No password is complex enough

Tags: active-directory, group-policy, password, windows-server-2008

I have one user in my AD domain who seems to not be able to self-select a password. I may have another one, but they're on a different enough password-expiration schedule that I can't remember who it is right now.

I can set a password via ADU&C just fine, but when he tries it via C-A-D he gets the "doesn't meet complexity" message. Figuring he was just doing something like 'pAssword32', I did some troubleshooting of my own and sure enough it doesn't want to take a password that way.

He's one of our users that habitually uses a local account and then maps drives using his AD credentials so he doesn't get the "your password will expire in 4 days, maybe you should change it" prompts, so he's a frequent "my password expired, can you fix it" flyer.

I don't want to keep having him set it via ADU&C over my shoulder every N days. I'm just fine setting temp passwords of 48 characters of keyboard-slamming and letting him change it to something memorable.

My environment is at the Windows 2008 R2 functional level, and I am using fine-grained password policies. In fact, I have two such policies:

  1. For normal users (minimum length, remembered passwords)
  2. For special utility accounts

The password complexities I've tried match both policies for length and char-set selection.

The permissions on the User object itself look normal; SELF does indeed have the "Change Password" right.

Is there some other place I should be looking for things that can affect this?

Best Answer

It turns out I was insufficiently observant, overly paranoid, or perhaps a bit... BOFHy when I set the fine-grained password policies. Looking closely at them (ADSI edit is not a great interface for that, too much other stuff) I noticed that I am setting a minimum password age.

Apparently, admin-resets do indeed reset this aging timer to zero.

Apparently, Windows reports the password-complexity error when it is too soon to reset a password.

Unless I want to change it, my "reset me!" users will have to put up with (for example) 2 days of the impossible-to-remember-but-very-long-password dunce-cap before they can set it to something they can remember.

Maybe this is just the hammer I need to urge them into straight up domain accounts.
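As an added example (not code from the question or the answer above), here is a PowerShell check that makes the cause described in the answer visible without ADSI Edit: it resolves the fine-grained policy that actually applies to a user, reads the minimum password age and the user's last password set time, and reports the earliest moment a self-service change will succeed. It assumes the RSAT ActiveDirectory module and uses 'jdoe' as a placeholder account name.

```powershell
# Added example: diagnose a self-service password change that fails with the
# "does not meet complexity requirements" message when the real cause is the
# minimum password age of a fine-grained password policy (PSO).
# Assumes the ActiveDirectory module (RSAT); 'jdoe' is a placeholder user.
Import-Module ActiveDirectory

# List every PSO with the settings that matter here, so the one that sets a
# minimum age (and which groups/users it applies to) is obvious at a glance.
function Get-PsoMinimumAgeSummary {
    Get-ADFineGrainedPasswordPolicy -Filter * |
        Select-Object Name, Precedence, MinPasswordAge, MaxPasswordAge,
                      ComplexityEnabled, MinPasswordLength, AppliesTo
}

# Resolve the policy that wins for one user and compute when a self-service
# change becomes possible. An admin reset (ADU&C) updates PasswordLastSet,
# which restarts the minimum-age clock.
function Get-PasswordChangeEligibility {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet

    # Highest-precedence PSO applying to the user; falls back to the domain
    # default policy when no PSO applies to the user at all.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }

    $minAge   = $policy.MinPasswordAge            # TimeSpan; 0 means no minimum
    $now      = Get-Date
    $earliest = if ($user.PasswordLastSet) { $user.PasswordLastSet + $minAge } else { $now }

    [pscustomobject]@{
        User               = $user.SamAccountName
        Policy             = $policy.DistinguishedName
        MinPasswordAge     = $minAge
        PasswordLastSet    = $user.PasswordLastSet
        EarliestSelfChange = $earliest
        BlockedByMinAge    = ($now -lt $earliest)   # $true -> user gets the "complexity" error
    }
}

Get-PsoMinimumAgeSummary | Format-Table -AutoSize
Get-PasswordChangeEligibility -SamAccountName 'jdoe' | Format-List
```

When BlockedByMinAge is $true for a user who just had an admin reset, the complexity error they see is the minimum-age rejection described in the answer, not a problem with the password they typed.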