We sync AD users across domains that are not in a single forest, say from “DC=contoso,DC=com” to “DC=fabrikam,DC=com”. Without going into too much detail, we do some matching and use a rules extension to convert a few values so they match the destination domain.
We have recently been seeing the following error when the sync engine tries to enable a disabled user in the fabrikam domain:
Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.
This happens although the password policy is the same in both domains.
After a tip, it turned out that for some reason the password was not set when the user was synced. When the sync engine later tried to enable those users, they had no password at all, so the update failed the domain password policy.
Fix: I got the list of failing users from MIM and set their passwords manually in the destination domain with the following script:
$users = @("LISTUSERSHERE")   # sAMAccountNames of the failing users, taken from the MIM run history
foreach ($user in $users) {
    # Reset each account to a complex temporary password so it passes the domain policy and can be enabled
    Get-ADUser $user | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "<COMPLEXTEMPPASSWORD>" -Force)
}
After this, the sync engine fixed the users up automatically.
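A variation on the same fix, added here as an example and not the script from the post above: instead of pasting a user list and sharing one temporary password across every account, it finds the affected accounts in the destination domain itself and gives each one its own random password. It assumes that an account the sync engine created without a password shows pwdLastSet = 0, and the server name and search base are placeholders to replace with your own. Run it with -WhatIf first to see which accounts it would touch.

```powershell
# Added example, not the post's own script. Finds disabled accounts in the destination
# domain whose password was never set (assumption: pwdLastSet = 0 marks such accounts)
# and resets each to a unique random password so the sync engine can enable them.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Server     = 'dc01.fabrikam.com',             # placeholder domain controller
    [string]$SearchBase = 'OU=Synced,DC=fabrikam,DC=com',  # placeholder OU that MIM populates
    [int]$Length        = 24
)

function New-RandomPassword {
    param([int]$Length = 24)
    $upper   = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ'
    $lower   = [char[]]'abcdefghijkmnopqrstuvwxyz'
    $digits  = [char[]]'23456789'
    $symbols = [char[]]'!@#$%^&*-_=+?'
    $all     = $upper + $lower + $digits + $symbols
    $rng     = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf     = New-Object byte[] 1
    $limit   = 256 - (256 % $all.Count)   # rejection threshold, avoids modulo bias
    do {
        $chars = foreach ($i in 1..$Length) {
            do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
            $all[$buf[0] % $all.Count]
        }
        $pw = -join $chars
        # Retry until all four character classes are present, so AD complexity is always met
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d' -and $pw -match '[^A-Za-z0-9]')
    $rng.Dispose()
    return $pw
}

# Candidates: disabled users in scope whose password was never set
$candidates = Get-ADUser -Server $Server -SearchBase $SearchBase `
    -Filter 'Enabled -eq $false -and pwdLastSet -eq 0' -Properties pwdLastSet

$results = foreach ($u in $candidates) {
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Reset to a unique random password')) {
        $secure = ConvertTo-SecureString -AsPlainText (New-RandomPassword -Length $Length) -Force
        try {
            Set-ADAccountPassword -Server $Server -Identity $u -Reset -NewPassword $secure -ErrorAction Stop
            [pscustomobject]@{ SamAccountName = $u.SamAccountName; Status = 'Reset' }
        } catch {
            [pscustomobject]@{ SamAccountName = $u.SamAccountName; Status = "Failed: $($_.Exception.Message)" }
        }
    }
}

# Report only which accounts were touched; the generated passwords are never written anywhere
$results | Format-Table -AutoSize
```

The script deliberately does not set "user must change password at next logon": that flag writes pwdLastSet back to 0, which is the very attribute used here to pick out accounts that still need a password, so a second run would select the same accounts again.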