Windows error code 0x800708c5 when resetting a password using ADUC
(Last updated on August 2, 2018)
We recently had a case where a customer saw the following unfriendly message during an administrator password reset against a user.
The administrator performed the same reset from another DC in his environment (the same password against the same user), but got a different message.
As he was trialling our Specops Password Policy solution at the time, he wondered if this had something to do with us.
We did a little digging and found the following:
- The first unfriendly message was produced on a DC running Server 2012 (effectively Windows 8).
- The second more friendly message was produced on Server 2012 R2 (effectively Windows 8.1).
We tested this in our environment, on exactly the same OSes, without any Specops software installed, and got exactly the same message. We can confirm this is a Microsoft bug in Windows 2012 ADUC, which is unable to translate the error code returned by LSASS (0x800708c5), and has nothing to do with us.
The customer also pointed out that the Sentinel was reporting two failures in the application event log on the DCs during an attempt to reset a user’s password with something that did not match the Specops Password Policy.
We tested a reset using the AD PowerShell cmdlets (Set-ADAccountPassword) and got the expected single entry in the log.
Again, this looked like an issue with ADUC to us. To dig further into this we looked at the security logs on the DCs and found the following (with no Specops software installed at all).
ADUC, for some reason only known to Microsoft Developers, calls the reset password API TWICE, not once, as it should (as proven with the PowerShell commands).
As a bonus for anyone reading all the way to this part, if you ever see a hex code (this is a so-called HRESULT) that starts with 0x8007, like 0x800708c5, it means that it is a Win32 error (what most people see as an error code).
Take the last four characters and convert them from hex to decimal (08C5 hex equals 2245 decimal, if you check your calculator). Then, in a command prompt, type a simple “net helpmsg 2245” to get the actual message. In this case, “The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.” Armed with this knowledge, you can now figure out what message that error represents.
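The decoding rule above as a PowerShell function. This is an added example, not part of the original article, and the name Resolve-HResult is hypothetical. It goes slightly beyond the text: it also accepts the signed-decimal form in which some logs print an HRESULT, and it checks that the facility field really is 7 (FACILITY_WIN32, the "0x8007" prefix) before handing the low 16 bits to net helpmsg.

```powershell
# Added example: split an HRESULT into its fields and, for Win32-facility
# codes (the 0x8007xxxx family), look the text up with "net helpmsg".
function Resolve-HResult {            # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [string]$Value                # '0x800708c5' or signed decimal such as '-2147022651'
    )

    # Normalise both spellings to the same unsigned 32-bit value.
    if ($Value -match '^0x[0-9a-fA-F]{1,8}$') {
        $n = [int64][Convert]::ToUInt32($Value, 16)
    } elseif ($Value -match '^-?\d+$') {
        $n = [int64]$Value -band 4294967295   # keep the low 32 bits
    } else {
        throw "Not a hex (0x...) or decimal HRESULT: $Value"
    }

    # HRESULT layout: bit 31 = severity, bits 16-26 = facility, bits 0-15 = code.
    $severity = ($n -shr 31) -band 1
    $facility = ($n -shr 16) -band 0x7FF
    $code     = $n -band 0xFFFF

    $result = [pscustomobject]@{
        HResult  = '0x{0:x8}' -f $n
        Failure  = [bool]$severity
        Facility = $facility
        Code     = $code
        Message  = $null
    }

    # Only facility 7 wraps a plain Win32 error code; other facilities
    # use their own code spaces, so net helpmsg would give a misleading answer.
    if ($facility -eq 7) {
        $result.Message = (net helpmsg $code 2>$null | Where-Object { $_ }) -join ' '
    }
    $result
}

# The code from this article, in both spellings.
Resolve-HResult '0x800708c5'
Resolve-HResult '-2147022651'
```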