Error when trying to reset a password when Fine Grained Password Policies (FGPP) are in effect
December 6, 2011 2 Comments
I had created a Fine Grained Password Policy (FGPP) which, among other things, turned off the requirement for complex passwords. I had applied this policy to users through a group. When I tried to reset the password of one of the users for which this FGPP applied, Active Directory Users and Computers would give me this error:
—————————
Active Directory Domain Services
—————————
Windows cannot complete the password change for <user> because:
The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.
—————————
OK
—————————
Originally I though that my password did in fact violate my FGPP, but after testing this further I concluded that it was something else. After a bit of looking I discovered that this domain was in Windows Server 2003 Functional Mode. A requirement for FGPP is at least Windows Server 2008 Functional Mode. After changing it to Windows Server 2008, the FGPP took effect and I could reset my passwords.
Perhaps the *-ADFineGrainedPasswordPolicy cmdlets should check the domain functional level. At least New-ADFineGrainedPasswordPolicy should display a warning if the domain is not at the required level. The requirement is listed in the Step-by-Step guide (thank you PTS), but I didn’t catch that this time.
References:
Says right here http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx
“For the fine-grained password and account lockout policies to function properly in a given domain, the domain functional level of that domain must be set to Windows Server 2008.”
So it does, my friend. Thank you.