FGPP not allowing me to reset my password

dmf10e 1 Reputation point

I have an environment that is running Server 2016. I set up a FGPP with a minimum password age of 1 day, but it's not allowing users to change the password. I get the "does not meet requirements" message. I have narrowed the issue down to minimum password age. When I add the user ID (as part of a security group) to the FGPP, it seems like it's resetting the "last changed password" date/time counter to 1 day from the time I add it to the policy. When I wait 24 hours from that time, it allows me to reset, but not before. If I do not enforce a minimum password age, I can change the password, naturally.
To skip some going back and forth here are answers to the questions you will ask me next:

  1. Password was last reset 1 month ago.
  2. "User cannot change password" is unchecked.
  3. I can't force a reset on next logon because it breaks VPN.
  4. This is also the one and only policy that is set, so there isn't a conflict.

Anyone know what would cause this issue?

Active Directory

2 answers

  1. Fan Fan 15,276 Reputation points Microsoft Vendor


    Before going further, I would like to confirm one more question:
    Is it not allowed to reset the password from ADUC, or is it not allowed to change the password on the workstation by pressing Ctrl+Alt+Del?

    From the test I did in my lab, no matter how long you configure the minimum password age, it will not affect resetting the password from ADUC. You can reset the password whenever you want.

    But it will affect when you can change the password after you log on to the workstation: the minimum password age (counted from the time the password was last set) must have passed before you can change it.

    One more question: the result you provided below was obtained from the net user command, right?
    Based on my experience, the net user command only shows the group policy result; it can't show the result from the FGPP.
    So your domain policy also configures the minimum password age to one day; you can check that in the Default Domain Policy GPO.

    Note: sorry for the unclear words "age for the user's account"; I meant the age for the password.

    Best Regards,
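    An added example (not posted by either participant) that performs the check described in the question and the answer above: compare the Default Domain Policy that `net user` reports with the resultant FGPP the domain controller actually enforces for the user, and compute the earliest time a self-service (Ctrl+Alt+Del) change is permitted. It assumes the ActiveDirectory RSAT module and a domain-joined, authenticated session; `jdoe` is a placeholder sAMAccountName.

```powershell
# Added example, not from the thread. Shows the difference described in the answer:
# 'net user' reports the Default Domain Policy, while the DC enforces the resultant
# FGPP (constructed attribute msDS-ResultantPSO). Also computes the earliest time the
# user may change their own password (PasswordLastSet + effective MinPasswordAge).
# Assumes the ActiveDirectory RSAT module and a domain-joined session;
# 'jdoe' is a placeholder sAMAccountName.
Import-Module ActiveDirectory

$User = 'jdoe'                                  # placeholder account
$Pdc  = (Get-ADDomain).PDCEmulator              # password changes are replicated here first

# Read from the PDC emulator so PasswordLastSet is not stale on a lagging DC.
$u = Get-ADUser -Identity $User -Server $Pdc `
        -Properties PasswordLastSet, pwdLastSet, 'msDS-ResultantPSO'

# What 'net user <name> /domain' reports: the domain-wide (Default Domain Policy) settings.
$ddp = Get-ADDefaultDomainPasswordPolicy -Server $Pdc

# What the DC actually enforces for this user: the FGPP if one applies, otherwise the DDP.
$pso = Get-ADUserResultantPasswordPolicy -Identity $User -Server $Pdc
$effective = if ($pso) { $pso } else { $ddp }

# pwdLastSet = 0 means "must change password at next logon"; PasswordLastSet is then $null.
$earliest = if ($u.PasswordLastSet) { $u.PasswordLastSet + $effective.MinPasswordAge } else { $null }

[pscustomobject]@{
    User               = $u.SamAccountName
    ResultantPSO       = $u.'msDS-ResultantPSO'          # $null => no FGPP applies to this user
    PasswordLastSet    = $u.PasswordLastSet
    DdpMinPasswordAge  = $ddp.MinPasswordAge              # the value 'net user' shows
    EffectiveMinAge    = $effective.MinPasswordAge        # the value enforced on self-service changes
    EffectiveMaxAge    = $effective.MaxPasswordAge
    EarliestSelfChange = $earliest
    ChangeableNow      = ($null -ne $earliest) -and ((Get-Date) -ge $earliest)
} | Format-List

# Sanity check for "only one policy is set": list every FGPP with its precedence and subjects.
Get-ADFineGrainedPasswordPolicy -Filter * -Server $Pdc |
    Sort-Object Precedence |
    ForEach-Object {
        $subjects = (Get-ADFineGrainedPasswordPolicySubject -Identity $_ -Server $Pdc).Name -join ', '
        '{0,-30} precedence={1,-4} minAge={2} appliesTo={3}' -f $_.Name, $_.Precedence, $_.MinPasswordAge, $subjects
    }
```

    Run it once before and once after adding the user to the group the FGPP targets: `ResultantPSO` should change from `$null` to the policy's DN, and `EarliestSelfChange` shows when a Ctrl+Alt+Del change will be accepted. MinPasswordAge only governs user-initiated changes, which is why an administrative reset in ADUC (or `Set-ADAccountPassword -Reset`) succeeds regardless. If `PasswordLastSet` differs between `-Server $Pdc` and the DC the workstation authenticates against, replication, not the policy, is what to look at.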

  2. dmf10e 1 Reputation point

    @Fan Fan Resetting the password in ADUC works. It's only resetting a password through Ctrl+Alt+Del. Yes, that screenshot was pulled from Net User. I'm aware that that info only gets pulled from the DDP, but I included it to show when the password was last reset. So, it's been a few days since I performed the policy add, etc., but the DDP is set to a minimum of 1 day and expiration is 90 days. Assume only the DDP is being enforced at this time. Using those dates above, I last reset my password on 10/9 at 11:36 am and was eligible to reset on 10/10 at 11:36 am. I then added the user to the security group the FGPP was being applied to on 10/11 (so eligible to reset using the longer password requirement), and it's not letting me reset (through Ctrl+Alt+Del) until 10/12. I will mention this because I found it while testing: even though I wasn't able to reset the password, when I attempted to reset the password and got the "unable to" message, I ran the "Net User" command and it showed the last password change as the date/time I attempted to change the password but wasn't able to.

    It only seems to happen once. If I remove the user from the group and add them back the next day, I don't have to wait another 24 hours before I can change it (assuming it's been a minimum of one day since the last reset). Very weird scenario.

    It's only happening in this Enterprise environment I'm working in. In my test lab, the behavior is what it's expected to be.