Can’t change password – The password does not meet the password policy requirements.

Ever have a user call and complain that they can’t change their password?

They get an error message “The password does not meet the password policy requirements.” but they promise that the new password is complex?

Any you try and get the same thing?

Could be a minimum password age policy issue…

 

 

This powershell will lookup your domain password policy and match it against a user and the last password change.

 

I am posting this mostly because I had a hard time retrieving the  domain policy parts.

$Domain.maxPwdAge.Value kept returning an object of System.__ComObject

It took a lot of searching to eventually find a way to get the actual value out.

I am sorry I didn’t save the links to give credit… At the same time anyone who can explain this to all of us I would sure like to understand why $lngMaxPwdAge = $Domain.ConvertLargeIntegerToInt64($MPA) works and $mpa.value does not…


$MPA = $Domain.maxPwdAge.Value

<em id="__mceDel">$lngMaxPwdAge = $Domain.ConvertLargeIntegerToInt64($MPA)</em>

 

 

Either way here is the script that will tell you the policy and when a password was last changed.

It will show an alert if the password is under the min or over the max password age.


cls

$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]'')

While (!$result)
{
$UserName = Read-Host 'Username to check : '
if (!$UserName)
{
Write-Host "No Username Entered"
exit
}
$searcher.Filter = "(&(objectClass=User)(samAccountName=" + $username + "))"
$result = $searcher.Findone()
}
# get domain password policy (max pw age)
$D = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$Domain = [ADSI]"LDAP://$D"
$MPA = $Domain.maxPwdAge.Value
$MinPA = $Domain.minPwdAge.Value
# Convert to Int64 ticks (100-nanosecond intervals).
$lngMaxPwdAge = $Domain.ConvertLargeIntegerToInt64($MPA)
$lngMinPwdAge = $Domain.ConvertLargeIntegerToInt64($MinPA)
$MinPwdLength = $Domain.minPwdLength
$PwdHistory = $Domain.pwdHistoryLength

# Convert to days.
$MaxPwdAge = -$lngMaxPwdAge/(600000000 * 1440)
$MinPwdAge = -$lngMinPwdAge/(600000000 * 1440)

$lngPwdLastSet =$result.Properties.pwdlastset
$pwdLastSet = [datetime]::FromFileTime($lngPwdLastSet[0])

Write-Host $result.Path
Write-Host $result.Properties.cn " " $result.Properties.userprincipalname
Write-Host "Password Last Set : " $pwdLastSet
Write-Host "Max Password Age : " $MaxPwdAge
Write-Host "Min Password Age : " $MinPwdAge
Write-Host "Password History : " $PwdHistory
Write-Host "Min Password Length : " $MinPwdLength
if ($pwdLastSet -ge (Get-Date).AddDays(-$MinPwdAge)){Write-Host -ForegroundColor Red "Password can not be changed - Min Age"}
if ($pwdLastSet -ge (Get-Date).AddDays($MaxPwdAge)){Write-Host -ForegroundColor Red "Password Expired"}

Enjoy.

 

Leave a Reply

Your email address will not be published. Required fields are marked *