When you try to change a user's password, you may receive
the following error message:
The password cannot be
changed at this time.
This error can occur when the user is logged
on to a client or to the server's console.
you reset passwords on an account by using the Active Directory Users and
Computers snap-in, you may receive the following error message:
can not complete the password change for user name
The password does not meet the password policy requirements.
Check the minimum password length, password complexity, and password history
This behavior may occur if the Group Policy
object for the user's organizational unit has the Minimum
setting configured as Not Defined
. The Default Domain Group Policy
object is the default configuration container for users.
To resolve this behavior, configure the Minimum
policy setting to 0 days
. To do this,
define the policy setting, and then configure it. The policy settings should be
configured in the Default Domain Group Policy object for users.
configure the policy setting, follow these steps:
- Open Active Directory Users and Computers management
- Right-click the name of the domain, and then click Properties.
Note If users are configured to a specific organizational unit, select
the organizational unit where the users reside.
- Click the Group Policy tab, click Default Domain Policy, and then click Edit. The Group Policy Editor opens.
- Expand Computer Configuration, click Windows Settings, click Account Policies, and then click Password Policy.
- Right-click Minimum Password Age, and then click Security.
- Click to select the Define this policy
setting check box, and then set the counter to 0
Note0 days is the default policy setting in Default
- After you set the Minimum Password Age setting, the Suggested Value Changes dialog box appears. It indicates that the Maximum Password Age setting will be changed to 30 days.
If you do not
change this value, every user who has a password that is 30 days and older
receives an error message when they log on that states that their password has
expired and that it has to be changed. To set a higher value, click the Maximum Password Age policy that is above the Minimum Password Age policy after the Minimum Password Age setting is applied, and then increase or reduce this setting
according to your preferences.
Note You cannot set the Maximum Password Age setting to 0. If you do, this setting will disable the Minimum Password Age
- Click OK to close the Security Policy setting.
- Close Group Policy Editor and the Active Directory Users and Computers management
To update the policy setting, open a command prompt at the
domain controller, and then run the following command:
secedit /refreshpolicy machine_policy /enforce
You may have to restart the domain controller for
this policy to be updated.
If no Minimum Password Age setting is wanted,
administrators may mistakenly configure this policy setting to "Not Defined".
If this policy setting is not defined in Default Domain Policy, password
changes cannot occur.
You can obtain more information about Group
Policy for Microsoft Windows 2000 from the following locations:
Article ID: 273004 - Last Review: March 1, 2007 - Revision: 7.4
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
|kbenv kberrmsg kbnetwork kbprb KB273004|