Forum Search:
Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Home » Microsoft » Windows Server » Active Directory » Change password message does not match PSO
Change password message does not match PSO [message #361639] Thu, 07 January 2010 03:28 Go to next message
Michel Timmerman  is currently offline Michel Timmerman
Messages: 3
Registered: January 2010
Junior Member
Hello all,

I have created a PSO in ADSI edit for fine grained password policies in
Windows Server 2008. The settings in this password policy include: complexity
yes, min password length 8, password history length 12, min password age 1
day, max password age 90 days and a few more that were required when I
created the policy. I applied this policy to a group in AD and placed one
user in this group.

When I logon with the user and try to change my password to something that
does not comply with this policy I get the message:"Your password must be at
least 7 characters, cannot repeat any of 4 previous passwords and must be at
least 0 days old".

When I change the password to something that matches my policy it is
accepted, so the policy works, but the Change password message the user sees
does not match the policy. This could be very confusing for users when it
goes live.

The client used is Windows XP SP3 (x86) with all updates installed. The user
is a regular domain user like any other in our domain. I've also tried it
with another user and I received the same incorrect message.

Has anyone seen this before or knows a solution to the wrong message?

Thanks, Michel
Re: Change password message does not match PSO [message #361663 is a reply to message #361639] Thu, 07 January 2010 04:15 Go to previous messageGo to next message
meiweb  is currently offline meiweb  Germany
Messages: 2225
Registered: September 2009
Senior Member
Hello Michel,

This is a known problem unfortunal with no solution until now, see "Password
complexity errors on Windows XP® client computers" in:
http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hello all,
>
> I have created a PSO in ADSI edit for fine grained password policies
> in Windows Server 2008. The settings in this password policy include:
> complexity yes, min password length 8, password history length 12, min
> password age 1 day, max password age 90 days and a few more that were
> required when I created the policy. I applied this policy to a group
> in AD and placed one user in this group.
>
> When I logon with the user and try to change my password to something
> that does not comply with this policy I get the message:"Your password
> must be at least 7 characters, cannot repeat any of 4 previous
> passwords and must be at least 0 days old".
>
> When I change the password to something that matches my policy it is
> accepted, so the policy works, but the Change password message the
> user sees does not match the policy. This could be very confusing for
> users when it goes live.
>
> The client used is Windows XP SP3 (x86) with all updates installed.
> The user is a regular domain user like any other in our domain. I've
> also tried it with another user and I received the same incorrect
> message.
>
> Has anyone seen this before or knows a solution to the wrong message?
>
> Thanks, Michel
>
Re: Change password message does not match PSO [message #361711 is a reply to message #361663] Thu, 07 January 2010 05:50 Go to previous messageGo to next message
Michel Timmerman  is currently offline Michel Timmerman
Messages: 3
Registered: January 2010
Junior Member
Hello Meinolf,

I've read that article about the complexity message too, I did not get the
exact same message, so that's why I asked anyway.
But thanks for the quick response, do you know if this will be fixed in the
future or should I start convincing my manager to upgrade the clients to
Windows 7? :-)

Thanks, Michel

"Meinolf Weber [MVP-DS]" wrote:

> Hello Michel,
>
> This is a known problem unfortunal with no solution until now, see "Password
> complexity errors on Windows XP® client computers" in:
> http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > Hello all,
> >
> > I have created a PSO in ADSI edit for fine grained password policies
> > in Windows Server 2008. The settings in this password policy include:
> > complexity yes, min password length 8, password history length 12, min
> > password age 1 day, max password age 90 days and a few more that were
> > required when I created the policy. I applied this policy to a group
> > in AD and placed one user in this group.
> >
> > When I logon with the user and try to change my password to something
> > that does not comply with this policy I get the message:"Your password
> > must be at least 7 characters, cannot repeat any of 4 previous
> > passwords and must be at least 0 days old".
> >
> > When I change the password to something that matches my policy it is
> > accepted, so the policy works, but the Change password message the
> > user sees does not match the policy. This could be very confusing for
> > users when it goes live.
> >
> > The client used is Windows XP SP3 (x86) with all updates installed.
> > The user is a regular domain user like any other in our domain. I've
> > also tried it with another user and I received the same incorrect
> > message.
> >
> > Has anyone seen this before or knows a solution to the wrong message?
> >
> > Thanks, Michel
> >
>
>
> .
>
Re: Change password message does not match PSO [message #361718 is a reply to message #361711] Thu, 07 January 2010 06:01 Go to previous messageGo to next message
meiweb  is currently offline meiweb  Germany
Messages: 2225
Registered: September 2009
Senior Member
Hello Michel,

