I am in the process of deploying a AD domain based on Windows 2008 R2. All of our clients are Windows 7. In our default domain policy we've enabled password complexity. While we as Admins can set initial passwords for the users that meet complexity requirements,
we find that when users attempt to change theirs to passwords that do meet the requirements, the password is rejected. For example, if I attempt to change my password to L11soXtC it is rejected. This password meets 3 of the 5 classifications and does not have
3 or more consecutive characters from my current password (the first one I've had in the domain.)
Oddly enough some user's password changes are being accepted, but we can't really ask them what they are.
Interestingly enough, we then changed the domain policy to disable complexity requirements, pushed the new policy to a client, and still cannot change the domain password to the one above! So now I am a total loss to explain whether this is occurring at
the client level (whether it's Win 7 or 2008 R2 server) or the DC level, but I do know the DCs are not logging anything regarding these password change failures.
Anyone have any ideas on how to go about troubleshooting this? I've supported the use of complexity in 2003 R2 domains with XP and some Win 7 clients at another company and never run into issues.

There is an amazing pack of free network admin tools. click here to download it

On Fri, 16 Mar 2012 18:08:00 +0000, B G R wrote:

?Interestingly enough, we then changed the domain policy to disable complexity requirements, pushed the new policy to a client, and still cannot change the domain password to the one above! So now I am a total loss to explain whether this is?occurring?at
the client level (whether it's Win 7 or 2008 R2 server) or the DC level, but I do know the DCs are not logging anything regarding these password change failures.

I'm assuming you did this through Group Policy. Did you Disable or set it
to Not Configured? A common mistake is doing the latter which won't work
as that means "I"m not going to be bothered checking to see what the
current setting is (in your case it is enabled) and I'll leave whatever the
current setting on the client the way it is. To turn it off completely, you
need to set it to Disabled. Once you're sure that the policy has been
applied you can then set it to Not configured if you like.

Paul Adare
MVP - Forefront Identity Manager

http://www.identit.ca

This fortune soaks up 47 times its own weight in excess memory.

Need to support users over the internet? click here try our remote control online beta

It was enabled, but here's an update. Turns out the "minimum password age" was causing the issue. We had this set to 30 days and assumed that if Admins changed the password the user could change it again (without having to set "user must change password
on next logon.") It seems that the minimum password age is still enforced in this case. Do we have to enable "user must change password" to permit them to change the password after we've changed it using AD tools?

There is an amazing pack of free network admin tools. click here to download it

Enabled? Or disabled?Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

Need to support users over the internet? click here try our remote control online beta

Hi,
Thank you for the post.
Yes, you need to checked the "user must change password at next logon" to permit them to change the password. The policy force a user to change their password at next logon.

http://msdn.microsoft.com/en-us/library/windows/desktop/aa746510(v=vs.85).aspx

If there are more inquiries on this issue, please feel free to let us know.
RegardsRick Tan
TechNet Community Support

Need to support users over the internet? click here try our remote control online beta