PS: Set-ADAccountPassword - Complexity Exception

I've got problems with setting new passwords via Powershell on Server 2012 R2:

Set-ADAccountPassword -Identity testuser48 `
    -OldPassword (ConvertTo-SecureString -AsPlainText "HelloPassword123#" -Force) `
    -NewPassword (ConvertTo-SecureString -AsPlainText "April456#@123" -Force)

I tried many different passwords but there's always an ADPasswordComplexityException.

FullyQualifiedErrorId : ActiveDirectoryServer:1325,Microsoft.ActiveDirectory.Management.Commands.SetADAccountPasword


Are there any other things I could try? All password complexity rules (incl. length, ...) are disabled.


  • Moved by pbbergsMVP Friday, April 11, 2014 11:45 AM
April 11th, 2014 2:16pm

Moving to the scripting forum
April 11th, 2014 2:45pm

Are you running this as the user or with an admin account? Try it without the -oldpassword parameter. I was seeing the same issue as you, but when I just used

set-adaccountpassword -identity user -newpassword (convertto-securestring -asplaintext P@`$`$w0rd1 -force)

it worked OK.  Note that I did not use " " around the password and I had to escape the special characters.

April 11th, 2014 4:21pm

I'm running with admin account but the goal should be to run it under a normal user.

With the -reset parameter instead of the -oldpassword it works but only with the admin user. This script is called from a webapp on IIS under normal user privileges so using -reset is not really an option.

Is there any other way to deal with this problem? We really want to give the users a possibility to change their password themselves over the internet.

April 11th, 2014 5:16pm

Is there any other way to deal with this problem? We really want to give the users a possibility to change their password themselves over the internet.

That's going to be tough to secure properly.

Alternative - use OWA.

April 11th, 2014 5:21pm

I can't see a problem with that - the application is secured via AD FS and prompts for the old password when trying to change the password. If only the Powershell cmd-let would work ...

We do not have OWA on-premise as we are using Office 365.

Sadly we need an on-premise AD to fulfill our needs and there is no two-way sync with DirSync.


  • Edited by Christoph Fi Friday, April 11, 2014 2:26 PM clarification
April 11th, 2014 5:24pm

I agree with David.

That being said, to answer your question - is it possible that you have a password history issue you're running into while testing this?  The error I'm getting is probably the same as yours:

Set-ADAccountPassword : The password does not meet the length, complexity, or history requirement of the domain.

I am using a test account that I literally just created, and the account is set to not force the user to change password upon first logon.  Because this example is changing the password rather than resetting it, the password age may not be old enough when you're executing the command, so you get the generic failure.

April 11th, 2014 5:27pm

Yes, the error is the same.

I already removed all password complexity and history rules. The error is still there.

I removed the rules in the Default Domain Policy - this is the right place I suppose?

April 11th, 2014 5:34pm

Check RSoP for the user account, it may also be specified in another policy.

Another alternative - if your organization is small enough, this is free forever:

http://www.nervepoint.com/en/

April 11th, 2014 5:43pm

Very strange - I just found out that I have to set both minimum and maximum password age from undefined to 0 in order for this command to work.

Thanks girls (and guys) for steering me into the right direction!

  • Marked as answer by Christoph Fi Friday, April 11, 2014 3:13 PM
April 11th, 2014 6:12pm

Default Domain Policy is typically where the setting is applied, but that doesn't mean it isn't also set somewhere else.  I tried on a test domain and disabled the password age and history related settings and still get the same error....

Edit:  I had disabled mine, the values were still in place.  As you noticed, setting those to 0 is th

April 11th, 2014 6:22pm

This topic is archived. No further replies will be accepted.
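
Added example, not part of the original thread: a PowerShell check for the cause identified in the marked answer, a minimum password age still in force when a change with -OldPassword (rather than a -Reset) is attempted. Test-PasswordChangeBlocked and Get-ChangeBlockersFromAD are hypothetical helper names, and the sample policy values are constructed.

```powershell
# Added example. Test-PasswordChangeBlocked and Get-ChangeBlockersFromAD are
# hypothetical helper names, not cmdlets from the ActiveDirectory module.
function Test-PasswordChangeBlocked {
    param(
        [Parameter(Mandatory)] $Policy,            # needs MinPasswordAge, MinPasswordLength
        [Parameter(Mandatory)] [datetime] $PasswordLastSet,
        [Parameter(Mandatory)] [int] $NewPasswordLength,
        [datetime] $Now = (Get-Date)
    )
    $reasons = @()
    $age = $Now - $PasswordLastSet
    # Minimum age applies to a change (-OldPassword), not to an admin -Reset.
    if ($Policy.MinPasswordAge -gt [timespan]::Zero -and $age -lt $Policy.MinPasswordAge) {
        $hours = [math]::Ceiling(($Policy.MinPasswordAge - $age).TotalHours)
        $reasons += "Minimum password age not reached; change possible in about $hours h"
    }
    if ($NewPasswordLength -lt $Policy.MinPasswordLength) {
        $reasons += "New password is shorter than MinPasswordLength $($Policy.MinPasswordLength)"
    }
    [pscustomobject]@{ Blocked = ($reasons.Count -gt 0); Reasons = $reasons }
}

# Reads the values the domain actually enforces (requires the ActiveDirectory module).
function Get-ChangeBlockersFromAD {
    param([Parameter(Mandatory)] [string] $Identity, [int] $NewPasswordLength = 13)
    $user = Get-ADUser -Identity $Identity -Properties PasswordLastSet
    if (-not $user.PasswordLastSet) { return "PasswordLastSet is empty for $Identity" }
    # A fine-grained password policy, if one applies, overrides the domain default.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $user
    if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }
    Test-PasswordChangeBlocked -Policy $policy -PasswordLastSet $user.PasswordLastSet `
        -NewPasswordLength $NewPasswordLength
}

# Constructed sample: account created 5 minutes ago, 1-day minimum password age.
$samplePolicy = [pscustomobject]@{
    MinPasswordAge    = [timespan]::FromDays(1)
    MinPasswordLength = 0
}
$result = Test-PasswordChangeBlocked -Policy $samplePolicy `
    -PasswordLastSet (Get-Date).AddMinutes(-5) -NewPasswordLength 13
$result.Reasons
```

On a domain-joined machine, Get-ChangeBlockersFromAD -Identity testuser48 runs the same check against the policy values the domain reports rather than what a GPO editor shows.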
