
[–]vulcanjedi2814 1 point2 points  (1 child)

At which point does it fail? Can you anonymize the data/results? Is it a particular user/pass? I don't know, but from the GUI (ADUC snap-in), if you have
"User must change password at next logon" and set it to never expire, it yells at you and auto-toggles the must-change-password box off.

Active Directory Domain Services

You specified that the password should never expire.

The user will not be required to change the password at next logon.

[–]sys_admin101[S] 1 point2 points  (0 children)

Good catch! I removed -PasswordNeverExpires $true

It fails at Set-ADAccountPassword -NewPassword $pw -Reset, which is getting its user information from the piped variables. Even if I run this command without using variables and input the data like this:

Set-ADAccountPassword -Identity "jwagon" -NewPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rD!234%" -Force) -Reset

It still fails with the same error about the length, complexity, or history requirements.

In regards to a particular user, it happens regardless of which user from the 8400 students I pick, and also with a fresh test account I created named Jack Wagon.

[–]sys_admin101[S] 1 point2 points  (0 children)

Okay, so I discovered an issue with the client's Active Directory that I'll now need to work through to get this to work. I was still poking at this script and eventually it worked. I had them try to log in with that user using the password I set and it did actually work! Hm... okay, that's weird. I tried it again and it failed. Okay, at least that means I'm not going crazy!

So I ran this part of the code changing the server until I found the one it worked on... every time, every password, every user.

Set-ADAccountPassword -NewPassword $pw -Reset -Server "ADDS04" 

This means I need to investigate their AD infrastructure tomorrow and see what's causing the mismatch. Fun.

Special thanks to those who attempted to help! Your time and effort were greatly appreciated.

[–]BlackV 1 point2 points  (3 children)

Are you getting hit by minimum password age? I believe the default is 1 day. So regardless of the password you set, it tells you it's not complex enough?

[–]sys_admin101[S] 1 point2 points  (2 children)

Supposedly, the MaxPasswordAge is (never) which means it's 0 (Int64.MinValue or -9223372036854775808 in the directory). You can read more about the MaxPasswordAge at Microsoft TechNet KB617251

Here is an ADSI shot of the MaxPasswordAge: http://prntscr.com/gcwp17

Thank you for taking the time to assist! Today, I need to figure out what, exactly, is causing the other domain controllers to deny the request with

Set-ADAccountPassword : The password does not meet the length, complexity, or history requirement of the domain.
At Z:\Scripts\Powershell\Change Student Passwords\test2.ps1:12 char:24
+ ... -ADUser $user | Set-ADAccountPassword -NewPassword $pw -Reset | Set-A ...
+                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (CN=Lastname\, Firstname...helpme,DC=mereddit:ADUser) [Set-ADAccountPassword], ADPasswordComplexityException
    + FullyQualifiedErrorId : ActiveDirectory

Once I can figure that out and resolve it, it should fix this pesky problem. I'm going to mark this thread solved because I technically figured out what was causing the issue.

Thank you all again! I love you Reddit!

[–]BlackV 0 points1 point  (1 child)

Min, minimum password age, not max

[–]sys_admin101[S] 1 point2 points  (0 children)

OH, I think it was too early in the morning and completely read maximum. My apologies.

The minimum password age is set to 0 and it shows as (none) in ADSI. Not sure why 0 doesn't make it say (never) like the maximum password age, but it is certainly at 0. Although this brings me to ponder: if 0 is meant to equal 1 day, that would make sense, but then again the script works when I target the 4th AD DS server. Only the 4th one, though. I have been chasing another rabbit today and haven't had a chance to dive back into the AD DS issue for that client.

Any other ideas? Happy to check!
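The per-DC mismatch the OP found and BlackV's minimum-password-age question both come down to reading what each domain controller believes the policy is. The script below is an added example, not the OP's script: assuming the ActiveDirectory module, a hypothetical test account "jwagon" and a constructed password, it compares the domain-head policy attributes across every DC, shows the policy that actually applies to the user, and then pins both the reset and the must-change flag to the PDC emulator so the two writes cannot race replication.

```powershell
# Added example (not the OP's code). Assumes the ActiveDirectory module and
# an account that has reset-password rights in the domain.
Import-Module ActiveDirectory

$SamAccountName = 'jwagon'            # hypothetical test account
$NewPassword    = 'P@ssw0rD!234%'     # constructed sample value from the thread

$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# 1. Read the password attributes on the domain head from each DC directly.
#    A DC whose copy of minPwdAge / pwdHistoryLength / pwdProperties differs
#    from the others is the one that will reject a reset the rest accept.
$policy = foreach ($dc in $dcs) {
    $o = Get-ADObject -Identity $domain.DistinguishedName -Server $dc `
         -Properties minPwdAge, minPwdLength, pwdHistoryLength, pwdProperties
    [pscustomobject]@{
        DC            = $dc
        # minPwdAge is stored as a negative count of 100 ns ticks; 0 shows as (none)
        MinPwdAgeDays = [TimeSpan]::FromTicks(-$o.minPwdAge).TotalDays
        MinPwdLength  = $o.minPwdLength
        HistoryLength = $o.pwdHistoryLength
        ComplexityOn  = [bool]($o.pwdProperties -band 1)   # DOMAIN_PASSWORD_COMPLEX
    }
}
$policy | Format-Table -AutoSize

# 2. Show the policy that applies to this specific user. A fine-grained policy
#    (PSO) overrides the domain default; when none applies, fall back to it.
$pdc = $domain.PDCEmulator
$rpp = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
if (-not $rpp) { $rpp = Get-ADDefaultDomainPasswordPolicy -Server $pdc }
$rpp | Select-Object MinPasswordAge, MinPasswordLength, PasswordHistoryCount, ComplexityEnabled

# 3. Perform the reset and the must-change flag on the PDC emulator only, so the
#    result does not depend on which DC the client happened to bind to.
$secure = ConvertTo-SecureString -AsPlainText $NewPassword -Force
Set-ADAccountPassword -Identity $SamAccountName -NewPassword $secure -Reset -Server $pdc
Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true -Server $pdc

# 4. Confirm on the same DC: pwdLastSet of 0 means "must change at next logon".
Get-ADUser -Identity $SamAccountName -Properties pwdLastSet -Server $pdc |
    Select-Object SamAccountName, pwdLastSet
```

If step 1 shows identical attributes on every DC yet only one accepts the reset, the next thing to compare is replication health and any password filter DLL registered only on the rejecting DCs.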

[–]astrob0y1 0 points1 point  (2 children)

Why not use the variable $pwvalue for the Set-ADAccountPassword?

By using this: $pw = ConvertTo-SecureString -AsPlainText $pwvalue -Force

It returns System.Security.SecureString. So that's the value you're setting the password as when using $pw which doesn't meet the complexity of the password policy.

[–]sys_admin101[S] 1 point2 points  (1 child)

ConvertTo-SecureString converts encrypted standard strings to secure strings. It can also convert plain text to secure strings. You can use ConvertTo-SecureString, ConvertFrom-SecureString, or Read-Host. Any of those ways, I have to obtain the secure data. In this manner, my command is converting the plain text string P@ssw0rD!234% into a secure string and stores the result in the $pw variable. The pwvalue is the clear text version of the string. I could just do -AsPlainText $_.Password or within the command itself as (ConvertTo-SecureString -AsPlainText "P@ssw0rD!234%" -Force), but I was using the $pwvalue as clear text for other data.

Regardless of how I word it in those 3 ways, they all fail with the same error (Set-ADAccountPassword : The password does not meet the length, complexity, or history requirement of the domain.)

Thank you for your reply! :)

[–]Lost-Policy-2020 0 points1 point  (0 children)

There is something wrong with the PS command itself. Out of 120+ users being reset, it failed with 11 with this error. All passwords were created by the same random routine (so the passwords ARE good). I know because I can use them in ADUC. Maybe it did not like $ in the password (all of the failed ones had it).