Windows error code 0x800708c5 when resetting a password using ADUC
(Last updated on August 2, 2018)
We recently had a case where a customer saw the following unfriendly message during an administrator password reset against a user.
The administrator performed the same reset from another DC in his environment (the same password against the same user), but got a different message.
As he was trialling our Specops Password Policy solution at the time, he wondered if this had something to do with us.
We did a little digging and found following:
- The first unfriendly message was produced on a DC running Server 2012 (effectively Windows 8)
- The second more friendly message was produced on Server 2012 R2 (effectively Windows 8.1).
We tested this in our environment, on exactly the same OS’s, without any Specops software installed and got exactly the same message. We can confirm this is a Microsoft bug in Windows 2012 ADUC, not being able to translate the error code from LSASS i.e. 0x800708c5, and nothing to do with us.
The customer also pointed out that the Sentinel was reporting two failures in the application eventlog on the DC’s during an attempt to reset a user’s password with something that did not match the Specops Password Policy.
We tested a reset using the AD PowerShell commandlets (set-ADAccountPassword) and got the expected one entry in the log.
Again, this looked like an issue with ADUC to us. To dig further into this we looked at the security logs on the DCs and found the following (with no Specops software installed at all).
ADUC, for some reason only known to Microsoft Developers, calls the reset password API TWICE, not once, as it should (as proven with the PowerShell commands).
As a bonus for anyone reading all the way to this part, if you ever see a hex code (this is a so-called HRESULT) that starts with 0x8007, like 0x800708c5, it means that it is a Win32 error (what most people see as an error code).
If you take the last four characters and convert from hex to decimal, e.g. 08C5 hex equals 2245 decimal if you check your calculator, and now in a command prompt, you can type a simple “net helpmsg 2245” and get the actual message. In this case, “The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.” Armed with this knowledge, you can now figure out what message that error represents.