Re: GPO stumper - Complexity Req error on pwd change...

Hi,

The hotfix you are mentioning above will not solve the problem you are
having here.
The issue here is that you have the policy set with a minimum password
age of 30 days meaning that of coarse the password cannot be changed
until then.
The 3 out of the 4 character groups only works for the following
English uppercase characters (A through Z);
English lowercase characters (a through z);
Numerals (0 through 9);
Non-alphabetic characters (such as !, $, #, %)

The amount of characters HAS to be met
The password history HAS to be met meaning cannot use previous
passwords
The minimum and maximum password age HAS to be met
And you cannot use your name

This hotfix only fixes the message the enduser receives when they fail
to meet the requirements within the policy.

Pre hotfix
Your password must be at least x characters; cannot repeat any of your
previous x passwords; must contain capitals, numerals or punctuation;
and cannot contain your account or full name. Please type a different
password. Type a password which meets these requirements in both text
boxes

Post hotfix
The password supplied does not meet the minimum complexity
requirements. Please select another password that meets all of the
following criteria:
is at least x characters;
has not been used in the previous x passwords;
does not contain your account or full name;
contains at least three of the following four character groups:

English uppercase characters (A through Z);
English lowercase characters (a through z);
Numerals (0 through 9);
Non-alphabetic characters (such as !, $, #, %)

Like Neo mentioned you should not disable the policy as then you will
not have a policy at all and most likely tattoo the registry.
What you should do is lower the minimum password age to something close
to the two weeks you have mentioned. After all the clients receive the
settings, they will be able to reset their passwords.
Or wait the 30 days.

The hotfix is still a good idea as it gives the enduser a more clear
message.

Good luck

Harj Singh
Power Your Active Directory Investment
www.specopssoft.com


neo [mvp outlook] wrote:
I wouldn't disable the GP. Can you change the "Minimum password age" in the
GPO to something less than 14 days?
(This is found at Computer Configuration > Windows Settings > Security
Settings > Account Policies > Password Policy.)

/neo

"Angela" <Angela@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:BF3ACFE1-7212-4F61-9149-9D8B66B1AD6E@xxxxxxxxxxxxxxxx
Scenario is, Complexity GPO is in effect. I sent an email out to everyone
in
my organization that I wanted them to change their password, and they did.
One of the big wigs came in two weeks later and mandated another password
change becuase of a seminar he attended. Another email went out and people
are attempting to change their pwds again but all are getting the error
which
I cant seem to find resolution to: "The password supplied does not meet
the
minimum complexity requirements. Please select another password that meets
all of the following criteria; is at least 8 characters; has not been used
in
the previous 5 passwords; must not have been changed within the last 30
days;
does not contain your account or full name; contain at least three of the
following four character groups: English uppercase characters (A through
Z);
Enlish lowercase characters (a through z); Numerals (0 through 9);
Non-alphabetic characters (such as !, $, #, %). Type a password that meets
these requirements in both text boxes."

I don't want to disable the GP but still want people to be able to change
their passwords, how can I do this? (btw, I'm possitive the passwords they
were trying to use/change to fell within the requirements. The "...within
the
last 30 days" was the only requirement NOT met - which makes me suspect
the
GP) - I wonder if http://support.microsoft.com/?kbid=821425 is the fix??

Thanks in advance...

.

Relevant Pages
Quantcast