Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain


Solution 1

Although I changed the minimum password age in the password policy, I still had to change the minimum password age to 0:00:00 in the ADSI Editor for the DC I'm in.

@JimB and @Craig620, your help is greatly appreciated.

Solution 2

Domain controllers ignore password, lockout, or Kerberos policy settings defined at an organizational unit, such as the Domain Controllers OU.

You should define legacy password policies in the Default Domain Policy or another top-level GPO.

As a test I created password policy settings in both the Default Domain Policy and Default Domain Controllers Policy. See the Winning GPO:

enter image description here

Reference:

https://technet.microsoft.com/en-us/library/cc756064%28v=ws.10%29.aspx
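
To see which values actually apply to an account, read the effective policy from the directory instead of the GPO editor. The PowerShell below is an added example, not part of the original answers; it uses the ActiveDirectory module cmdlets `Get-ADUser`, `Get-ADUserResultantPasswordPolicy` and `Get-ADDefaultDomainPasswordPolicy`, and the function name and the account `jdoe` are made up for illustration.

```powershell
# Added example: report the password policy that applies to one user and
# whether the minimum password age currently blocks a user-initiated change.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Test-PasswordChangeAllowed {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [string] $SamAccountName
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet

    # A fine-grained password policy (PSO) overrides the domain policy when
    # one applies to the user; the cmdlet returns nothing if none applies.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) {
        $policy = $pso
        $source = "Fine-grained policy: $($pso.Name)"
    } else {
        $policy = Get-ADDefaultDomainPasswordPolicy
        $source = 'Default domain password policy'
    }

    # PasswordLastSet is empty when the account must change its password at
    # next logon; the minimum age does not block a change in that case.
    $now = Get-Date
    $earliest = if ($user.PasswordLastSet) {
        $user.PasswordLastSet + $policy.MinPasswordAge
    } else {
        $now
    }

    [pscustomobject]@{
        User                 = $user.SamAccountName
        PolicySource         = $source
        MinPasswordAge       = $policy.MinPasswordAge
        MinPasswordLength    = $policy.MinPasswordLength
        ComplexityEnabled    = $policy.ComplexityEnabled
        PasswordHistoryCount = $policy.PasswordHistoryCount
        PasswordLastSet      = $user.PasswordLastSet
        EarliestUserChange   = $earliest
        ChangeAllowedNow     = ($now -ge $earliest)
    }
}

# 'jdoe' is a constructed sample account name.
Test-PasswordChangeAllowed -SamAccountName 'jdoe' | Format-List
```

A user-initiated change, such as the AD FS update password page, is subject to minimum password age and password history, while an administrative reset in Active Directory Users and Computers is not. A result of `ChangeAllowedNow : False` therefore matches the symptom described in the question.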


Author: user3340627

Updated on September 18, 2022

Comments

  • user3340627
    user3340627 over 1 year

    I'm using federated identity for Office-365 single sign-on. I have added the password change endpoint to my ADFS 3.0 server, and successfully opened the adfs update password page. However, whenever I try to update the password I get the error above. I made sure of the following:

    1- I made my password too complex, containing capital, small, number and non-alphanumeric characters
    2- I waited for 1 hour as I found that the minimum age for the password is 1 hour in the ADSI Editor

    I opened Group Policy Management--> expanded my domain name --> Domain Controllers --> Default Domain Controllers Policy --> Right-Click Edit --> navigated to Password Policy. I found that all the Policy settings are set to "Not Defined".

    I opened my ADFS server and opened Local Group Policy Editor --> navigated to Password Policy and the settings are as follows: enter image description here

    I made sure that my password complies with these settings:

    When this policy setting is enabled, users must create strong passwords to meet the following minimum requirements:

    Passwords cannot contain the user's account name or parts of the user's full name that exceed two consecutive characters.

    Passwords must be at least six characters in length.

    Passwords must contain characters from three of the following four categories:

    English uppercase characters (A through Z).

    English lowercase characters (a through z).

    Non-alphabetic characters (for example, !, $, #, %).

    What could be wrong that I can't update the password through the ADFS password change page?

    • raja
      raja over 8 years
      Can you change the password to your requested password via a domain joined, on network system? That will isolate it to either the password or adfs.
    • jojojoj
      jojojoj over 8 years
      You can run RSOP.MSC to determine the name of the policy controlling passwords. After it runs, navigate to Computer/Windows/Security Settings/Account Policies/Password Policy. You may find it resides in "Default Domain Policy" instead of "Default Domain Controllers Policy". This could be more complex if you are using "Fine-Grained Password" policies?
    • user3340627
      user3340627 over 8 years
      Please bear with me as I don't have any previous experience in this. @JimB My attempt to change the password via ADFS page was while being connected to VPN. But I can reset the user password from the "Active Directory Users and Computers", and I can update it to the same exact password that doesn't work through ADFS page.
    • user3340627
      user3340627 over 8 years
      @Craig620 I ran this on one of the computers in the network and the password policy settings are "Not Defined". I tried adding a new Group Policy for the specific OU I'm working on and set the Password Policy for it, then I right-clicked on the OU --> All Tasks --> Resultant Set of Policy and then navigated to the Password Policy, but still it was shown as "Not Defined".
    • jojojoj
      jojojoj over 8 years
      Settings from newly created/linked GPOs will not be applied until the machine updates policy (default once per 90 min). You can manually update with "GPUpdate /Target:Computer". However, your response to @JimB indicates this problem is probably not related to domain password policy and is most likely caused by something within ADFS.
  • Paul
    Paul almost 8 years
    Welcome to Server Fault! Your answer currently does not seem to provide a workable solution to the question and might be more appropriate as a question. Please read How do I write a good answer? and How do I ask a good question? Note that documentation review may be outside the scope of Server Fault. And don't forget to take the site tour.
  • HBruijn
    HBruijn almost 8 years
    Welcome to Server Fault! Whilst this may theoretically answer the question, please provide context around links so others will have some idea what it is and why it’s there. If possible summarise or quote the most relevant part of an important link, in case the target site is unreachable or goes permanently offline.