# [SOLVED] Cannot Create New User Account - Password Issue



## napergman

I am unable to create a new user account because the password does not meet the group policy requirements. I am using Windows Server 2003. See attached error message.

I have checked out the Group Policy parameters and it is set for 7 characters, with no other restrictions. I am checking the Default Domain policy (Account Policy/Password Policy) (see attachment) for the domain that I just created. If I delete the policy (nothing defined) I still get the same message. Where else are password policies stored? I have tried passwords that are 8 and 15 characters with both upper and lower case digits and numbers. These passwords would pass 99.9% of the password policies in the world *smile*

I just bought this server. It had been used but there was virtually nothing configured when I got it (no server roles were defined). I have configured the server with Active Directory and DNS roles. This is the FIRST User account that I am trying to set up. 

Thanks in advance for your help.


----------



## loda117

*Re: Cannot Create New User Account - Password Issue*

chekc this out
Configuring Password Policy Settings in an Active Directory-Based Domain


----------



## Wand3r3r

*Re: Cannot Create New User Account - Password Issue*

you have password complexity as enabled. Lenght isn't your issue. Complexity is.


----------



## tcolvinMI

*Re: Cannot Create New User Account - Password Issue*

Also keep in mind that with password complexity turned on, you cannot use the username within the password. Microsoft's password complexity, by default requires any three of the following four requirements
- Uppercase Letters
- Lowercase Letters
- Numbers
- Special Characters

I also notice you have the minimum length enabled, as well as password history. Even with password complexity turned off, these requirements will still be enforced. If you want to completely remove the requirements, you need to disable the password complexity, set the minimum password length to zero and set the number of passwords remembered also to zero. 

When you go to set these settings, there is a tab at the top of each setting that explains what the setting does and what the different default values mean. Also keep in mind that the defaults are different for domain controllers vs member servers.


----------



## napergman

*Re: Cannot Create New User Account - Password Issue*

I think that the issue was Complexity. I was not meeting the complexity requirements; most of the passwords that I used had only lower case alpha and numbers so I wasn't meeting 3 of the 4 parameters. I also did not realize that Complexity was still in effect if password length was not set to zero. 

I also read in another post that the group policy must be refreshed (gpupdate from the command line) after changes are made. I had rebooted once or twice (in desperation) during my "testing" which of course would have done the same thing. Can anyone confirm the need to refresh the policies. Thanks.


----------



## napergman

*Re: Cannot Create New User Account - Password Issue*

I did some further testing and I think I have finally figured out how password policies function. I changed all password parameters to "not defined" in the group policy. See attached screen shot. 

I updated the policies (gpupdate /force) and tried to enter a new user with the password 'short'. This obviously does not meet the 3 of 4 complexity requirements but it shouldn't matter since all parameters are "not defined". I got the password complexity error. 

I then tried 3 other passwords, each 7 characters in length but increasing the number of met complexity parameters. I used 'shortee' (1 of 4), 'shorty1' (2 of 4) and 'Shorty1' (3 of 4). The last password worked. For grins, I also created a user account using the password, "$horty1" and of course it worked. To clarify, this is a domain controller. 

So it appears that even if the password policy parameters are "not defined", the complexity defaults still must be met. Please confirm this and comment if you'd like. Thanks.


----------



## tcolvinMI

*Re: Cannot Create New User Account - Password Issue*

When you go to change the password complexity setting, there are two tabs presented to you. If you click on the second tab which should say "Explain this setting", you'll find the following statements...



> _Password must meet complexity requirements
> 
> This security setting determines whether passwords must meet complexity requirements.
> 
> If this policy is enabled, passwords must meet the following minimum requirements:
> 
> Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
> Be at least six characters in length
> Contain characters from three of the following four categories:
> English uppercase characters (A through Z)
> English lowercase characters (a through z)
> Base 10 digits (0 through 9)
> Non-alphabetic characters (for example, !, $, #, %)
> Complexity requirements are enforced when passwords are changed or created.
> 
> 
> 
> Default:
> 
> *Enabled on domain controllers.*
> Disabled on stand-alone servers.
> 
> Note: By default, member computers follow the configuration of their domain controllers.
> _


The default value for a domain controller is Enabled. If you specifically set it to Disabled, it should disable the password complexity requirements. Although, I would suggest leaving these on. What does it really hurt?


----------



## napergman

*Re: Cannot Create New User Account - Password Issue*

TcolvinMI - Thanks for your continued comments on this thread. I guess my point (and request for confirmation) is that I can't find any way to DISABLE Complexity for a Domain Controller. There appears to be NO way to do this. I try to read the available documentation when I run into a problem and as far as I can tell, the documentation is incomplete (or arguably, incorrect) when it comes to Password Policy. 

To your last comment, I am attempting to learn Windows Server (2003) so this is primarily academic at this point. I have a Dell PowerEdge server and 4 Windows XP/7 clients connected to it. I think that password complexity is invaluable in pc/network security and would never disable it in the real world environment. I hope that this makes some sense. Thanks :smile:


----------



## napergman

*Re: Cannot Create New User Account - Password Issue*

Wand3r3r and Loda117, can you confirm that it is not possible to disable Password Complexity on Windows Server 2003? (see my earlier post describing my findings) Can you also comment on this relative to Server 2008 as well.


----------



## IT-Barry

*Re: Cannot Create New User Account - Password Issue*

Disable Password Requirements in Windows Server 2003 Domains

Can try the above.

Give the gpo time to apply.


----------



## napergman

*Re: Cannot Create New User Account - Password Issue*

IT-Barry. Thank you for your post. It took me a while to get to it for many reasons. This was exactly what I was looking for. I learned a great deal from the link and my own experimenting. Thanks again.
Cheers :smile:


----------

