"The Password Cannot Be Changed at This Time" Error Message When You Try to Change a User's Password (273004)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server

This article was previously published under Q273004

SYMPTOMS

When you try to change a user's password, you may receive the following error message:
The password cannot be changed at this time.
This error can occur when the user is logged on to a client or to the server's console.

When you reset passwords on an account by using the Active Directory Users and Computers snap-in, you may receive the following error message:
Windows can not complete the password change for user name because:
The password does not meet the password policy requirements. Check the minimum password length, password complexity, and password history requirements.

CAUSE

This behavior may occur if the Group Policy object for the user's organizational unit has the Minimum Password Age setting configured as Not Defined. The Default Domain Group Policy object is the default configuration container for users.

RESOLUTION

To resolve this behavior, configure the Minimum Password Age policy setting to 0 days. To do this, define the policy setting, and then configure it. The policy settings should be configured in the Default Domain Group Policy object for users.

To configure the policy setting, follow these steps:
  1. Open the Active Directory Users and Computers management console.
  2. Right-click the name of the domain, and then click Properties.

    Note If users are configured to a specific organizational unit, select the organizational unit where the users reside.
  3. Click the Group Policy tab, click Default Domain Policy, and then click Edit. The Group Policy Editor opens.
  4. Expand Computer Configuration, click Windows Settings, click Account Policies, and then click Password Policy.
  5. Right-click Minimum Password Age, and then click Security.
  6. Click to select the Define this policy setting check box, and then set the counter to 0 days.

    Note 0 days is the default policy setting in Default Domain Policy.
  7. After you set the Minimum Password Age setting, the Suggested Value Changes dialog box appears. It indicates that the Maximum Password Age setting will be changed to 30 days.

    If you do not change this value, every user who has a password that is 30 days and older receives an error message when they log on that states that their password has expired and that it has to be changed. To set a higher value, click the Maximum Password Age policy that is above the Minimum Password Age policy after the Minimum Password Age setting is applied, and then increase or reduce this setting according to your preferences.

    Note You cannot set the Maximum Password Age setting to 0. If you do, this setting will disable the Minimum Password Age policy.
  8. Click OK to close the Security Policy setting.
  9. Close Group Policy Editor and the Active Directory Users and Computers management console.
To update the policy setting, open a command prompt at the domain controller, and then run the following command:

secedit /refreshpolicy machine_policy /enforce

You may have to restart the domain controller for this policy to be updated.
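
After the refresh, one way to confirm that the setting is now defined is to check the policy's security template text. The following is an added example, not part of the original article or of any Microsoft tool. It assumes that the template is an INF file such as the GPO's GptTmpl.inf or a secedit export, that the setting is stored as MinimumPasswordAge in the [System Access] section, and that a setting left as Not Defined is simply absent from that section. The function names and sample templates are constructed for illustration.

```python
import codecs

def decode_template(raw: bytes) -> str:
    """Templates are usually UTF-16 with a BOM; otherwise treat as ANSI/UTF-8."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def system_access(text: str) -> dict:
    """Return lower-cased key -> value for the [System Access] section only."""
    settings, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # blank line or INF comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "system access"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip().lower()] = value.strip()
    return settings

def check_min_password_age(raw: bytes) -> tuple:
    """Return (status, detail); status is 'ok', 'not-defined' or 'review'."""
    value = system_access(decode_template(raw)).get("minimumpasswordage")
    if value is None:
        # Assumption: Not Defined means the key is absent from the template.
        return ("not-defined", "MinimumPasswordAge is missing from [System Access]")
    if not value.isdigit():
        return ("review", f"MinimumPasswordAge is not a day count: {value!r}")
    if int(value) == 0:
        return ("ok", "MinimumPasswordAge is defined as 0 days")
    return ("review", f"MinimumPasswordAge is defined as {value} days, not 0")

# Constructed sample templates (not taken from a real domain).
NOT_DEFINED = ("[Unicode]\r\nUnicode=yes\r\n[System Access]\r\n"
               "MaximumPasswordAge = 42\r\nMinimumPasswordLength = 7\r\n"
               "[Version]\r\nRevision=1\r\n").encode("utf-16")
DEFINED_ZERO = (b"; constructed ANSI sample\r\n[System Access]\r\n"
                b"MinimumPasswordAge = 0\r\nMaximumPasswordAge = 42\r\n")

if __name__ == "__main__":
    for name, raw in (("NOT_DEFINED", NOT_DEFINED), ("DEFINED_ZERO", DEFINED_ZERO)):
        print(name, *check_min_password_age(raw))
```

A "not-defined" result corresponds to the condition described under CAUSE. A "review" result means the setting is defined, but not to the 0 days that the RESOLUTION section configures.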

MORE INFORMATION

If no Minimum Password Age setting is wanted, administrators may mistakenly configure this policy setting to "Not Defined". If this policy setting is not defined in Default Domain Policy, password changes cannot occur.

You can obtain more information about Group Policy for Microsoft Windows 2000 from the following locations:

Modification Type: Major
Last Reviewed: 3/17/2006
Keywords: kbenv kberrmsg kbnetwork kbprb KB273004