Both source and target domains have an identical password policy, but the DSA sometimes reports "The value provided for the new password does not meet the length, complexity, or history requirement of the domain".
How can this be explained and addressed?
QMM Release Notes explain:
Although several issues related to the "The value provided for the new password does not meet the length, complexity, or history requirement of the domain" error were resolved, you may still get this error message in the following situations:
If the source password is empty, while the minimum password length on the target is set to more than 0 characters.
If the source password was previously migrated to the target and is stored in password history of the target account.
In most cases the error "The value provided for the new password does not meet the length, complexity, or history requirement of the domain" is caused by the password history.
Temporarily removing the password history setting in the target domain will confirm this and will most probably resolve the issue.
Example:
The source domain's password policy allows a history of 2 passwords.
The target domain's password policy allows a history of 4 passwords.
Now the source user changes his password, and if he keeps using the same 3 passwords again and again, the following will happen:
Source user's password is FirstPassword - DSA copies FirstPassword to target
Source user's password is SecondPassword - DSA copies SecondPassword to target
Source user's password is ThirdPassword - DSA copies ThirdPassword to target
Source user changes his password back to FirstPassword. This is allowed and works fine in the source, because the source has a history of 2 passwords and allows the user to use anything except the last 2 passwords.
DSA tries to copy the FirstPassword value to the target.
Target AD refuses to apply this value! The target domain's password history allows 4 passwords, and this value is already stored in the target user's hash, so the target user cannot use FirstPassword again until he has used 4 other passwords.
The target user's hash contains values for FirstPassword, SecondPassword and ThirdPassword, so they cannot be used again until the target user has used 4 other different passwords, according to the policy.
This is a simple (or simplified) non-technical explanation of the issue.
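The scenario above can be replayed as a small simulation. This is an added example, not code from QMM or the DSA: the names Account and replay are hypothetical, a history of N is modelled as "the last N passwords set are blocked" (as in the example above), and plain-text labels stand in for the stored password hashes.

```python
from collections import deque


class Account:
    """Simplified account model (assumption): a password is rejected if it is
    among the last `history` passwords set on this account."""

    def __init__(self, history):
        # deque(maxlen=0) remembers nothing, i.e. password history disabled.
        self.recent = deque(maxlen=history)

    def set_password(self, password):
        if password in self.recent:
            return False  # history requirement not met
        self.recent.append(password)
        return True


def replay(changes, source_history, target_history):
    """Apply each source password change, then copy it to the target the way
    a password sync would. Returns a list of (password, outcome) tuples."""
    source = Account(source_history)
    target = Account(target_history)
    results = []
    for password in changes:
        if not source.set_password(password):
            results.append((password, "rejected by source"))
            continue
        copied = target.set_password(password)
        results.append((password, "copied" if copied else "target refused (history)"))
    return results


# Constructed input: the password sequence from the example above.
CHANGES = ["FirstPassword", "SecondPassword", "ThirdPassword", "FirstPassword"]

if __name__ == "__main__":
    for label, target_history in (("target history 4", 4), ("target history 0", 0)):
        print(label)
        for password, outcome in replay(CHANGES, 2, target_history):
            print(f"  {password}: {outcome}")
```

With the target history set to 0 the fourth change is copied, which matches the diagnostic step of temporarily removing the password history setting in the target domain.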