Symptom When you try to change the user password, you may receive the following error message:
The Password Cannot Be Changed At this time.
This error may occur when the user logs in to the client or server console.
When you use the "Active Directory user and computer" management unit to reset your account password, you may receive the following error message:
Windows Can Not Complete The Password Change for
User name Because:
The Password Does Not Meet The Password Policy Requirements.check The Minimum Password LENGTH, Password Complexity, and Password History Requirements.
Cause If the user organizes units
This issue may occur if the Group Policy object configures "password shortest retention period" to "undefined".
The default domain group policy object is the default configuration container for the user.
Solution To resolve this issue, configure the "Maximum Save Duration" policy setting to "0 days". To do this, define and configure the policy settings. The policy setting should be configured in the user's Default Domain Group Policy object.
To configure this policy setting, follow these steps:
Open the "Active Directory User and Computer" management console. Right click on the name of the domain and click Properties. Note: If the user is configured into a specific organizational unit, select the organization unit where the user is located. Click Group Policy tab, click the default domain policy, and then click Edit. The Group Policy Editor will open. Expand your computer configuration, click Windows Settings, Account Policy, and Password Policy. Right-click the shortest retention period, then click Security. Click to select the "Define this Policy Settings" check box and set the counter to "0 days". Note: "0 days" is the default policy settings in the Default Domain Policy. After setting the shortest retention period of the password, the suggested numerical modified dialog will appear. It points out that the maximum retention period setting for password will change to 30 days. If this value does not change, when all the password retention period is 30 days or longer users log in, it will receive an error message, indicating that their password has expired, and the password must be changed. To set a larger value, after the shortest retention period settings are set, click the password for the shortest retention period, then add or reduce the settings according to your preferences. Note: You cannot set the maximum deposit period of the password to 0. If this is done, the "password shortest retention period" policy will be disabled. Click OK to close the Security Policy settings. Close Group Policy Editor and "Active Directory User and Computer" management console. To update the policy settings, open the command prompt on the domain controller, then run the following command:
Secedit / RefreshPolicy Machine_Policy / Enforce may have to restart domain controllers, which will be updated.
More information
When you don't need a "password shortest retention period" setting, administrators may incorrectly configure this policy setting to "undefined". If this policy setting is not defined in the Default Domain Policy, you will not be able to change your password.
Scope of application
This article applies to the system self-installation strategy after installing AD under Win2003 / Win2000, causing not adding users or modifying user passwords.
-------------------------------------------------- ---
Kangsoft@hotmail.com QQ: 435578
