AD and password issues

jake_snyder
New Contributor III

I have a 10.10.4 Mac bound to 2012R2 AD.

I've been trying to configure ADPassMon 2 (because I hear it will solve my keychain problems) for half the day and cannot get it to reset a password. It pulls in the password age just fine. It can refresh Kerberos tickets just fine.

I decided to take a step back and tried to change an AD account password via Users & Groups, but no luck there either. I got the message:

The password for the account "<account name>" was not changed. Your password did not meet the requirements specified by your server administrator. You may need to use different characters, numbers, or symbols in your password. If you're not sure how you should change your password, contact your system administrator before trying again.

I've tried various passwords with various degrees of complexity, but no matter what I always get this message. Can someone point me in the right direction?

3 REPLIES

scottb
Honored Contributor

Well, I've set up and tested this and it works fine. But I think you need to get the actual password criteria from your AD team, or else you'll keep banging your head. What about the nominal character count? Upper/lower case, etc. There's a lot of room for error there...

Only caveat is that I have not tested this in 10.10.4...

Aaron
Contributor II

Be aware that it will give the "doesn't meet minimum complexity" error if there is also a policy that states that the password cannot be changed within X days of the last change. For example, at my company, we have it set to 5 days.

This one tripped me up for a while as well.

hughlon_francis
New Contributor

I had this set for years and then a Security Director wanted it changed to a minimum of 1 day. End result is users cannot change passwords until 24 hours after it was last changed. Set your Active Directory password policy to 0. This should be done using GPO.
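
The minimum-password-age condition raised in the last two replies can be checked from two raw directory attributes before blaming complexity rules. The following is an added example, not code from the thread or from ADPassMon: it decodes `pwdLastSet` (a FILETIME on the user object) and `minPwdAge` (a negative 100-nanosecond interval on the domain object) and reports when a user-initiated change becomes possible. The function names and sample values are constructed, and it assumes the domain default policy applies (no fine-grained password policy on the account).

```python
from datetime import datetime, timedelta, timezone

# Epoch for AD FILETIME attributes such as pwdLastSet.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 864_000_000_000  # 100-ns ticks in 24 hours


def filetime_to_datetime(value: int) -> datetime:
    """Convert 100-ns ticks since 1601-01-01 UTC to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def interval_to_timedelta(value: int) -> timedelta:
    """minPwdAge is stored as a negative count of 100-ns ticks (0 = no minimum)."""
    return timedelta(microseconds=abs(value) // 10)


def change_status(pwd_last_set: int, min_pwd_age: int, now: datetime) -> dict:
    """Report whether the minimum-age policy currently blocks a password change."""
    if pwd_last_set == 0:
        # 0 means "must change at next logon": the age window has already passed.
        return {"blocked": False, "earliest_change": None, "wait": timedelta(0)}
    earliest = filetime_to_datetime(pwd_last_set) + interval_to_timedelta(min_pwd_age)
    wait = max(earliest - now, timedelta(0))
    return {"blocked": wait > timedelta(0), "earliest_change": earliest, "wait": wait}


if __name__ == "__main__":
    # Constructed sample: password set two days before "now".
    now = datetime(2015, 7, 20, 12, 0, tzinfo=timezone.utc)
    set_at = now - timedelta(days=2)
    pwd_last_set = int((set_at - FILETIME_EPOCH).total_seconds()) * 10_000_000
    for label, min_age in (("5 days", -5 * TICKS_PER_DAY),
                           ("1 day", -1 * TICKS_PER_DAY),
                           ("0 (disabled)", 0)):
        status = change_status(pwd_last_set, min_age, now)
        print(f"minPwdAge {label}: blocked={status['blocked']} wait={status['wait']}")
```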