Specops Authentication Client Support for Active Directory Fine-Grained Password Policies
Beginning with version 7.15, the Specops Authentication client supports dynamic feedback during CTRL+ALT+DEL password changes. Users are presented with real-time feedback on the password policy requirements for both Specops Password Policy policies and native Active Directory password policies (default domain policy and fine-grained password policies).
Users affected by an Active Directory fine-grained password policy may encounter the following error when initiating a CTRL+ALT+DEL password change:
The account [sAMAccountName] is affected by a fine grained password policy, but the current context does not have permission to read it.
This error occurs because the AD computer account for the workstation where the password change is being performed cannot read the fine-grained password policy settings in Active Directory. To resolve this error, the computer account must have read access to the fine-grained password policy object(s) in Active Directory.
Granting Access to Fine-Grained Password Policies
Launch the Active Directory Admin Center (from RSAT Active Directory tools) as a domain administrator. Navigate to the System\Password Settings Container container, right-click the fine-grained password policy affecting the users, and select Properties.
Scroll down to the Extensions section, and add read permission for your computer accounts. You can use Authenticated Users, Domain Computers, or your own security group that contains the computers with the Specops Authentication client installed. In our example we’ve used Domain Computers.
Once the change is complete and replicated, your clients should show the correct password policy rules during password change.
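The same change scripted with the ActiveDirectory PowerShell module, as an added example that is not taken from the Specops documentation: it reports which fine-grained password policies lack a read permission for a group and, when $Apply is set, grants it. The $GroupName and $Apply variables are assumptions of this example, and the group must be a domain group that Get-ADGroup can resolve.

```powershell
# Added example: audit and grant read access on fine-grained password policies.
# Requires the RSAT ActiveDirectory module and rights to modify the policy ACLs.
Import-Module ActiveDirectory

# Assumption: group that holds the workstations' computer accounts.
$GroupName = 'Domain Computers'
# Assumption: $false only reports; $true writes the ACL change.
$Apply     = $false

$sid  = (Get-ADGroup -Identity $GroupName).SID
$read = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $path = "AD:\$($pso.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # Explicit or inherited Allow rules for this group that cover a full
    # read of the object (not limited to a single property or property set).
    $existing = $acl.GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq 'Allow' -and
            $_.ObjectType -eq [guid]::Empty -and
            ($_.ActiveDirectoryRights -band $read) -eq $read
        }

    if ($existing) {
        Write-Output "OK       $($pso.Name): $GroupName already has read access"
        continue
    }

    Write-Output "MISSING  $($pso.Name): $GroupName has no read access"
    if ($Apply) {
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $read, [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
        Set-Acl -Path $path -AclObject $acl
        Write-Output "GRANTED  $($pso.Name): read access added for $GroupName"
    }
}
```

Run it once with $Apply left at $false to see which policies would change before writing any ACLs.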