New users unable to change password in Windows 10

michal 186 Reputation points
2021-02-01T23:17:12.49+00:00

Hello team,

There is a problem with password changes for newcomers in the company. I set up a password for the new user and ask them to change it. However, when they try to change it (CTRL+ALT+DEL), they get this message:

"Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain"

This seems to be a problem only for newly created users, as existing users do not report any issue with it.

FYI:
We moved the DC from on-prem to Azure a couple of months ago. There is only 1 DC running in Azure. The two previous on-prem DCs, DC1 and DC2, are shut down (they were not demoted yet). Azure AD Connect is installed and configured on the DC in Azure and is syncing OK. The users are created in Active Directory on the DC in Azure. All is working fine - syncing to O365 etc.; the only problem is when they want to change the password. There is a Site-to-Site VPN from on-prem to Azure and the DC is reachable with no issue.

Here is what I've checked on the user's laptop so far:

  • set logonserver & gpresult /r - both are pointing to the DC in Azure
  • Checked "Default Domain Policy" and the settings are as below:
    Enforce password history: 4 passwords remembered
    Maximum password age: 90 days
    Minimum password age: 10 days
    Minimum password length: 8 characters
    Password must meet complexity requirements: Enabled
    Store passwords using reversible encryption: Disabled
  • On the DC in Azure, checked "Local Security Policy -> Security Settings -> Account Policies -> Password Policy" - has the same configuration as above

Any idea what could be wrong here? Again, this seems to be an issue only for newly created users :/


Accepted answer
  1. Falcon IT Services 226 Reputation points
    2021-02-01T23:26:30.443+00:00

    Hello,

    In the password policies GP, check the minimum password age. New users that have newly minted passwords may not be able to change them until they reach the minimum password age. The minimum password age is used as a way to prevent users from circumventing the password history policy. Your policy shows a period of 10 days.

    Miguel Fra
    https://www.falconitservices.com


4 additional answers

  1. michal 186 Reputation points
    2021-02-02T00:16:50.953+00:00

    Hi.... it is set to 10. I've changed to 0 and will test it tomorrow ;)


  2. Daisy Zhou 19,276 Reputation points Microsoft Vendor
    2021-02-02T07:46:12.973+00:00

    Hello @michal ,

    Thank you for posting here.

    I agree with Miguel Fra.

    As I understand it, if the password for the new user meets the length, complexity, or history requirements of the domain, it should be "Minimum password age 10 days" that caused the problem.

    I did a test in my lab as below:

    Here is the domain password policy setting:
    PS C:\windows\system32> net accounts
    Force user logoff how long after time expires?: Never
    Minimum password age (days): 7
    Maximum password age (days): 999
    Minimum password length: 1
    Length of password history maintained: 24
    Lockout threshold: 2
    Lockout duration (minutes): 30
    Lockout observation window (minutes): 30
    Computer role: PRIMARY
    The command completed successfully.

    Test steps

    I created two domain users, one is daisy5 and the other is daisy6.

    Daisy5 with "User must change password at next logon" checked.
    Daisy6 without "User must change password at next logon" checked.

    When I log in to a domain client as daisy5, it prompts that I must change the password. I can change the password for daisy5 successfully.


    When I log in to a domain client as daisy6, it does not prompt that I must change the password. Then I try to change the password, but I cannot.


    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou
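
The two answers above attribute the failure to the minimum password age, with the "must change at next logon" case exempt. As an added example (not part of any post in this thread), the PowerShell below reports, for one account, which policy applies and when a user-initiated change becomes possible; it assumes the ActiveDirectory RSAT module, and `newuser1` is a hypothetical account name.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
# Reports whether the minimum password age currently blocks a user-initiated change.
Import-Module ActiveDirectory

function Get-PasswordChangeWindow {
    param(
        [Parameter(Mandatory)][string]$Identity
    )

    $user = Get-ADUser -Identity $Identity -Properties pwdLastSet, PasswordLastSet

    # A fine-grained password policy (PSO), if one applies to the user,
    # takes precedence over the Default Domain Policy values.
    $pso    = Get-ADUserResultantPasswordPolicy -Identity $user
    $policy = if ($pso) { $pso } else { Get-ADDefaultDomainPasswordPolicy }
    $source = if ($pso) { "PSO: $($pso.Name)" } else { 'Default domain policy' }

    # pwdLastSet = 0 means "User must change password at next logon" is set;
    # this is the daisy5 case, where the change succeeds at logon.
    $mustChange = ($user.pwdLastSet -eq 0)

    # Otherwise the earliest user-initiated change is last set + minimum age
    # (the daisy6 case, blocked until that time has passed).
    $earliest = $null
    if (-not $mustChange -and $user.PasswordLastSet) {
        $earliest = $user.PasswordLastSet + $policy.MinPasswordAge
    }

    [pscustomobject]@{
        User                  = $user.SamAccountName
        PolicySource          = $source
        MinPasswordAge        = $policy.MinPasswordAge
        PasswordLastSet       = $user.PasswordLastSet
        MustChangeAtNextLogon = $mustChange
        EarliestUserChange    = $earliest
        BlockedByMinAge       = [bool]($earliest -and ($earliest -gt (Get-Date)))
    }
}

Get-PasswordChangeWindow -Identity 'newuser1'   # hypothetical account name
```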


  3. michal 186 Reputation points
    2021-02-02T09:23:41.987+00:00

    Thank you both! The "minimum pass age" was the issue here.


  4. Sandro Alves 1 Reputation point
    2021-11-30T15:57:19.937+00:00

    Hi,

    I have the same problem in an environment with Windows 2012 and Windows 10 Workstations.

    "Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain"

    But my settings are not the following:

    C:\WINDOWS\system32>net accounts
    Force user logoff after expiration after: Never
    Minimum password duration (days): 0
    Maximum password duration (days): 30
    Minimum password length: 8
    Duration of password history: None
    Protection limit: Never
    Duration of protection (minutes): 30
    Protection observation window (minutes): 30
    Computer Function: Workstation
    Command completed successfully.

    I can only change the password using CMD with privilege.

    What could be wrong?

    Thanks.
