We often get questions from customers about password resets and changes in Microsoft Active Directory when the customer wants to know why password reset operations ignore certain Active Directory password policy settings like minimum password age. Web Active Directory products like PeoplePassword and IISADMPWD Replacement Tool both support password changes while only PeoplePassword supports password resets. All notes below come directly from Microsoft’s core Active Directory design and are not extensions or features added by any Web Active Directory products.
In summary, a password reset is a restricted administrative operation: it does not require the current password, and it ignores the minimum password age and password history settings in the domain password policy. A password change is available to every user, requires knowledge of the current password, and is subject to all password policy settings.
Password Resets in Active Directory
In a nutshell, a password reset (sometimes called an administrative password reset) exists to let administrators reset a forgotten or unknown Active Directory account password to a known value. The operation does not require knowledge of the user’s current password, and for that reason password resets in Active Directory require administrative permissions that by default are granted only to members of the Administrators and Account Operators groups.
Often, a reset is accompanied by setting the “User must change password at next logon” flag so the account owner can then set a new password known only to them. Because a reset moves the password from a forgotten or unknown value to a known value, only the password policy settings listed below are enforced. Account lockout status is also ignored, since accounts frequently become locked out when a user authenticates with an invalid password and exceeds the Active Directory threshold for failed logins.
Active Directory Password Policy Settings Enforced for Password Resets
- Minimum allowed length
- Maximum allowed age
- Password complexity
Note that password resets ignore the minimum allowed age and password history requirements. The password change operation, by contrast, does not ignore these password policy settings.
Password Changes in Active Directory
By nature, a password change is available to any user who knows the account’s current password. In this case, Active Directory enforces every password policy setting.
Active Directory Password Policy Settings Enforced for Password Changes
- Minimum allowed length
- Maximum allowed age
- Minimum allowed age
- Password complexity
- Password history
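Because a reset needs no current password and bypasses minimum age and history, it is the operation a defender wants to watch separately from routine self-service changes. The example below is added here and is not code from the original article or from any Web Active Directory product. It assumes the Windows Security log records a change attempt as event ID 4723 and a reset attempt as event ID 4724, each carrying a subject (who acted) and a target (whose password), and that success or failure is reflected in the event’s Keywords field; the sample events are constructed for this example, not real log data. It classifies the two operations and reports resets performed by accounts outside an allowlist of accounts expected to hold reset permissions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed Windows Security event IDs for the two operations the article
# distinguishes (the IDs are not stated in the article itself).
PASSWORD_CHANGE = 4723   # user supplied the current password; full policy applies
PASSWORD_RESET = 4724    # administrative reset; minimum age and history are bypassed

# Constructed sample events, loosely following the real events' fields.
# Not real log data.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "4723", "SubjectUserName": "jdoe",      "TargetUserName": "jdoe",       "Keywords": "Audit Success"},
    {"EventID": "4724", "SubjectUserName": "helpdesk1", "TargetUserName": "asmith",     "Keywords": "Audit Success"},
    {"EventID": "4724", "SubjectUserName": "jdoe",      "TargetUserName": "bjones",     "Keywords": "Audit Success"},
    {"EventID": "4723", "SubjectUserName": "asmith",    "TargetUserName": "asmith",     "Keywords": "Audit Failure"},
    {"EventID": "4724", "SubjectUserName": "helpdesk1", "TargetUserName": "svc-backup", "Keywords": "Audit Success"},
    {"EventID": "4740", "SubjectUserName": "DC01$",     "TargetUserName": "asmith",     "Keywords": "Audit Success"},
]


@dataclass(frozen=True)
class PasswordEvent:
    kind: str          # "change" (knew the old password) or "reset" (did not)
    subject: str       # account that performed the operation
    target: str        # account whose password was affected
    success: bool
    self_service: bool  # subject acted on its own account


def classify(event: Dict[str, str]) -> Optional[PasswordEvent]:
    """Map one raw event to a PasswordEvent, or None if it is neither a
    change nor a reset attempt."""
    event_id = int(event["EventID"])
    if event_id == PASSWORD_CHANGE:
        kind = "change"
    elif event_id == PASSWORD_RESET:
        kind = "reset"
    else:
        return None
    subject = event["SubjectUserName"]
    target = event["TargetUserName"]
    return PasswordEvent(
        kind=kind,
        subject=subject,
        target=target,
        success=event.get("Keywords") == "Audit Success",
        self_service=subject.lower() == target.lower(),
    )


def summarize(events: List[Dict[str, str]]) -> Dict[tuple, int]:
    """Count events by (operation, outcome); other event IDs are skipped."""
    counts: Counter = Counter()
    for raw in events:
        ev = classify(raw)
        if ev is not None:
            counts[(ev.kind, "ok" if ev.success else "failed")] += 1
    return dict(counts)


def find_unexpected_resets(events: List[Dict[str, str]],
                           authorized_resetters: List[str]) -> List[PasswordEvent]:
    """Return reset attempts whose subject is not on the allowlist.

    A reset requires no current password and skips minimum age and
    history, so a subject outside the set of accounts expected to hold
    reset permissions (helpdesk staff, a self-service portal's service
    account) is the first thing to review.
    """
    allowed = {name.lower() for name in authorized_resetters}
    return [
        ev for ev in (classify(raw) for raw in events)
        if ev is not None and ev.kind == "reset" and ev.subject.lower() not in allowed
    ]


if __name__ == "__main__":
    print("summary:", summarize(SAMPLE_EVENTS))
    for ev in find_unexpected_resets(SAMPLE_EVENTS, ["helpdesk1"]):
        print(f"unexpected reset: {ev.subject} reset the password of {ev.target}")
```

A self-service reset tool such as the one the article describes performs the reset under its own service account, so that account, not the end user, appears as the subject of the 4724 event and belongs on the allowlist; a change made by the user after a “must change at next logon” reset shows up as a separate 4723 event with the user as both subject and target.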
More Information
- Distinguishing Between Reset Password and Change Password: http://www.windowsitpro.com/article/permissions/distinguishing-between-reset-password-and-change-password-23966
- What is the difference between the Change Password and Reset Password extended right? http://www.activedirsec.org/t43140076/what-is-the-difference-between-the-change-password-and-reset/