As explained in “FIM 2010 SSPR Enforces Password History”, FIM 2010 can now be configured to enforce the password policies configured in the domain. After implementing this, the first thing you want to do is grab a test account and start testing. You’ll be happy to see the following message after trying to perform a reset with a password that was used before:
It says: “The password you entered does not comply with the security policy. Please choose a new password or check with your system administrator for details on the password policy requirements”. So you go on and try a different password, one which hasn’t been used in the past, of course. Still the same message appears. Now I’ll be damned, my SSPR is broken! But is it?
There is a simple explanation: as stated in KB2386717 (“The ‘Enforce password history’ and ‘Minimum password age’ Group Policy settings do not work when you reset the password for a Windows Server 2008 R2-based computer”), not only is the Password History enforced, the Minimum Password Age is enforced as well. This means you can only reset a password once a day, for example. In our actual policy the Minimum Password Age is 1 day; in the screenshot below I temporarily disabled it by setting it to 0 days so I could reset a password multiple times.
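Rather than lowering the Minimum Password Age in the domain policy just to test SSPR, you can check whether a test account is still inside that window. The following PowerShell is an added example and not code from the original post or from FIM; it assumes the ActiveDirectory RSAT module is installed and that the account running it may read the user’s attributes.

```powershell
# Added example: report whether a reset for this account would currently be
# rejected because of the Minimum Password Age, and when it becomes allowed.
Import-Module ActiveDirectory

function Test-MinPasswordAgeBlock {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet, pwdLastSet

    # A fine-grained password policy (PSO) overrides the domain default when one applies;
    # fall back to the Default Domain Policy otherwise.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $user
    if (-not $policy) {
        $policy = Get-ADDefaultDomainPasswordPolicy
    }

    # pwdLastSet = 0 means "user must change password at next logon"; in that
    # state the minimum age does not apply, so a reset is not blocked by it.
    if ($user.pwdLastSet -eq 0 -or -not $user.PasswordLastSet) {
        return [pscustomobject]@{
            User         = $SamAccountName
            Blocked      = $false
            Reason       = 'Password must be changed at next logon'
            AllowedAfter = $null
        }
    }

    $allowedAfter = $user.PasswordLastSet + $policy.MinPasswordAge
    $blocked      = (Get-Date) -lt $allowedAfter

    [pscustomobject]@{
        User            = $SamAccountName
        PasswordLastSet = $user.PasswordLastSet
        MinPasswordAge  = $policy.MinPasswordAge
        HistoryCount    = $policy.PasswordHistoryCount
        Blocked         = $blocked
        Reason          = if ($blocked) { 'Inside Minimum Password Age window' } else { 'Reset allowed' }
        AllowedAfter    = $allowedAfter
    }
}

# 'testuser' is a placeholder account name, not one from the original post.
Test-MinPasswordAgeBlock -SamAccountName 'testuser'
```

When Blocked is True the generic “does not comply with the security policy” message is expected, even for a brand-new password, until AllowedAfter has passed.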
This is actually a pretty nasty setting when testing SSPR. It would be a lot better if the error said “you can only reset your password once a day, please contact an administrator”. Of course FIM is not to blame here; this is Active Directory. Whenever you try to change your password at the Ctrl-Alt-Del screen, you’ll get the same message popping up. I can imagine you don’t want to give too much information in your errors, so as to avoid pointing malicious people in the right direction…