Description of Issue
End Users receive an error message when attempting to reset their password from the Mobile or Web App. The error appears immediately after tapping the Reset Password button/link.
Cause
The AD Password Policy doesn't meet the minimum requirements for Azure/O365.
Microsoft's minimum password requirements are:
- Minimum Password Length - 8 or more
- Password Complexity - Enabled
- Enforce Password History - 1 or more
- Account Lockout Threshold - between 1 and 10
Resolution
- Check the Quickpass Password Settings link on the Dashboard for the affected Customer to ensure that Quickpass is reading the correct Policy from Active Directory.
- If the displayed policy matches the Active Directory Password Policy on the Domain Controller, adjust the AD Policy settings to at least the values listed above.
- If the displayed policy does not match the Password Policy for the Domain, this can be caused by a number of things:
- Setting the Group Policy to "undefined"
- Group Policy is essentially a way of pushing registry entries onto the machines that have the policy assigned to them.
- This means that if you set a Password policy (it is actually a Computer policy) to any value, that policy is written to a specific value in the registry.
- Future changes to the Policy adjust that registry value.
- Setting a policy to "not defined" simply stops adjusting the value. Whatever value was set last remains "tattooed" onto the registry.
- If this is the policy change that was made, instead of leaving the values set to Undefined, change them to an explicit value. Usually 0 sets a password value to "unlimited", but be sure to read the description of each setting to confirm you are setting the value you actually want.
- Multiple Password Policies set in different Group Policies
- The Default Domain Policy is just one of many policies that may have password settings defined.
- Check the Domain Controller Policy: this is the one read by the Domain Controllers and is the one enforced on the End User accounts that the Domain Controllers are "in charge" of.
- Check whether any other Password Policies are set on the Domain Controllers OU or on any OU/Root of the Domain higher up in the hierarchy.
A quick way to determine the password expiration and status actually in effect for an end user is to run this command (as Administrator):
net user username
Replace the "username" value with an actual username that is not a domain admin.
Once you have adjusted the password policy, make sure you run:
gpupdate /force
With some password policy adjustments, we have seen that the password policy doesn't update immediately, so you might need to run gpupdate /force a few times.
Once the password policy is reflected on the End User account you were testing above, go back to the Quickpass Portal, refresh the End User screen and check the Password Settings link in the bottom left. It should match the actual password policy, and the End Users should show the password expiration date you have configured in Active Directory.
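The following PowerShell script is an added example (not Quickpass tooling) that checks the policy the Domain Controllers actually enforce against the Microsoft minimums listed above, including any fine-grained password policies that override the default for their members. It assumes the RSAT ActiveDirectory module, a domain-joined admin session, and a placeholder test user name in $TestUser.

```powershell
# Added example, not Quickpass's own code. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$TestUser = 'jdoe'   # placeholder sAMAccountName: a normal end user, not a domain admin

function Test-PasswordPolicyMinimums {
    param([string]$Name, $Policy)
    # Each check mirrors one line of the minimum requirements above
    $problems = @()
    if ($Policy.MinPasswordLength -lt 8) {
        $problems += "MinPasswordLength is $($Policy.MinPasswordLength); needs 8 or more"
    }
    if (-not $Policy.ComplexityEnabled) {
        $problems += "ComplexityEnabled is False; complexity must be enabled"
    }
    if ($Policy.PasswordHistoryCount -lt 1) {
        $problems += "PasswordHistoryCount is $($Policy.PasswordHistoryCount); needs 1 or more"
    }
    # LockoutThreshold 0 means accounts never lock out, which fails the 1-10 requirement
    if ($Policy.LockoutThreshold -lt 1 -or $Policy.LockoutThreshold -gt 10) {
        $problems += "LockoutThreshold is $($Policy.LockoutThreshold); needs to be between 1 and 10"
    }
    if ($problems.Count -eq 0) { "[$Name] OK: meets the Azure/O365 minimums" }
    else { "[$Name] FAIL:"; $problems | ForEach-Object { "  - $_" } }
}

# 1. The domain default policy. This reads the values stored on the domain object,
#    i.e. what the DCs enforce after whichever GPO won, so it also exposes tattooed values.
Test-PasswordPolicyMinimums -Name 'Default Domain' -Policy (Get-ADDefaultDomainPasswordPolicy)

# 2. Fine-grained password policies (PSOs) override the default for their members
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    Test-PasswordPolicyMinimums -Name "PSO $($_.Name)" -Policy $_
}

# 3. The policy that actually applies to the test user (same question "net user" answers)
$resultant = Get-ADUserResultantPasswordPolicy -Identity $TestUser
if ($null -eq $resultant) { "$TestUser is covered by the Default Domain policy" }
else { Test-PasswordPolicyMinimums -Name "Resultant for $TestUser" -Policy $resultant }
```

Run it again after gpupdate /force; a value that stays wrong even though the GPO was changed points to a tattooed setting or a higher-priority policy.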