
Could not create account in Active Directory complaining on password policy

Hi Experts 

I am getting a password policy violation error while adding ADSAccount to the target.

Please find the error below - 

ErrorMessages () [1777018] Error executing synchronization project (Active Directory Domain )'s workflow (Provisioning).
[1777124] Error executing projection step (user) of projection configuration (Provisioning (Provisioning)).
[1777219] Error executing synchronization step (user)!
[1777004] Method (Insert object (Insert)) could not be executed successfully.

Error executing user_password_Set on object  (Error: [System.Reflection.TargetInvocationException] Exception has been thrown by the target of an invocation.
[2226225] Password change for User test could not completed. The password does not meet policy requirements.
[System.Reflection.TargetInvocationException] Exception has been thrown by the target of an invocation.
[System.Runtime.InteropServices.COMException] The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements. (Exception from HRESULT: 0x800708C5)).
Password change for User test could not completed. The password does not meet policy requirements.
Exception has been thrown by the target of an invocation.

Error  writing object was tolerated because the object is a system object and cannot be changed.
The server is unwilling to process the request.

I am using the One Identity Manager password policy for the default. Password Manager is also set up in the environment, so Password Manager also has its own password policy.

The password I have set in the centralPassword of the person complies with all the password policies. Still not sure what is missing.

How can I debug the sync project on the password field to see exactly which password policy is being violated?

Thanks in advance

  • It is the AD password policy (the one from AD) that is complaining. So please check if you are able to insert a new AD user in AD directly with the same password. It should fail as well.

  • Thanks Markus for your quick reply. I thought the same way you do. The very first test I did was to create a test user in Active Directory with a valid password, then I used the same password in Identity Manager. Does not work for me :(. My problem is I could not see which password policy is being violated. Any light?

  • You cannot see which policy is being violated because the error coming from the AD API we are using does not provide that. You need to check your password policies in AD or the ones in Password Manager if you do have a Password Policy Manager (PPM) component in use.

  • Hi,

    How is your domain controller defined/configured in your sync project?

    I had this exact same problem ..... all AdHocProjection updates were working fine except for setting the password.

    The answer to 'my' problem is below ...... maybe it helps you:


    For all adhoc activities the sync project was working just fine ....... only failing when setting a password.

    The reason was that the CP_ADServer variable was set to an IP address and not the domain value (

    Once it was set to the password setting worked just fine ...... this is not an issue with OI but more to do with how the AD processes work.


    Additionally I was advised:  Kerberos does not function with IP addresses.

    Hope it helps, Barry.

  • In addition, do not use the FastBind option. If you do so, you are unable to set the password as well (again by design of the underlying API).

  • Thanks Barry. I believe your problem and my problem are similar. It is only failing when I set the password; otherwise AdHocProjection is working fine. I have checked the variable and the value of CP_ADServer is set with FQDN ( The only thing I can remember is that when I set up the AD sync project I put the IP address in the connection variable and the system automatically took the domain. I still do not know whether this is a problem or not.

  • It is probably silly to ask, however, where do I check this option? Thanks in advance

  • In the Synchronization Editor. It was selected when you set up the sync project. You can change it by re-running the connection wizard.

  • Ok. It is working now. For me the solution is, I have re-established the connection for the AD sync project. Did not put any IP anywhere and did not turn on the value secret for variable CP_BASEpassword. Thank you all.
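
Since the 0x800708C5 error does not say which rule failed, the AD policy values named in the reply above can be read directly and a candidate password pre-checked against them. The following is an added example, not code from the thread or from One Identity; it assumes the RSAT ActiveDirectory module, and the function name `Test-CandidatePassword` and the sample values are hypothetical.

```powershell
# Added example, not from the thread. Needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-CandidatePassword {
    param(
        [Parameter(Mandatory)] [string] $Candidate,
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $DisplayName = ''
    )
    $policy   = Get-ADDefaultDomainPasswordPolicy
    $problems = @()

    if ($Candidate.Length -lt $policy.MinPasswordLength) {
        $problems += "Shorter than MinPasswordLength ($($policy.MinPasswordLength))"
    }
    if ($policy.ComplexityEnabled) {
        # Complexity needs characters from at least three categories.
        # The symbol class is an approximation of AD's special-character list.
        $categories = 0
        foreach ($class in '\p{Lu}', '\p{Ll}', '[0-9]', '[^\p{L}\p{Nd}]') {
            if ($Candidate -cmatch $class) { $categories++ }
        }
        if ($categories -lt 3) {
            $problems += "Only $categories of 3 required character categories"
        }
        # The account name and display-name tokens of 3+ characters must not
        # appear in the password (case-insensitive).
        $tokens = @($SamAccountName) + ($DisplayName -split '[,.\-_ #\t]')
        foreach ($t in ($tokens | Where-Object { $_.Length -ge 3 })) {
            if ($Candidate.IndexOf($t, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $problems += "Contains name token '$t'"
            }
        }
    }
    if ($policy.PasswordHistoryCount -gt 0) {
        # History is enforced by the domain controller and cannot be checked here.
        Write-Warning "Password history ($($policy.PasswordHistoryCount)) is not checked"
    }
    $problems
}

# Fine-grained policies (PSOs) can override the domain default for some accounts.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, PasswordHistoryCount

# Constructed sample values.
Test-CandidatePassword -Candidate 'Constructed-Sample-1' -SamAccountName 'test' -DisplayName 'Test User'
```

An empty result means the candidate passes the default domain policy's length and complexity rules, which points the investigation at the connection settings or at a separate policy component instead.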