The message there is just an example. I didn't hear about a fix until now,
will try to find an answer about. I think your manager will not upgrade the
machines just because of an error message. Make sure your helpdesk people
and the company members now the password requirements.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hello Meinolf,
>
> I've read that article about the complexity message too, I did not get
> the
> exact same message, so that's why I asked anyway.
> But thanks for the quick response, do you know if this will be fixed
> in the
> future or should I start convincing my manager to upgrade the clients
> to
> Windows 7? :-)
> Thanks, Michel
>
> "Meinolf Weber [MVP-DS]" wrote:
>
>> Hello Michel,
>>
>> This is a known problem unfortunal with no solution until now, see
>> "Password complexity errors on Windows XP® client computers" in:
>> http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> Hello all,
>>>
>>> I have created a PSO in ADSI edit for fine grained password policies
>>> in Windows Server 2008. The settings in this password policy
>>> include: complexity yes, min password length 8, password history
>>> length 12, min password age 1 day, max password age 90 days and a
>>> few more that were required when I created the policy. I applied
>>> this policy to a group in AD and placed one user in this group.
>>>
>>> When I logon with the user and try to change my password to
>>> something that does not comply with this policy I get the
>>> message:"Your password must be at least 7 characters, cannot repeat
>>> any of 4 previous passwords and must be at least 0 days old".
>>>
>>> When I change the password to something that matches my policy it is
>>> accepted, so the policy works, but the Change password message the
>>> user sees does not match the policy. This could be very confusing
>>> for users when it goes live.
>>>
>>> The client used is Windows XP SP3 (x86) with all updates installed.
>>> The user is a regular domain user like any other in our domain. I've
>>> also tried it with another user and I received the same incorrect
>>> message.
>>>
>>> Has anyone seen this before or knows a solution to the wrong
>>> message?
>>>
>>> Thanks, Michel
>>>
>> .
>>
Re: Change password message does not match PSO [message #361719 is a reply to message #361711] Thu, 07 January 2010 06:04 Go to previous messageGo to next message
Michel Timmerman  is currently offline Michel Timmerman
Messages: 3
Registered: January 2010
Junior Member
I have another idea.

The problem I was facing before is that we want a seperate password policy
for Users/Administrators/Service Accounts. So fine grained password policies
seemed like a good solution.

I know the new PSO's take precedence over a password policy defined in Group
Policy. So here's my thought: I make PSO's for Administrator and Service
Accounts and apply them to their respective groups.

Then I define another password policy in Group Policy that covers the rest
of the domain. That way I can still have seperate password policies and I
believe the Change password message for users will reflect the policy defined
in Group Policy.

So this way regular users will get the correct error message when their new
password does not comply with the policy. Am I right about all this?

Thanks again, Michel

"Michel Timmerman" wrote:

> Hello Meinolf,
>
> I've read that article about the complexity message too, I did not get the
> exact same message, so that's why I asked anyway.
> But thanks for the quick response, do you know if this will be fixed in the
> future or should I start convincing my manager to upgrade the clients to
> Windows 7? :-)
>
> Thanks, Michel
>
> "Meinolf Weber [MVP-DS]" wrote:
>
> > Hello Michel,
> >
> > This is a known problem unfortunal with no solution until now, see "Password
> > complexity errors on Windows XP® client computers" in:
> > http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx
> >
> > Best regards
> >
> > Meinolf Weber
> > Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> > no rights.
> > ** Please do NOT email, only reply to Newsgroups
> > ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> >
> >
> > > Hello all,
> > >
> > > I have created a PSO in ADSI edit for fine grained password policies
> > > in Windows Server 2008. The settings in this password policy include:
> > > complexity yes, min password length 8, password history length 12, min
> > > password age 1 day, max password age 90 days and a few more that were
> > > required when I created the policy. I applied this policy to a group
> > > in AD and placed one user in this group.
> > >
> > > When I logon with the user and try to change my password to something
> > > that does not comply with this policy I get the message:"Your password
> > > must be at least 7 characters, cannot repeat any of 4 previous
> > > passwords and must be at least 0 days old".
> > >
> > > When I change the password to something that matches my policy it is
> > > accepted, so the policy works, but the Change password message the
> > > user sees does not match the policy. This could be very confusing for
> > > users when it goes live.
> > >
> > > The client used is Windows XP SP3 (x86) with all updates installed.
> > > The user is a regular domain user like any other in our domain. I've
> > > also tried it with another user and I received the same incorrect
> > > message.
> > >
> > > Has anyone seen this before or knows a solution to the wrong message?
> > >
> > > Thanks, Michel
> > >
> >
> >
> > .
> >
Re: Change password message does not match PSO [message #361728 is a reply to message #361719] Thu, 07 January 2010 06:13 Go to previous message
meiweb  is currently offline meiweb  Germany
Messages: 2225
Registered: September 2009
Senior Member
Hello Michel,

