Windows error code 0x800708c5 when resetting a password using ADUC

We recently had a case where a customer saw the following unfriendly message during an administrator password reset against a user.

The administrator performed the same reset from another DC in his environment (the same password against the same user), but got a different message.

As he was trialling our Specops Password Policy solution at the time, he wondered if this had something to do with us.

We did a little digging and found the following:

  • The first, unfriendly message was produced on a DC running Server 2012 (effectively Windows 8).
  • The second, more friendly message was produced on Server 2012 R2 (effectively Windows 8.1).

We tested this in our environment, on exactly the same OSes, without any Specops software installed, and got exactly the same message. We can confirm this is a Microsoft bug in Windows 2012 ADUC, which is unable to translate the error code returned by LSASS (0x800708c5) into a readable message, and it has nothing to do with us.

The customer also pointed out that the Sentinel was reporting two failures in the application event log on the DCs when an attempt was made to reset a user’s password to something that did not match the Specops Password Policy.

We tested a reset using the AD PowerShell cmdlets (Set-ADAccountPassword) and got the expected single entry in the log.

Again, this looked like an issue with ADUC to us. To dig further into this we looked at the security logs on the DCs and found the following (with no Specops software installed at all).

ADUC, for some reason known only to Microsoft developers, calls the reset password API TWICE, not once as it should (as proven with the PowerShell commands).

As a bonus for anyone reading all the way to this part: if you ever see a hex code (a so-called HRESULT) that starts with 0x8007, like 0x800708c5, it means that it is a Win32 error (what most people see as an error code).

Take the last four characters and convert them from hex to decimal: 08C5 hex equals 2245 decimal, as your calculator will confirm. Then, in a command prompt, type “net helpmsg 2245” to get the actual message. In this case, “The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.” Armed with this knowledge, you can now figure out what message that error represents.
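The same lookup as a PowerShell function, generalized to check the facility field rather than the 0x8007 prefix by eye, and to accept the signed decimal form in which some logs print an HRESULT. This is an added example, not code from the original post; ConvertFrom-HResult is a hypothetical helper name, and the message text comes from the same net helpmsg command used above.

```powershell
# Added example (not from the original post). ConvertFrom-HResult is a
# hypothetical helper name; "net helpmsg" is the command the article uses.
function ConvertFrom-HResult {
    param(
        # '0x800708c5', or the signed/unsigned decimal form some logs show
        [Parameter(Mandatory = $true)]
        [string]$Value
    )

    $text = $Value.Trim()
    if ($text -match '^0x([0-9a-fA-F]{1,8})$') {
        [int64]$raw = [Convert]::ToInt64($Matches[1], 16)
    }
    elseif ($text -match '^-?\d{1,10}$') {
        # Reinterpret a signed 32-bit decimal as its unsigned bit pattern.
        [int64]$raw = ([int64]$text) -band 4294967295
    }
    else {
        throw "Not a 32-bit HRESULT: '$Value'"
    }

    # HRESULT layout: bit 31 = failure flag, bits 16-26 = facility, bits 0-15 = code.
    $isFailure = (($raw -shr 31) -band 1) -eq 1
    $facility  = [int](($raw -shr 16) -band 0x7FF)
    $code      = [int]($raw -band 0xFFFF)

    $win32Code = $null
    $message   = $null
    if ($facility -eq 7) {
        # Facility 7 is FACILITY_WIN32: the low 16 bits are a plain Win32 error code.
        $win32Code = $code
        $lines     = & net.exe helpmsg $code 2>$null
        $message   = ($lines | Where-Object { $_ -and $_.Trim() }) -join ' '
    }

    [pscustomobject]@{
        HResult   = '0x{0:X8}' -f $raw
        IsFailure = $isFailure
        Facility  = $facility
        Win32Code = $win32Code
        Message   = $message
    }
}

ConvertFrom-HResult '0x800708c5'    # the code from this article
ConvertFrom-HResult '-2147022651'   # the same HRESULT written as a signed decimal
```

For an HRESULT whose facility is not 7, Win32Code and Message stay empty, because the low 16 bits are then not a Win32 error number and net helpmsg would return an unrelated message.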


(Last updated on August 9, 2023)

Written by

Darren James

Darren James is a Senior Product Manager at Specops Software, an Outpost24 company. Darren is a seasoned cybersecurity professional with more than 20 years of experience in the IT industry. He has worked as a consultant across various organizations and sectors, including central and local governments, retail and energy. His areas of specialization include identity and access management, Active Directory, and Azure AD. Darren has been with Specops Software for more than 12 years and brings his expertise to the support and development of world-class password security and authentication solutions. 
