. Set password to corp standard new user password.
              3. Logon to ADUC and change the password.

              Is this the process or do you follow some other method??

              Comment


              • #8
                Hi,
                I have disabled Password Complexity by following these instructions:

                How to Disable Password Complexity Requirements in Windows Server OS?
                http://www.askvg.com/how-to-disable-...2003-and-2008/

                I then did:


                gpupdate /force

                This was done last week. Yesterday I tried to create a username "w" which is 1 character long and then when
                I tried to input the password twice I received the same message:

                "Windows cannot set the password for w because:
                "The password does not meet the password policy requirements. Check the minimum password length,
                password complexity and password history requirements."

                This is the message I get when the USERNAME length is between 1 to 5 letters long. When it's 6 letters long
                then I succeed in creating the username.

                Comment


                • #9
                  I recall when we set up our 2003 systems years ago that turning off password complexity had no effect and that it was a known issue.
                  A recent poll suggests that 6 out of 7 dwarfs are not happy

                  Comment


                  • #10
                    Hi Blood
                    Thanks very much for that info.
                    Is there anything I can do about it?
                    I have SP2 installed and I rebooted the server but I still get same error about password complexity.

                    Comment


                    • #11
                      Well, it was not something we were concerned about because we require complexity. We discovered it because we had to call in a consultant after DNS stopped working after setting up a new domain and he tried changing passwords and pointed out that password complexity could not be disabled. However(!), a quick search discovered this: https://www.petri.com/disable_passwo...win2003_domain

                      Give it a go and see if it helps with your short usernames.
                      A recent poll suggests that 6 out of 7 dwarfs are not happy

                      Comment


                      • #12
                        Apologies for my entry of 20 Feb, talking about password length--I misread the original post too quickly. I've never heard of or seen a username length specification, anywhere. However, I do know of some 3rd-party software which integrates with the existing password mechanism of Windows and AD, and there're some additional rules to be followed. But even that doesn't specify a username length. I'll try it tomorrow and let you know.
                        *RicklesP*
                        MSCA (2003/XP), Security+, CCNA

                        ** Remember: credit where credit is due, and reputation points as appropriate **

                        Comment


                        • #13
                          Originally posted by Blood View Post
                          Well, it was not something we were concerned about because we require complexity. We discovered it because we had to call in a consultant after DNS stopped working after setting up a new domain and he tried changing passwords and pointed out that password complexity could not be disabled. However(!), a quick search discovered this: https://www.petri.com/disable_passwo...win2003_domain

                          Give it a go and see if it helps with your short usernames.
                          Hi
                          Already tried that and it didn't work.
                          Even if my username is above 5 letters, I still get error about password complexity if it doesn't
                          comply with password complexity rules.
                          thx

                          Comment


                          • #14
                            How many user accounts is this affecting? If the number is small rename the account, change the password, then change the name back again. Use a test account first to make sure it works as you expect it to.
                            A recent poll suggests that 6 out of 7 dwarfs are not happy

                            Comment


                            • #15
                              Ok i've just built a 2003 domain controller and the only way that i can replicate your issue is to input a password which does not meet the complexity requirements. I have user accounts with names ranging from one letter to 6 and i can successfully change each password, as long as it meets the minimum requirements.

                              Can you post what you are using for your password? I typically test using [email protected] as it meets the requirements for password complexity.

                              These are the requirements

                              Windows Server 2003 provides security policies that ensure that all users select strong passwords. Creating a password policy involves setting the following options in the Default Domain Group Policy object. These policies, with the exception of those settings related to password lifetime, are enforced on all users in a domain.

                              The default password filter (Passfilt.dll) included with Windows Server 2003 requires that a password:
                              • Is not based on the users account name.
                              • Contains at least six characters.
                              • Contains characters from three of the following four categories:
                                • Uppercase alphabet characters (AZ)
                                • Lowercase alphabet characters (az)
                                • Arabic numerals (09)
                                • Nonalphanumeric characters (for example, !$#,%)

                              As stated above, this policy is enabled by default.
                              Disabling the password complexity in the Default Domain policy outlined in the guide above resolves the issue for me.

                              Do you have any other password policies in GPO's?

                              Comment

                              Working...
                              X