I have one user in my AD domain who seems to not be able to self-select a password. I may have another one, but they're on a different enough password-expiration schedule that I can't remember who it is right now.

I can set a password via ADU&C just fine, but when he tries it via C-A-D he gets the "doesn't meet complexity" message. Figuring he was just doing something like 'pAssword32', I did some troubleshooting of my own and sure enough it doesn't want to take a password that way.

He's one of our users that habitually uses a local account and then maps drives using his AD credentials so he doesn't get the "your password will expire in 4 days, maybe you should change it" prompts, so he's a frequent "my password expired, can you fix it" flyer.

I don't want to keep having him set it via ADU&C over my shoulder every N days. I'm just fine setting temp passwords of 48 characters of keyboard-slamming and letting him change it to something memorable.

My environment is at the Windows 2008 R2 functional level, and I am using fine-grained password policies. In fact, I have two such policies:

  1. For normal users (minimum length, remembered passwords)
  2. For special utility accounts

The password complexities I've tried match both policies for length and char-set selection.

The permissions on the User object itself look normal; SELF does indeed have the "Change Password" right.

Is there some other place I should be looking for things that can affect this?

Blue Warrior NFB
  • This is problem #1: "He's one of our users that habitually uses a local account". How did this local account get created? And why is he allowed to use it? – tony roth Nov 27 '12 at 16:09
  • @tonyroth Don't get me started on our Mac users, and the two Linux-heads. They're just as bad, but don't have this problem. This is why I'm writing a "your password is about to expire, you should change it" auto-mailer script. – Blue Warrior NFB Nov 27 '12 at 16:12
  • 1
    also if he's logged in locally and doing a cad then he's changing his pw of his local account that he shouldn't have, notthe domain account. – tony roth Nov 27 '12 at 16:12
  • lol, now I understand! Forget all my comments and just give up if you need to support Macs. – tony roth Nov 27 '12 at 16:13
  • Look for consecutive characters in both the password and user name **or** description field. With my frequent "reset my password, ZOMG!!!!1" lusers, I wait an additional day for every past request they've put in. As motivation. – HopelessN00b Nov 27 '12 at 16:14
  • @HopelessN00b a real BOFH!!! lol... – tony roth Nov 27 '12 at 16:16
  • @HopelessN00b Thing is, I can replicate this problem on my own (with his account of course) using passwords I create myself. An example of one that just failed: alph43BEMZsplater#akafdtgh5iyjhjsw – Blue Warrior NFB Nov 27 '12 at 16:22
  • OK, for the Mac and Linux users the password-expiry script is moderately a good idea, but the Windows users should not be allowed to use local accounts. How did this local account get created? Let me guess, they are admins on their workstations, right? – tony roth Nov 27 '12 at 16:31
  • Create a temp domain account, assign a temp pw with "change on next login", then use the alph43BEMZsplater#akafdtgh5iyjhjsw pw. What happens? – tony roth Nov 27 '12 at 16:32
  • @tonyroth Which I did, and replicated, so I went back to the fine-grained policies to see if I missed anything... and see answer. – Blue Warrior NFB Nov 27 '12 at 16:57
  • @tonyroth Nah, that's not BOFHing, that's the IT equivalent of an "idiot tax." As priority goes, it goes to the users who don't continually cause their own problems through a shortage of functional neurons. Users who do cause their own problems from a lack of functional neurons get negative priority. I fix computer systems, I don't fix stupid. – HopelessN00b Nov 27 '12 at 18:24
  • @HopelessN00b lol, I do that a lot also; if I could get a penny for every id10t tax issued, I'd be richer than I should be. – tony roth Nov 27 '12 at 18:53
  • Why not just join the Macs to the Windows domain? The user can use their domain account directly, getting around this local account problem, the Mac can be set to cache credentials for when they're off the network just as a Windows machine can be, and the user will get warnings of password expiration. I do this for about 80 or so Macs on our network and it works just fine. This is an educational network, so these 80 Macs are used by hundreds of roaming users, not just the same 80 users on a one-to-one basis, so I feel that the concept is well tested with us. – Rob Moir Nov 27 '12 at 19:47
  • @RobM As it happens, most of my Mac users are running a Windows VM (or two) and occasionally get the expiry notice. They generally don't access the AD resources directly from their Macs. This is an application-oriented AD domain, not a Central IT domain so the strong command-and-control model is... not so strong here. – Blue Warrior NFB Nov 27 '12 at 23:11

1 Answer

It turns out I was insufficiently observant, overly paranoid, or perhaps a bit... BOFHy when I set the fine-grained password policies. Looking closely at them (ADSI edit is not a great interface for that, too much other stuff) I noticed that I am setting a minimum password age.

Apparently, admin-resets do indeed reset this aging timer to zero.

Apparently, Windows reports the password-complexity error when it is too soon to reset a password.

Unless I want to change it, my "reset me!" users will have to put up with (for example) 2 days of the impossible-to-remember-but-very-long-password dunce-cap before they can set it to something they can remember.

Maybe this is just the hammer I need to urge them into straight up domain accounts.

Blue Warrior NFB