Troubleshooting Microsoft AD Spoke Password Policy Issues - Support and Troubleshooting

Troubleshooting Microsoft AD Spoke Password Policy Issues Instructions The actions which depend on password policies may fail because of issues in the policies.

Reset AD User Password Change User Password

What is Password Policy and where to check for policy on domain controller?

A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly. A password policy is often part of an organization's official regulations and may be taught as part of security awareness training. Either the password policy is merely advisory, or the computer systems force users to comply with it. Some governments have national authentication frameworks that define requirements for user authentication to government services, including requirements for passwords. Following is the reference,

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-policy

Using Group Policy Management Console, configure the policy settings in the following location. For more information, see Group Policy Management Console

Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy

See the following topics from Microsoft Documentation for detailed information on password policy management

Topic

Description

Enforce password history

Describes the best practices, location, values, policy management, and security considerations for the Enforce password history security policy setting.

Maximum password age

Describes the best practices, location, values, policy management, and security considerations for the Maximum password age security policy setting.

Minimum password age

Describes the best practices, location, values, policy management, and security considerations for the Minimum password age security policy setting.

Minimum password length

Describes the best practices, location, values, policy management, and security considerations for the Minimum password length security policy setting.

Password must meet complexity requirements

Describes the best practices, location, values, and security considerations for the Password must meet complexity requirements security policy setting.

Store passwords using reversible encryption

Describes the best practices, location, values, and security considerations for the Store passwords using reversible encryption security policy setting.

Common Errors:

The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements

Troubleshooting: Make sure that your password meets the password policy requirements.

A constraint violation occurred. (Exception from HRESULT: 0x8007202F) HRESULT: [-2147016657]

There may be several reasons for the error. Try the following troubleshooting steps.

If the user account is locked, you cannot use the ChangePassword() method. Instead, you can use the SetPassword() method.

This may go without saying, but if your domain has a password policy in place, be sure the new password meets the length, complexity and age requirements that have been set. If you don't know the requirements, use " rsop.msc " as well as " gpedit.msc " and look under "Computer Configuration\Windows Settings\Account Policies\Password Policy\"

Check to make sure the " User Cannot Change Password " option is not checked in active directory.

Check AD permissions to make sure the user changing the password (if not impersonating) is able to do so for the target user. also agreed that targetign Computer Account objects cannot use ChangePassword().

Try changing the password for the user organically using the same old/new passwords to make sure the process works outside of the code. By organically, I mean login to a computer/server as the target user.

Ref Link: https://social.msdn.microsoft.com/Forums/vstudio/en-US/f10f4ee4-4d5b-48c8-8055-068a03f98fe5/ad-lds-cannot-changepassword-but-it-can-setpassword?forum=csharpgeneral