Symptoms:
After enabling “Password must meet complexity requirements” in the Active Directory Default Domain Policy, administrators and users may receive the following error message when changing or setting a password:
“The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.”

Cause:
Enabling “Password must meet complexity requirements” enforces a rule requiring that “the password must NOT contain all or part of the user's account name.”
By definition, the “user's account name” is stored in both of the following fields.
| Active Directory Field Name | ADSI Property Name |
|---|---|
| Display Name | displayName |
| Pre-Windows 2003 Logon Name | samAccountName |

Screen shots showing the relationship between Active Directory Users and Computers and the ADSI properties.


Resolution:
Select one of the following:
1) Change the new password so that it does not contain any word in these two fields.
2) Change these two fields so that they do not contain the word used in the new password.
More Information:
While the Microsoft Windows 2003 documentation clearly states that the password cannot contain even “part of the user's account name”, under testing with a 7-character user name (stored in both fields) I successfully created passwords with the first 6 characters of that user name.
These two fields and this policy are carried forward from the NT4 (and prior) domain implementation.
These fields were determined by testing on a Windows 2003 domain running in Windows 2000 Native Mode.
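
The following pre-check is an added example, not part of the original article or any Microsoft tool. It follows Microsoft's published description of the rule for current Windows Server versions: samAccountName is matched only as a whole string, and displayName is split into tokens on delimiters, with anything shorter than three characters ignored. That the Windows 2003 domain tested above behaves the same way is an assumption. The function name and the sample account are hypothetical.

```powershell
# Added example: test a candidate password against the two name fields.
function Test-PasswordContainsName {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DisplayName = ''
    )
    $hits = @()
    $pw = $Password.ToLowerInvariant()   # the comparison is not case-sensitive

    # samAccountName: compared in its entirety; skipped when under 3 characters.
    if ($SamAccountName.Length -ge 3 -and $pw.Contains($SamAccountName.ToLowerInvariant())) {
        $hits += "samAccountName '$SamAccountName'"
    }

    # displayName: split on , . - _ space # tab; tokens under 3 characters are ignored.
    $delims = [char[]]@(',', '.', '-', '_', ' ', '#', "`t")
    $tokens = $DisplayName.Split($delims, [System.StringSplitOptions]::RemoveEmptyEntries)
    foreach ($token in $tokens) {
        if ($token.Length -ge 3 -and $pw.Contains($token.ToLowerInvariant())) {
            $hits += "displayName token '$token'"
        }
    }
    return ,$hits   # always an array, empty when the name rule is satisfied
}

# Constructed sample account and candidate passwords (not real directory data).
$sam = 'jsmithe'
$dn  = 'Smithe, John'
foreach ($candidate in 'Jsmithe2024!', 'Jsmith#2024x', 'xJohn!9931', 'Blue-Kettle-47') {
    $found = Test-PasswordContainsName -Password $candidate -SamAccountName $sam -DisplayName $dn
    if ($found.Count -gt 0) {
        '{0,-16} rejected: {1}' -f $candidate, ($found -join '; ')
    } else {
        '{0,-16} name rule satisfied' -f $candidate
    }
}
```

The second candidate contains only the first six characters of the seven-character samAccountName and is not flagged, which corresponds to the test result described under More Information. The function covers the name rule only; length, history and character-category requirements are enforced separately by the domain.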