My brother has an interesting(?) problem:

He set up his home PC with XP (Pro, now with SP3) a few years ago, ensuring
he password protected his account and did not give my nephew admin rights.
However, he failed to set a password for the administrator account as he
hadn't realised that the Administrator account was still active and could be
logged in to using a double Ctrl-Alt-Del. Now he is unable to assign a
password to that account, or change passwords for existing accounts, or
create a new user account as all attempts lead to an error message stating
that the password does not meet the password complexity requirements.
However the password policy is disabled (see below) and he has tried using
complex passwords.

Checking Local Security Policy, settings are:
Enforce password history: 0 passwords remembered
Maximum password age: 0 days
Minimum password age: 0 days
Minimum password length: 0 characters
Password must meet complexity requirements: Disabled
Store password using reversible encryption: Disabled
In "Resultant set of policy" MMC snap-in they all come up as "Not defined".

Sometimes he finds that my nephew is a member of the administrators group.
My nephew denies any knowledge of what is happening.

I happened to visit recently and took a brief look at the PC but couldn't
see anything untoward.

The obvious solution is FDisk, but other priorities mean that can't be done
for a while.

Does anyone have any ideas as to what might have happened here?