You are currently offline, waiting for your internet to reconnect

Changing The Krbtgt Password May Fail When A Custom Password Filter Is Installed

Support for Windows Server 2003 ended on July 14, 2015

Microsoft ended support for Windows Server 2003 on July 14, 2015. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

If a custom password filter (i.e., passfilt.dll) is installed on a domain controller you may receive the following error when trying to change the password for the krbtgt account.


The password does not meet the password policy requirements. Check the minimum password length, password complexity, and password history requirements.

This occurs because there is special logic when changing the password for krbtgt. While the Active Directory Users and Computers (dsa.msc) snap-in allows you to enter a password, it won't be used when changing the password. Instead, the Active Directory creates a very long string of random bits to use as the password. Since this string contains random data and not Unicode characters, it fails the typical tests included in password filters. These tests typically include checking to see if password contains a certain combination of upper and lower case letters, numbers, and punctuation.

To workaround this issue either include a test for random data or special case the account name krbtgt and return TRUE indicating that the password meets the required complexity.
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Article ID: 2549833 - Last Review: 05/10/2011 15:56:00 - Revision: 1.0

Microsoft Windows Server 2003, Standard Edition (32-bit x86), Microsoft Windows Server 2003, Standard x64 Edition, Microsoft Windows Server 2003 R2 Datacenter Edition (32-Bit x86), Microsoft Windows Server 2003 R2 Datacenter x64 Edition, Microsoft Windows Server 2003 R2 Enterprise Edition (32-Bit x86), Microsoft Windows Server 2003 R2 Enterprise x64 Edition, Windows Server 2008 Datacenter, Windows Server 2008 Enterprise, Windows Server 2008 Standard, Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Standard

  • KB2549833