KB-8828: Mac password change error: password does not meet the complexity requirements

Centrify Identity Service, Mac Edition

16 June,17 at 04:29 PM

Question:

When a Mac user tries to change his password, the change may fail even though the new password does meet the complexity requirements. What troubleshooting steps can an administrator take?



Answer:

1. To take the complexity requirements out of the equation, the administrator can start troubleshooting by generating a new password and having the end user try it. As a reminder, if the policy "Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy > Password must meet complexity requirements" is enabled, passwords must meet the following minimum requirements:

- Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
- Be at least six characters in length
- Contain characters from three of the following four categories:
    - English uppercase characters (A through Z)
    - English lowercase characters (a through z)
    - Base 10 digits (0 through 9)
    - Non-alphabetic characters (for example, !, $, #, %)

Complexity requirements are enforced when passwords are changed or created.
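As an added example that is not part of the KB, a Python precheck implementing the requirements listed above, so the administrator can confirm that a generated password really satisfies the policy before handing it to the user. The full-name tokenization (split on commas, periods, hyphens, underscores, spaces, pound signs and tabs; only tokens of three or more characters count) is an assumption based on how Windows documents the rule; the KB text only states the rule itself.

```python
import re

# Delimiters used to split the full name into tokens for the "must not
# contain the account name or full-name parts" rule (assumption: follows
# the documented Windows tokenization; the KB only states the rule).
_NAME_DELIMS = re.compile(r"[,.\-_ #\t]+")

def name_fragments(account_name, full_name=""):
    """Lower-cased fragments a password must not contain: the whole account
    name, plus every full-name token longer than two characters."""
    frags = {account_name.lower()} if account_name else set()
    for tok in _NAME_DELIMS.split(full_name):
        if len(tok) > 2:
            frags.add(tok.lower())
    return frags

def category_count(pw):
    """How many of the four character categories the password draws from.
    Digits are their own category, so 'non-alphabetic' is taken as
    non-alphanumeric here to avoid counting a digit twice."""
    return sum([
        any("A" <= c <= "Z" for c in pw),
        any("a" <= c <= "z" for c in pw),
        any("0" <= c <= "9" for c in pw),
        any(not c.isalnum() for c in pw),
    ])

def check_complexity(pw, account_name, full_name=""):
    """Return the list of policy rules the password fails (empty = passes)."""
    failures = []
    if len(pw) < 6:
        failures.append("shorter than six characters")
    if category_count(pw) < 3:
        failures.append("fewer than three of the four character categories")
    low = pw.lower()
    hits = sorted(f for f in name_fragments(account_name, full_name) if f in low)
    if hits:
        failures.append("contains name fragment(s): " + ", ".join(hits))
    return failures

if __name__ == "__main__":
    # Constructed sample: candidate passwords for account jdoe, full name "John Doe"
    for pw in ("Passw0rd", "JohnDoe1!", "abc12", "Jo1234x!"):
        print(pw, "->", check_complexity(pw, "jdoe", "John Doe") or "OK")
```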


2. One policy that can prevent users from changing their password is "Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy > Minimum password age". If it is enabled and set to 1, for example, the user has to wait 24 hours after a password change before he can change it again. This requirement is easy to miss and is the most likely cause if the password generated in step #1 was not accepted. There are 3 ways to verify when the password was last changed:

        a. On the Mac:
The administrator can have the end user run: $ adquery user -A username
and look for the "nextPasswordChange:" and "lastPasswordChange:" fields:

 
unixname:username
uid:1463207863
gid:898144272
gecos:username
home:/Users/username
shell:/bin/bash
auditLevel:AuditIfPossible
isAlwaysPermitLogin:false
dn:CN=username,CN=Users,DC=domain,DC=com
samAccountName:username
displayName:username
sid:S-1-5-21-589049004-2262218657-1777991859-1106
userPrincipalName:username@domain.com
canonicalName:domain.com/Users/username
passwordHash:x
guid:d736c7b7-c58c-4b63-a682-3db8e71b1437
accountExpires:Never
passwordExpires:Never
passwordWillExpire:-2
nextPasswordChange:Wed May 25 08:47:02 2016
lastPasswordChange:Tue May 24 08:47:02 2016
accountLocked:false
accountDisabled:false
zoneEnabled:true
unixGroups:denied rodc password replication group,domain admins,domain users,enterprise admins,mac admins,domain,schema admins
memberOf:domain.com/Users/Denied RODC Password Replication Group,domain.com/Users/Domain Admins,domain.com/Users/Domain Users,domain.com/Users/Enterprise Admins,domain.com/Users/Mac admins,domain.com/Users/domain,domain.com/Users/Schema Admins


        b. On a Domain Controller:
The administrator can run the following command: >net user username
and look for the "Password last set" and "Password changeable" fields:


User name                    username
Full Name                    username
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            5/24/2016 8:47:02 AM
Password expires             Never
Password changeable          5/25/2016 8:47:02 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   5/24/2016 8:47:02 AM

Logon hours allowed          All

Local Group Memberships      *Administrators
Global Group memberships           *Domain Users         *Domain Admins
                             *Domain               *Mac admins
                             *Enterprise Admins    *Schema Admins
The command completed successfully.


        c. In the debug logs collected by Centrify Support via the MacDiagnosticTool: in the "ALL_USER_Info.txt" file, look for the username:

username:nextPasswordChange:Wed May 25 8:47:02 2016
username:lastPasswordChange:Tue May 24 8:47:02 2016
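As an added example that is not part of the KB, a small Python helper that pulls the lastPasswordChange/nextPasswordChange fields out of either the adquery output from (a) or the ALL_USER_Info.txt lines from (c), and tells the administrator whether the Minimum password age window is still in force. The sample lines are constructed from the output shown above.

```python
from datetime import datetime, timedelta

# Timestamp format used by adquery and ALL_USER_Info.txt ("Tue May 24 08:47:02 2016");
# the debug-log variant drops the zero padding ("8:47:02"), which %H accepts.
_TIME_FMT = "%a %b %d %H:%M:%S %Y"
_KEYS = ("lastPasswordChange", "nextPasswordChange")

def parse_password_times(text, username=None):
    """Extract the two password-change timestamps from adquery output
    ('key:value' lines) or the ALL_USER_Info.txt dump ('user:key:value' lines).
    With username set, other users' lines in the dump are ignored."""
    found = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in _KEYS:      # user:key:value
            if username is not None and parts[0] != username:
                continue
            key, value = parts[1], parts[2]
        elif parts[0] in _KEYS:                         # key:value
            key, value = parts[0], line.split(":", 1)[1]
        else:
            continue
        found[key] = datetime.strptime(value.strip(), _TIME_FMT)
    missing = [k for k in _KEYS if k not in found]
    if missing:
        raise ValueError("missing field(s): " + ", ".join(missing))
    return found

def password_change_status(times, now_text):
    """Given the parsed timestamps and the current time in the same format,
    report whether a change is allowed now, how long to wait if not, and the
    minimum-age window the two timestamps imply (policy value 1 = 1 day)."""
    now = datetime.strptime(now_text, _TIME_FMT)
    last, nxt = times["lastPasswordChange"], times["nextPasswordChange"]
    wait = max(nxt - now, timedelta(0))
    return {"allowed": now >= nxt,
            "wait_seconds": int(wait.total_seconds()),
            "min_age_days": (nxt - last).days}

# Constructed samples, taken from the KB output above
SAMPLE_ADQUERY = """unixname:username
passwordExpires:Never
nextPasswordChange:Wed May 25 08:47:02 2016
lastPasswordChange:Tue May 24 08:47:02 2016
accountLocked:false"""
SAMPLE_LOG = """other:nextPasswordChange:Mon Jan 04 09:00:00 2016
username:nextPasswordChange:Wed May 25 8:47:02 2016
username:lastPasswordChange:Tue May 24 8:47:02 2016"""
```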


3. If no "Minimum password age" policy is set up, the next step is to have the user try to change his password on a Windows machine. If it fails there as well, the cause is most likely related to that AD user account (account locked out, account or password expired, ...).


4. If the user still has issues when attempting to change the password the next day (or after the administrator sets the "Minimum password age" policy to 0), please contact Support. A network trace (tcpdump) and debug logs will most likely be needed.
