Password Change Problem (W2KPRO & W2K3 SRV)

Password Change Problem (W2KPRO & W2K3 SRV): Posted by Hilaire Gagne on January 23rd, 2004; Hi All,

When trying to change a user password from a Win2K Pro
SP4 workstation using a Win2K STD Server DC, I get the
following error:

"Your password must be at least 7 characters and cannot
repeat any of the previous 1 passwords ..."

I have tried changing the Domain Admin/User password
after 1 (even 2) days and the same message appears. The
Default Domain Policy (DDP) has been set to:

Enforce Password History = 1 password remembered
Maximum Password Age = 42 days
Minimum Password Age = 1 days
Minimum Password Length = 7 characters
Password Must Meet Complexity = Disabled
Store Password Reversibel Encryption = Disabled

The Computer (member of Domain Computers) & Users (member
of Domain Users) are in an OU entitled:

Locations\cityname\Users
Locations\cityname\Computers

The DDP is at the Forest Level (default) and the Domain
Controller Policy (DDCP) which hasn't been changed from
factory default appears in the DC container.

Have used GPRESULT, SECEDIT, and ExtensionDebugLevel = 2,
Full Event Logging to confirm that the workstations are
getting the DDP ... everything looks normal.

Have disjoined and rejoined a workstation to see if it's
the problem ... no change.

Have used the Group Policy Modeling Wizard (GPMC SP1) to
return the policy settings for:

- Forest
- Domain
- User
- Computer

Event logs on server and workstations appear clean (no
warnings/errors) when attempting to change the password
using CTRL+ALT+DEL dialog ... still get the above
mentioned error.

I am able to consistently reproduce the problem on any
W2K3 SRV (ENT & STD) with W2KPRO SP4 (Fully patched -
WUPDT) Changing the DDP to the following resolve the
problem ... not a good solution and doesn't match other
similar deployments done using W2K SRV (ADV & STD):

Enforce Password History = 0 password remembered
Maximum Password Age = 42 days
Minimum Password Age = 0 days
Minimum Password Length = 7 characters
Password Must Meet Complexity = Disabled
Store Password Reversibel Encryption = Disabled

I would really appreciate some insight; I can't for the
life of me figure out what I missed.

Advance thanks,

HilaireG
hilaireg@eol.ca; Posted by marrk on January 24th, 2004; hello all, i just upgraded my Windows 2000 domain
controllers to windows 2003 and i am experiencing this
exact same problem and have not come up with a fix yet.
Any idea's?; Posted by Hilaire Gagne on January 24th, 2004; Hi Laura/Markk,

Laura, I have temporarily set "Password Must Meet
Complexity = Disable" in Group Policy and set the "Enforce
Password History = 0" to get around the problem.

Markk, I am able to consistently reproduce the problem on
any W2K3 SRV (ENT & STD) with W2KPRO SP4 (Fully patched -
WUPDT) Changing the Domain Default Policy to the
following resolves the problem ... not a good solution and
doesn't match other similar deployments done using W2K SRV
(ADV & STD):

Enforce Password History = 0 password remembered
Maximum Password Age = 42 days
Minimum Password Age = 0 days
Minimum Password Length = 7 characters
Password Must Meet Complexity = Disabled
Store Password Reversibel Encryption = Disabled

As of this post, I have approximately 30 hrs accumulated
on this problem (all of it personal afters hours time) ...
I am genuinely interested in solving it as I am concerned
that there may be deeper issues at work.

Any additional insight from the community would be
extremely appreciated. Please let me know if anyone needs
me to try additional tests (that I may have overlooked) or
provide logs (GP or other).

Kindest Regards,

HilaireG; Posted by 123 on January 25th, 2004; set the password in this :wAh91HsiqO,try it again.; Posted by Laura A. Robinson [MVP] on January 25th, 2004; circa Sat, 24 Jan 2004 12:17:09 -0800, in
microsoft.public.windows.server.active_directory, Hilaire Gagne
(hilaireg@eol.ca) said,
that is being rejected. I believe that you are not typing passwords
that meet the complexity requirements in the default policy.

Laura; Posted by Hilaire Gagne on January 25th, 2004; As per your requests,

Default Domain Policy in AD
===========================
Enforce Password History = 1 password remembered
Maximum Password Age = 42 days
Minimum Password Age = 1 days
Minimum Password Length = 7 characters
Password Must Meet Complexity = Disabled
Store Password Reversible Encryption = Disabled

Test Conducted
==============
Password tested = abcD1234
Attempted to change to = wAh91HsiqO
Time elapsed before attempt to change = 27 hrs
Result =

"Your password must be at least 7 characters and cannot
repeat any of the previous 1 passwords ..."

Used GPRESULT on W2K PRO SP4 station to confirm that
Security Policies had indeed been received from W2K3 AD
Server.

HilaireG; Posted by on January 27th, 2004; Hi Laura,

I can reset the user/administrator passwords for the
domain from the DC (Domain Controller) without problems.

The problem manifests itself at the workstations. If you
logging as a Domain user/administrator and press
CTRL+ALT+DEL and click Change Password - you get the
error I listed in the thread.

It doesn't matter how long you wait (1 day, 2 days, 1
week, etc.) - it will not allow password change. As you
saw from my previous thread, I have included the Default
Domain Policy settings applied.

From the settings, you can observe that the Complexity
Requirement option is not enabled at this time as I am
trying to isolate what is causing the problem.

Hope that helps clarify,

HilaireG; Posted by Hilaire Gagne on February 3rd, 2004; Hi Laura,

Sorry on the delay ... been out of town since my last
post and didn't have enough cycles to put to checking
these posts ... my bad :-(

I will make a point of checking these tomorrow during the
day. In the interim, are there specific settings you
want me to look at?

Thanks

HilaireG; Posted by Tkawika on February 18th, 2004; I am having the same issue with WinXP. Has anyone come
up with a solution? I have checked the reg settings and
I do not have either keys. We have gone through all
policies and still no luck. Any help would be much
appreciated. Samples of passwords try below.

Previous password:
54H0lly24
Tried passwords:
66N3wPswd
12N0t4Me

All the "O" are actually zero's. The notification is the
standard. 7 letters and the last x days.

TKawika; Posted by Bill on February 18th, 2004; Good day,
I'm having the exact same problem on a network I'm building. I've
tried removing the Group Policy / Password Policy (Not defined) on
both the Server (W2K3) and the workstation (WXP) to no affect. I'm at
a lost as to why I get the password complexity prompt when there is no
policy defined. My users can only change their password 1 time. Has
anyone found a solution? Thanks.

Bill
wrschaeffer (a) chevrontexaco.com; Posted by Todd on February 25th, 2004; All,

We have found that migrated users (migrated from NT4
domain) are fine, new users experience the problem
described by everyone in this thread.

Pretty consistent.

Very interested in further progress on this issue.

Todd

Similar Posts

Problem with map drives after AD password change (computer specifi (Help and Support) by PghTech
Problem with map drives after AD password change (computer specifi (Help and Support) by PghTech
problem when I have to change my network password.... (Microsoft Windows) by Dooma
domain password change problem (Microsoft Windows) by edongski
HPUX password change problem (UNIX / Variants) by Shijith