I've seen this issue come up, but no answers seem to be applicable. When a user tries to change their password using control-alt-delete -> change password, they're getting an "Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain." We've even tried extremely long complex strings as tests, which also generate the error message.

In AD U&C, I can force the account password to be changed on next logon, which works successfully.

The applicable security setting is applied at the domain level in the Default Domain Policy GPO. When I run a gpupdate /force and then view the RSOP on one of the workstations, I can see the settings below (which are consistent with the GPO):

  • Enforce Password History: 2 passwords remembered
  • Maximum Age: 120 days
  • Minimum password age: 0 days (this is enabled and set to 0 days in the GPO)
  • Minimum Length: 6 characters
  • Password must meet complexity requirements: disabled
  • Store passwords using reversible encryption: disabled

I've run a dcdiag against our DCs. They pass all tests. Any suggestions on why this problem might be occurring, or how to remedy it?

  • After running RSOP on the DC, all settings were listed as "Not defined". If I run "net accounts" on the DC, I can see that it has a minimum password age of 30 days. I've checked both GPOs that apply to the domain controllers (Default Domain Policy and Default Domain Controller Policy). Both policies are set to have a minimal age of 0 days. I did a gpupdate /force on the DC, and ran net accounts, and it is still displaying a 30-day minimum age. – newevox Aug 20 '13 at 14:52

3 Answers


It appears that your default domain policy is enforcing minimum password complexity - you will probably need to edit Group Policy if you want to change this behaviour.

From Microsoft:

"Password must meet complexity requirements

This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. By default, the value for this policy setting in Windows Server 2008 is configured to Disabled, but it is set to Enabled in a Windows Server 2008 domain for both environments described in this guide.

When this policy setting is enabled, users must create strong passwords to meet the following minimum requirements:

Passwords cannot contain the user's account name or parts of the user's full name that exceed two consecutive characters.

Passwords must be at least six characters in length.

Passwords must contain characters from three of the following four categories:

English uppercase characters (A through Z).

English lowercase characters (a through z).

Non-alphabetic characters (for example, !, $, #, %).

Each additional character in a password increases its complexity exponentially.

For instance, a seven-character, all lower-case alphabetic password would have 26^7 (approximately 8 x 10^9 or 8 billion) possible combinations.

At 1,000,000 attempts per second (a capability of many password-cracking utilities), it would only take 133 minutes to crack such a password.

A seven-character alphabetic password with case sensitivity has 52^7 combinations.

A seven-character case-sensitive alphanumeric password without punctuation has 62^7 combinations.

An eight-character password has 26^8 (or 2 x 10^11) possible combinations. Although this might seem to be a large number, at 1,000,000 attempts per second it would take only 59 hours to try all possible passwords.

Remember, these times will significantly increase for passwords that use ALT characters and other special keyboard characters such as "!" or "@".

Proper use of the password settings helps to prevent the success of a brute force attack."

Source: http://technet.microsoft.com/en-us/library/cc264456.aspx

Austin ''Danger'' Powers

I see you have run the RSOP on the workstation. This will affect local accounts, but if the password being changed is a domain account it will be validated against the RSOP on the domain controller processing the password change if I recall.

Additionally, it is possible to write third-party plugins which validate password complexity using the Windows API. Hitachi ID Systems publishes one such component (which queries a remote server to check whether the password meets the rules set out there); when such a plugin rejects the password it looks identical to what happens when the Windows built-in 3-of-4 complexity rule rejects it. You should investigate as to whether you have such things in your environment (they would be installed on the DCs) and if they are, either determine what is wrong with them, or get rid of them.

That said, since forcing a password change fixes the problem, it's probable that the issue is that a minimum age rule is getting applied. Check the RSOP on the DC for this.

Falcon Momot

Confirm that no fine-grained password policy is created or applied for that particular user account (if the functional level is 2008 or later). Check the msDS-resultantPSO attribute for the user; it contains the applied fine-grained password policy for the corresponding user. msDS-resultantPSO is a constructed attribute. If the attribute is not available, the default domain policy is applied.

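One way to run the checks suggested in the answers above (the resultant PSO for the user, and the minimum-age rule as a domain controller sees it) in a single pass. This is an added example, not code from any of the answers; it assumes the RSAT ActiveDirectory module is installed, and the function name `Get-EffectivePasswordPolicy` and the account `jdoe` are placeholders.

```powershell
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicy {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        # Assumption: query the PDC emulator by default; pass any DC name to compare.
        [string] $Server = (Get-ADDomain).PDCEmulator
    )

    $user = Get-ADUser -Identity $Identity -Server $Server `
                -Properties 'msDS-ResultantPSO', PasswordLastSet

    # A fine-grained policy (PSO), when one applies, wins over the domain policy.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user -Server $Server
    if ($pso) {
        $policy = $pso
        $source = "PSO: $($pso.Name)"
    } else {
        # This is the policy stored in the directory, which is what the DC
        # enforces for domain accounts (not the workstation's RSOP).
        $policy = Get-ADDefaultDomainPasswordPolicy -Server $Server
        $source = 'Default domain password policy'
    }

    # PasswordLastSet is $null when "must change password at next logon" is set,
    # in which case there is no minimum-age window to wait out.
    $earliest = $null
    if ($user.PasswordLastSet) {
        $earliest = $user.PasswordLastSet + $policy.MinPasswordAge
    }

    [pscustomobject]@{
        User                 = $user.SamAccountName
        QueriedServer        = $Server
        PolicySource         = $source
        ResultantPSO         = $user.'msDS-ResultantPSO'
        MinPasswordAge       = $policy.MinPasswordAge
        MinPasswordLength    = $policy.MinPasswordLength
        PasswordHistoryCount = $policy.PasswordHistoryCount
        ComplexityEnabled    = $policy.ComplexityEnabled
        PasswordLastSet      = $user.PasswordLastSet
        EarliestChange       = $earliest
        BlockedByMinAge      = [bool]($earliest -and $earliest -gt (Get-Date))
    }
}

Get-EffectivePasswordPolicy -Identity 'jdoe'
```

If `MinPasswordAge` comes back non-zero while the GPO shows 0 days, the value the DC enforces differs from what the workstation RSOP displays, which matches the `net accounts` output reported in the comment on the question.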