No password is complex enough

Posted by Blue Warrior NFB on Server Fault
Published on 2012-11-27T15:52:44Z Indexed on 2012/11/27 17:06 UTC

I have one user in my AD domain who seems to not be able to self-select a password. I may have another one, but they're on a different enough password-expiration schedule that I can't remember who it is right now.

I can set a password via ADU&C just fine, but when he tries it via C-A-D he gets the "doesn't meet complexity" message. Figuring he was just doing something like 'pAssword32', I did some troubleshooting of my own and sure enough it doesn't want to take a password that way.

He's one of our users that habitually uses a local account and then maps drives using his AD credentials so he doesn't get the "your password will expire in 4 days, maybe you should change it" prompts, so he's a frequent "my password expired, can you fix it" flyer.

I don't want to keep having him set it via ADU&C over my shoulder every N days. I'm just fine setting temp passwords of 48 characters of keyboard-slamming and letting him change it to something memorable.

My environment is at the Windows 2008 R2 functional level, and I am using fine-grained password policies. In fact, I have two such policies:

  1. For normal users (minimum length, remembered passwords)
  2. For special utility accounts

The password complexities I've tried match both policies for length and char-set selection.

The permissions on the User object themselves look normal; SELF does indeed have the "Change Password" right.

Is there some other place I should be looking for things that can affect this?

© Server Fault or respective owner