I have three DCs in my domain in a single site. I had implemented a Group Policy in the domain for Account Policies in Default Domain Policy | Windows Settings | Security Settings | Account Policies | Password Policy for the following:
Enforce password history - 8
Maximum password age - 42
Minimum password age - 30
Minimum password length - 6
Passwords must meet complexity requirements - Enabled
Store password using reversible encryption for all users in the domain - Enabled
However, for some reason I have to revert my password policy. I really need this since one of my users needs a recent five-lettered password. Whenever I attempt to change the password, an error (shown below) is displayed:
"Windows cannot complete the password change for userX because: The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements."
The current configuration settings of all three security policies (Domain Security Policy, Domain Controller Security Policy and Local Security Policy) are as follows:
Enforce password history - not defined
Maximum password age - not defined
Minimum password age - not defined
Minimum password length - not defined
Passwords must meet complexity requirements - not defined
Store password using reversible encryption for all users in the domain - not defined
I have also tried disabling the policy but I have been unsuccessful. Please help me revert the policy to the initial group policy that was without any restrictions.
The only Group Policy Object that can affect the Account Policy settings is the Default Domain Policy. The system ignores Account Policy settings made anywhere else. The local settings you see in the specialized consoles in the Administrative Tools menu are overridden by the Default Domain GPO.
So, the first thing to do is change the Default Domain GPO policy settings for the Account Policies to the settings you want and run "secedit /refreshpolicy machine_policy". Then shut down and restart the client's machine and see if he is now able to change his password to the five-character password.
If he cannot, make sure that he is connected to the network. If he logs on with cached credentials, then your policy change will not be seen.
This was first published in July 2001
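One way to confirm which Account Policy values each domain controller actually holds after the change described in the answer, as an added example that is not part of the original question or answer. It assumes the ActiveDirectory PowerShell module (RSAT), which postdates the systems this page was written for; `$CandidateLength` is a hypothetical value standing in for the five-character password from the question.

```powershell
# Added example: needs the ActiveDirectory module (RSAT) and domain read access.
Import-Module ActiveDirectory

# Hypothetical input: length of the password the user is trying to set.
$CandidateLength = 5

# Ask every DC for the domain password policy it currently holds.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $p = Get-ADDefaultDomainPasswordPolicy -Server $dc.HostName -ErrorAction Stop
        [pscustomobject]@{
            DC            = $dc.HostName
            MinLength     = $p.MinPasswordLength
            History       = $p.PasswordHistoryCount
            MinAgeDays    = $p.MinPasswordAge.Days
            MaxAgeDays    = $p.MaxPasswordAge.Days
            Complexity    = $p.ComplexityEnabled
            ReversibleEnc = $p.ReversibleEncryptionEnabled
            LengthOK      = ($CandidateLength -ge $p.MinPasswordLength)
            Error         = $null
        }
    } catch {
        # A DC that cannot be queried is reported, not silently skipped.
        [pscustomobject]@{
            DC = $dc.HostName; MinLength = $null; History = $null
            MinAgeDays = $null; MaxAgeDays = $null; Complexity = $null
            ReversibleEnc = $null; LengthOK = $null
            Error = $_.Exception.Message
        }
    }
}

$report | Format-Table -AutoSize

# More than one distinct value set means the change has not replicated everywhere.
$ok = @($report | Where-Object { -not $_.Error })
$sets = @($ok | Group-Object MinLength, History, MinAgeDays, MaxAgeDays, Complexity, ReversibleEnc)
if ($sets.Count -gt 1) {
    Write-Warning "Domain controllers disagree on the password policy; check replication."
}

# Reversible encryption stores passwords in a recoverable form; flag any DC still reporting it.
$ok | Where-Object { $_.ReversibleEnc } | ForEach-Object {
    Write-Warning "$($_.DC): reversible encryption is still enabled."
}
```

A `LengthOK` value of `False`, or a non-zero `History` or `MinAgeDays`, on any row points to the setting that is still rejecting the password change.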