The basic Password policy must be defined on domain level in a GPO, on OUs
you can only use the FGPP as you already do it. So if you configure the FGPP
only for the admin/service accounts it should work for the "normal" user
accounts with the correct message.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> I have another idea.
>
> The problem I was facing before is that we want a seperate password
> policy for Users/Administrators/Service Accounts. So fine grained
> password policies seemed like a good solution.
>
> I know the new PSO's take precedence over a password policy defined in
> Group Policy. So here's my thought: I make PSO's for Administrator and
> Service Accounts and apply them to their respective groups.
>
> Then I define another password policy in Group Policy that covers the
> rest of the domain. That way I can still have seperate password
> policies and I believe the Change password message for users will
> reflect the policy defined in Group Policy.
>
> So this way regular users will get the correct error message when
> their new password does not comply with the policy. Am I right about
> all this?
>
> Thanks again, Michel
>
> "Michel Timmerman" wrote:
>
>> Hello Meinolf,
>>
>> I've read that article about the complexity message too, I did not
>> get the
>> exact same message, so that's why I asked anyway.
>> But thanks for the quick response, do you know if this will be fixed
>> in the
>> future or should I start convincing my manager to upgrade the clients
>> to
>> Windows 7? :-)
>> Thanks, Michel
>>
>> "Meinolf Weber [MVP-DS]" wrote:
>>
>>> Hello Michel,
>>>
>>> This is a known problem unfortunal with no solution until now, see
>>> "Password complexity errors on Windows XP® client computers" in:
>>> http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx
>>>
>>> Best regards
>>>
>>> Meinolf Weber
>>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>>> confers
>>> no rights.
>>> ** Please do NOT email, only reply to Newsgroups
>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>> Hello all,
>>>>
>>>> I have created a PSO in ADSI edit for fine grained password
>>>> policies in Windows Server 2008. The settings in this password
>>>> policy include: complexity yes, min password length 8, password
>>>> history length 12, min password age 1 day, max password age 90 days
>>>> and a few more that were required when I created the policy. I
>>>> applied this policy to a group in AD and placed one user in this
>>>> group.
>>>>
>>>> When I logon with the user and try to change my password to
>>>> something that does not comply with this policy I get the
>>>> message:"Your password must be at least 7 characters, cannot repeat
>>>> any of 4 previous passwords and must be at least 0 days old".
>>>>
>>>> When I change the password to something that matches my policy it
>>>> is accepted, so the policy works, but the Change password message
>>>> the user sees does not match the policy. This could be very
>>>> confusing for users when it goes live.
>>>>
>>>> The client used is Windows XP SP3 (x86) with all updates installed.
>>>> The user is a regular domain user like any other in our domain.
>>>> I've also tried it with another user and I received the same
>>>> incorrect message.
>>>>
>>>> Has anyone seen this before or knows a solution to the wrong
>>>> message?
>>>>
>>>> Thanks, Michel
>>>>
>>> .
>>>
Previous Topic:Would you stop for a moment?!
Next Topic:c:\$Extend\$UsnJrnl:$J:$DATA
Goto Forum:
  


Current Time: Thu Jan 18 20:45:35 MST 2018

Total time taken to generate the page: 0.03074 seconds
.:: Contact :: Home ::Sitemap::.

Powered by: FUDforum 3.0.0RC2.
Copyright ©2001-2009 FUDforum Bulletin Board Software