unable to change user password at logon
Results 1 to 7 of 7

Thread: unable to change user password at logon

  1. #1
    Registered User techie211's Avatar
    Join Date
    Aug 2001
    Posts
    49

    Unhappy unable to change user password at logon

    hey ppl! I need for the users to change their passwords once a month but they're getting the 'You do not have permission to change your password' error message
    In their accounts properties, I have User must change password at next logon cheched on and everything else checked off. They do get notified the next time they try to logon to change their password, and they type their new password but then they get the error message There has to be some kind of policy restriction either at the Domain or OU level. I'm not sure. Hopefully someone out there has an answer for me
    Thank in advance!

    -l8r
    "knowledge is power"

  2. #2
    Registered User
    Join Date
    Jan 2002
    Location
    South Jersey
    Posts
    253

    Post

    Are you setting the "must change password at next logon" and unchecking "user cannot change password" in User Manager for Domains on the server or via Computer management?
    "Good music makes you want to dance and kiss your girlfriend. Great music makes you want to riot and kill...."- Tom Morello, Rage Against the Machine

  3. #3
    Registered User techie211's Avatar
    Join Date
    Aug 2001
    Posts
    49

    Post

    hey thanks for the reply I'm going thru Active directory Users & Computers on a win2k Server.
    "knowledge is power"

  4. #4
    Banned Ya_know's Avatar
    Join Date
    Jun 2001
    Posts
    10,692

    Post

    I found this article. However it doesn't tell you how to make this happen to all users. If you are mising this permission for Everyone, and you figure out how to add it for all users, let me know...

    <a href="http://support.microsoft.com/default.aspx?scid=%2fsearch%2fviewDoc.aspx%3fdocID %3dKC.Q242795%26dialogID%3d6922351%26iterationID%3 d1%26sessionID%3danonymous%7c6122231" target="_blank">Granting Change Password Permissions to the Everyone Group (Q242795)</a>

  5. #5
    Banned Ya_know's Avatar
    Join Date
    Jun 2001
    Posts
    10,692

    Post

    Come to think of it, it probably has little or nothing to do with the article I found. Have you looked into the group policy for the container, domain, and/or site? Perhaps there is an issue at one level that is causing this problem...

  6. #6
    Registered User techie211's Avatar
    Join Date
    Aug 2001
    Posts
    49

    Post

    that's what i'm thinking. I've checked the policies at the domain level and the container level but cannot see anything wrong. Where or what do i need to look for?

    -l8r
    "knowledge is power"

  7. #7
    Banned Ya_know's Avatar
    Join Date
    Jun 2001
    Posts
    10,692

    Post

    Ok, I am going to shoot from the hip, so I need for you to fill in any blanks if I should miss assume something...

    I presume you have one policy with the maximum password age set to one month. You may have also changed a few other things, perhaps complexity requirements, minimum password length, and enforcing password history. What then are you using for a minimum password age? I recall issues in NT4 where a minimum password age would cause problems like this. The worst was when you reset a recently changed password, then forced the user to change the password at next login. History shows that the password had been changed within the minimum age, and wouldn't permit a second. I would have to look at that as your issue, and perhaps set it back to not defined, if you have a restriction applied.

    I am sure you know where, but to save time in case you don't, edit all group policies that may have a play on this container (remember, they go in order, site-domain-container). {To check the site group policy, you need to go to AD Sites and Services, if it is only one site it should show up as "Default-first-site-name". If no group policy is found then don't create one. I just want you to be sure it isn't there that you are getting the policy from.} Then under Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy, you will see six items that can be adjusted…if minimum password age is applied, remove it for troubleshooting. Then have someone reboot a 2k box and try to login, and change his password. (remember to edit all group policies that may come into effect)

    One last thing...

    In the event that doesn’t help, in reference to that MS article, I have to steer you to another item in the group policy that could be changing things for users logged in with an old password, attempting to change the password...under Computer Configuration\Windows Settings\Security Settings\local policies\Security Options, there is an item for Additional restrictions for anonymous connections. If it is not defined in any of your policies, cool, if it is, changed it back to not defined for troubleshooting. I don't know if that will do it but it is sure worth a shot...

    Take everything one step at a time, and document. Group policy can get really tangled up. Additional note, you should apply the password restriction at the domain level, unless you have a better reason to apply it elsewhere.

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •