User cannot change password more than once a day in SSPR.

  • 7012136
  • 11-Apr-2013
  • 11-Apr-2013

Environment

NetIQ Self Service Password Reset
SSPR 2.0 HF1a
Active Directory 
Enforce Microsoft AD password complexity set to true

Situation

User is not able to change the password more than once in a day in SSPR.

In the "change password" screen, accessed directly from the SSPR main menu, trying to change the password more than once a day loops the user back to the SSPR change password screen without changing the password.  LDAP error 19 (constraint violation) shows in the error log.

Resolution

While testing, set the "Minimum Password Age" to 0.  Change it back when testing is finished. 

Cause

By default, the Active Directory password policy sets "Minimum password age" to one day.  This means that a user must use a password for one day before changing it.
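The following is an added example, not part of the original article or of SSPR. It shows how the minimum-age check can be reproduced from two LDAP attributes, assuming you have read the raw values of `pwdLastSet` (on the user) and `minPwdAge` (on the domain object). The sample values are constructed, and fine-grained password policies are not considered.

```python
from datetime import datetime, timedelta, timezone

# AD stores times as FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

def datetime_to_filetime(dt):
    """Helper used only to build constructed sample values."""
    delta = dt - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND
            + delta.microseconds * 10)

def filetime_to_datetime(value):
    """Convert a raw pwdLastSet value to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)

def min_age_to_timedelta(min_pwd_age):
    """minPwdAge is a negative tick count; 0 means no minimum age."""
    return timedelta(microseconds=abs(int(min_pwd_age)) // 10)

def earliest_change(pwd_last_set, min_pwd_age):
    """Earliest time the user may change the password, or None if the
    minimum age does not apply (policy set to 0, or pwdLastSet == 0,
    which marks 'must change at next logon')."""
    if int(pwd_last_set) == 0 or int(min_pwd_age) == 0:
        return None
    return filetime_to_datetime(pwd_last_set) + min_age_to_timedelta(min_pwd_age)

def change_blocked(pwd_last_set, min_pwd_age, now):
    """True when a user-initiated change at 'now' falls inside the
    minimum-age window (the case reported above as LDAP error 19)."""
    earliest = earliest_change(pwd_last_set, min_pwd_age)
    return earliest is not None and now < earliest

if __name__ == "__main__":
    # Constructed sample: password last set 2013-04-11 09:00 UTC,
    # default domain policy of one day (-864000000000 ticks).
    last_set = datetime(2013, 4, 11, 9, 0, tzinfo=timezone.utc)
    pwd_last_set = datetime_to_filetime(last_set)
    one_day = -864000000000
    retry = last_set + timedelta(hours=3)
    print("earliest change:", earliest_change(pwd_last_set, one_day))
    print("blocked after 3h:", change_blocked(pwd_last_set, one_day, retry))
    print("blocked with age 0:", change_blocked(pwd_last_set, 0, retry))
```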

Additional Information

Setting the "Minimum Password Age" to 0 allows the password to be changed multiple times in succession.  When testing is finished, be sure to set it back to a value other than 0 if you want the password history restriction in the AD policy to be enforced.  Microsoft discourages setting "Minimum Password Age" to 0, pointing out that doing so somewhat negates the value of the password history list.  See http://technet.microsoft.com/en-us/library/cc779758%28v=ws.10%29.aspx