Strange active directory password complexity issue

Amit 26 Reputation points
2021-02-02T07:54:21.34+00:00

Hi,
I have a strange problem with active directory password complexity.
The password complexity policy ("Password must meet complexity requirements" = enabled) applies correctly when a user tries to change a password by pressing "Alt + Ctrl + Del".
But when I force the user to change a password, he can change it to a password that is not complex. It also happens when the password has expired and the user is required to change the password at the next login.
Is someone having a similar problem? How can this be solved?
Some details about the environment:
Domain Controller: Windows Server 2016
Functional level: 2016

Thanks


Accepted answer
  1. Hannah Xiong 6,266 Reputation points
    2021-02-03T06:00:53.567+00:00

    Hello,

    Thank you so much for your feedback.

    The Passwords must meet complexity requirements policy setting determines whether passwords must meet a series of strong-password guidelines. When enabled, this setting requires passwords to meet the following requirements:

    1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Both checks are not case-sensitive.
    2. The password contains characters from three of the following categories:

    - Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
    - Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
    - Base 10 digits (0 through 9)
    - Non-alphanumeric characters (special characters): (~!@#$%^&*_-+=`|(){}[]:;"'<>,.?/) Currency symbols such as the Euro or British Pound aren't counted as special characters for this policy setting.
    - Any Unicode character that's categorized as an alphabetic character but isn't uppercase or lowercase. This group includes Unicode characters from Asian languages.

    Reference: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements

    So that is to say, the password could contain the special characters, or it could not contain the special characters if it contains the other three of the categories as mentioned above.

    I hope I have made it clear to understand. We could kindly have a recheck.

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
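The rule set quoted in the accepted answer can be checked offline before a password ever reaches a domain controller, which is useful when a forced change appears to accept a weak value and you want to know whether the value really fails the rule or whether the filter is not being consulted. The following PowerShell function is an added example, not code from the thread or from Microsoft: it approximates the built-in filter as the answer describes it (samAccountName / whole displayName containment, three of five character categories), using .NET Unicode categories to classify characters, which is an assumption about how the real filter classifies them. The user `jdoe` / "John Doe" and the candidate passwords are constructed sample inputs.

```powershell
# Added example, not from the thread: approximation of the default
# "Password must meet complexity requirements" rule for offline testing.
function Test-PasswordComplexity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Password,
        [string] $SamAccountName = '',
        [string] $DisplayName = ''
    )

    $reasons = New-Object System.Collections.Generic.List[string]

    # Rule 1: the password may not contain the samAccountName or the entire
    # displayName; both checks are case-insensitive.
    if ($SamAccountName -and
        $Password.IndexOf($SamAccountName, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $reasons.Add('contains samAccountName')
    }
    if ($DisplayName -and
        $Password.IndexOf($DisplayName, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $reasons.Add('contains displayName')
    }

    # Rule 2: characters from at least three of the five categories.
    # Special-character set exactly as listed in the policy text (currency symbols excluded).
    $special = '~!@#$%^&*_-+=`|(){}[]:;"''<>,.?/'
    $upper = $lower = $digit = $spec = $otherAlpha = $false
    foreach ($ch in $Password.ToCharArray()) {
        $cat = [char]::GetUnicodeCategory($ch)
        if     ($cat -eq [Globalization.UnicodeCategory]::UppercaseLetter) { $upper = $true }
        elseif ($cat -eq [Globalization.UnicodeCategory]::LowercaseLetter) { $lower = $true }
        elseif ($ch -match '[0-9]')                                       { $digit = $true }
        elseif ($special.IndexOf($ch) -ge 0)                              { $spec = $true }
        elseif ([char]::IsLetter($ch))                                    { $otherAlpha = $true } # e.g. CJK
    }
    $count = @(@($upper, $lower, $digit, $spec, $otherAlpha) | Where-Object { $_ }).Count
    if ($count -lt 3) { $reasons.Add("only $count of 5 character categories") }

    # The password itself is deliberately not echoed back.
    [pscustomobject]@{
        Compliant  = ($reasons.Count -eq 0)
        Categories = $count
        Reasons    = ($reasons -join '; ')
    }
}

# Constructed sample inputs for a hypothetical user jdoe / "John Doe".
$samples = 'Summer2021', 'summer2021', 'John Doe#2021', 'Welcome1!'
$samples | ForEach-Object {
    $r = Test-PasswordComplexity -Password $_ -SamAccountName 'jdoe' -DisplayName 'John Doe'
    [pscustomobject]@{
        Candidate  = $_
        Compliant  = $r.Compliant
        Categories = $r.Categories
        Reasons    = $r.Reasons
    }
} | Format-Table -AutoSize
```

With these inputs `Summer2021` and `Welcome1!` pass (upper, lower and digit, or upper, lower, digit and special), `summer2021` fails with only two categories, and `John Doe#2021` fails because it contains the display name. Minimum length and password history are separate policy settings and are not modelled here; a candidate that passes this function can still be rejected by the domain for those reasons.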


2 additional answers

  1. Hannah Xiong 6,266 Reputation points
    2021-02-02T08:51:29.447+00:00

    Hello,

    Thank you so much for posting here.

    Yeah, it is a little strange. The setting (Password must meet complexity requirements) is in effect immediately, but users are not impacted until a password change occurs. So when the user is trying to change the password, the setting will be applied.

    After deep research, I hope something here might be helpful. We could kindly have a check.
    https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/the-strange-case-of-unenforced-password-complexity/ba-p/396400

    Besides, have we configured Fine-Grained Password Policies for the specific user? To check whether one is configured or not, we could use the below PowerShell command.
    Get-ADUserResultantPasswordPolicy username

    Here is the result of the command if an FGPP is configured for the user. (If no FGPP is configured for the user, the result will show nothing.)

    [screenshot 62857-11.png: output of Get-ADUserResultantPasswordPolicy for a user with an FGPP applied]

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong


    1 person found this answer helpful.
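The answer above checks one user for a fine-grained policy; when troubleshooting the symptom in the question (complexity enforced on one change path but not another), a practitioner would want to see, side by side, which policy actually governs the user, what the domain's enforced defaults are, and every PSO that exists. The script below is an added example, not code from the thread: it assumes the ActiveDirectory module from RSAT on a domain-joined machine with read access to the domain, and `jdoe` is a placeholder sAMAccountName. `Get-ADDefaultDomainPasswordPolicy` reads the values stored on the domain object, which is what domain controllers enforce, so it is the value to compare against the GPO setting rather than the GPO text itself.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicyReport {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties PasswordLastSet, PasswordExpired, PasswordNeverExpires

    # A fine-grained policy (PSO) wins over the domain default when one applies to the
    # user directly or through group membership; the cmdlet returns nothing otherwise.
    $fgpp = Get-ADUserResultantPasswordPolicy -Identity $user

    # Values actually held on the domain head, i.e. what the DCs enforce.
    $domain = Get-ADDefaultDomainPasswordPolicy

    if ($fgpp) {
        $effective = $fgpp
        $source    = "FGPP '$($fgpp.Name)' (precedence $($fgpp.Precedence))"
    } else {
        $effective = $domain
        $source    = 'Default domain policy'
    }

    [pscustomobject]@{
        User                 = $user.SamAccountName
        PolicySource         = $source
        ComplexityEnabled    = $effective.ComplexityEnabled
        MinPasswordLength    = $effective.MinPasswordLength
        PasswordHistoryCount = $effective.PasswordHistoryCount
        MaxPasswordAge       = $effective.MaxPasswordAge
        PasswordExpired      = $user.PasswordExpired
        PasswordNeverExpires = $user.PasswordNeverExpires
        PasswordLastSet      = $user.PasswordLastSet
    }
}

# Every PSO in the domain, highest precedence (lowest number) first, with its targets,
# so a PSO that silently disables complexity for a group is visible at a glance.
function Get-AllFineGrainedPolicies {
    Get-ADFineGrainedPasswordPolicy -Filter * |
        Sort-Object Precedence |
        Select-Object Name, Precedence, ComplexityEnabled, MinPasswordLength, AppliesTo
}

# Placeholder account name; replace with the affected user.
Get-EffectivePasswordPolicyReport -SamAccountName 'jdoe' | Format-List
Get-AllFineGrainedPolicies | Format-Table -AutoSize
```

If `ComplexityEnabled` is `True` from whichever source governs the user and a non-complex password is still accepted on the forced-change path, the policy objects are not the explanation and the password filter chain on the domain controller (the subject of the later answer) is the next thing to examine.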

  2. Hannah Xiong 6,266 Reputation points
    2021-02-08T06:08:00.627+00:00

    Hello,

    You are welcome. Thank you so much for your kind reply.

    We cannot edit the password complexity rules. We need to create our own password filter to replace the default.

    https://learn.microsoft.com/en-us/windows/win32/secmgmt/password-filters

    Others also had the same issue and we discussed this before. We could kindly have a check.

    https://learn.microsoft.com/en-us/answers/questions/118459/custom-change-in-39password-must-meet-complexity-r.html

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong
