Why are Active Directory password resets ignoring the Password History Count rule?
I have a situation whereby an AD domain I am working with has a sensible enough password policy in place (e.g., sufficiently high PasswordHistoryCount
, MinPasswordLength
settings etc.). I can change a given user's password via PowerShell easily enough using the Set-ADAccountPassword
cmdlet, like so:
Set-ADAccountPassword
-Identity "Forename.Surname"
-NewPassword (ConvertTo-SecureString -AsPlainText "incorrectp0nypetrolnail" -Force)
-OldPassword (ConvertTo-SecureString -AsPlainText "correcth0rsebatterystaple" -Force)
The above also raises an ADPasswordComplexityException
expection when the password policy is violated when attempting to re-use a password, i.e., with the message:
"The password does not meet the length, complexity, or history requirement of the domain."
However, the password history policy is not being enforced when passwords are reset. This occurs either when using the "Active Directory Users and Computers" UI, or when using the Set-ADAccountPassword
cmdlet like so (assume the password below has been previously used by the user):
Set-ADAccountPassword
-Identity "Forename.Surname"
-Reset
-NewPassword (ConvertTo-SecureString -AsPlainText "correcth0rsebatterystaple" -Force)
I would have expected the same ADPasswordComplexityException
exception to have been raised in this situation.
So - is there any way to prevent a user from reusing passwords when a password reset is made? If not, what are sensible reasons for allowing this?
That is the expected behavior and is by design. Administrative resets are not subject to age or history requirements.