Cannot Reset Passwords by Using the Active Directory Users and Computers Snap-in (282171)

SYMPTOMS

When you reset passwords on an account by using the Active Directory Users and Computers snap-in, you may receive the following error message

Windows can not complete the password change for Userx because:
The password does not meet the password policy requirements. Check the minimum password length, password complexity, and password history requirements.

CAUSE

This behavior can occur if one of the following conditions are true:

Your password is too short according to the password length policy.
Your password does not contain a capital letter and a number.
The password you have chosen has been used more than the number of times the password history requirement specifies.
The domain security password policy is too restrictive for the password that you are trying to reset.
The policy is unavailable, and it has not been applied to the domain controller that is being used to reset the password.
The password policy was applied but it was not defined.

RESOLUTION

To resolve this issue, follow these steps to determine which of the password policy requirements have not been met:

Start the Local Security Policy snap-in and view the effective settings.
If the effective settings are different from your desired setting, check the default domain policy for the domain.

NOTE: The steps to check the default domain policy are included later in this article.
If the effective setting is set to not-defined, then you must check the domain policy setting. Ensure that the policy has not been enabled before you set it to not-defined.
If the default domain policy is set correctly, but the effective settings do not reflect those changes, refresh the policy on the domain controller.

NOTE: The steps to refresh the policy on the domain controller are included later in this article.

Account policies that are included in the security policies for domain accounts can only be applied at the domain level. When you assign security policies at any other level, the policies are not applied.

MORE INFORMATION

To verify the domain security settings password, follow these steps:

Start the Active Directory Users and Computers snap-in.
Right-click the name of the domain, and then click Properties.
Click the Group Policy tab, click Default Domain Policy, and then click Edit. The Group Policy Editor starts.

NOTE: Security policies can only be applied at the domain level.
Double-click Computer Configuration, click Windows Settings, click Account Policies, and then click Password Policy.
Check the following settings: Minimum Password Length, Password History, and Password Complexity. Double-click each policy to view and edit each setting.
Click OK.
Quit the Group Policy Editor and the Active Directory Users and Computers snap-in.

Updating the Policy Setting

To update the policy setting, follow these steps to refresh the computer policy on a domain controller:

Start a command prompt on the domain controller.
Type secedit/refreshpolicy machine_policy /enforce.
The following message is displayed:
Group policy propagation from the domain has been initiated for this computer. It may take a few minutes for the propagation to complete and the new policy to take effect. Please check Application Log for errors, if any.

NOTE:It may be undesirable to modify the default domain policy. As an alternative way to accomplish this, create a new group policy object at the domain level and call it Password Restrictions(for example). Set the desired Password limitations in that policy. Then be sure to set the new policy to "No Override" so that the default domain policy does not override it.