bcotta
asked on
You do not have permission to change your password
We have just upgraded our domain controllers to Server 2003 Enterprise from Windows 2000 server Advanced. There is no Group Policy as of yet, only the default domain policy is at the root of our domain. Our users are all in one OU in the domain.
When we check 'User must change password at next login' for a user account, as soon as the user tries to logon and change their password they receive a 'You do not have permission to change your password' error.
As per the Microsoft Knowledgebase, we have assigned 'Change password' permission to the everyone group for the Users container and all our OU's in the Active Directory and still we are having this issue.
We have checked the Domain Security policy, Domain controller security policy and even the Group policy for the OU and domain. .
After each change, I issued a gpupdate /force to make the change. No luck.
The problem only affects workstations running Windows XP professional. A majority of our users use Windows 2000 pro, they dont have any problems.
Whether the password expires on its own or we force a change, the user still gets the prompt "You do not have permission to change your password".
If we log them in and issue a CTRL-ALT-DEL and issue change password through the click box, they can then change it then but not from the initial logon screen when prompted.
Please help. Thanks
When we check 'User must change password at next login' for a user account, as soon as the user tries to logon and change their password they receive a 'You do not have permission to change your password' error.
As per the Microsoft Knowledgebase, we have assigned 'Change password' permission to the everyone group for the Users container and all our OU's in the Active Directory and still we are having this issue.
We have checked the Domain Security policy, Domain controller security policy and even the Group policy for the OU and domain. .
After each change, I issued a gpupdate /force to make the change. No luck.
The problem only affects workstations running Windows XP professional. A majority of our users use Windows 2000 pro, they dont have any problems.
Whether the password expires on its own or we force a change, the user still gets the prompt "You do not have permission to change your password".
If we log them in and issue a CTRL-ALT-DEL and issue change password through the click box, they can then change it then but not from the initial logon screen when prompted.
Please help. Thanks
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Might be a Domain policy that is resulting in the error.
Check your settings in your Default Domain Controllers Policy in:
Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment
In the "Access this computer from the network" settings there should be either the Authenticated Users or Everyone group.
If they are not there, add the Authenticated Users group and run:
SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE
on your server.
Check your settings in your Default Domain Controllers Policy in:
Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment
In the "Access this computer from the network" settings there should be either the Authenticated Users or Everyone group.
If they are not there, add the Authenticated Users group and run:
SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE
on your server.
There is a setting somewhere that users must successfully authenticate before changing their password. Can't remember where it is exactly. You need to change that setting.
If you change the setting to stop them from being forced to change their password at first login, login as the user you should be able to change the password from the CTRL-ALT-DEL prompt.
Simon.
If you change the setting to stop them from being forced to change their password at first login, login as the user you should be able to change the password from the CTRL-ALT-DEL prompt.
Simon.
ASKER
I appreciate everyone's help.
I tried the User Right Assigment suggestion. Same results.
What I did find from the first reccomendation from "dimante" is that users using Windows XP SP1 are the only ones affected.
Users on a machine using Windows XP Pro SP2 don't have this problem.
Microsoft says there is a hotfix but they dont give the hotfix number or direct me where to download it
Any suggestions?
If its just a hotfix on the client, I'd rather do that, than to make a bunch of changes on my DC's
I tried the User Right Assigment suggestion. Same results.
What I did find from the first reccomendation from "dimante" is that users using Windows XP SP1 are the only ones affected.
Users on a machine using Windows XP Pro SP2 don't have this problem.
Microsoft says there is a hotfix but they dont give the hotfix number or direct me where to download it
Any suggestions?
If its just a hotfix on the client, I'd rather do that, than to make a bunch of changes on my DC's
You contact microsoft support reference the article numberI gave you above and they will give you the hotfix no charge.
It will fix the problem you mentioned.
-D-
It will fix the problem you mentioned.
-D-
ASKER
I tried to contact our harware vendor.
No luck, they won't support SP1.
I can't find the hotfix. We are trying to avoid an upgrade to SP2.
If anyone has an other suggestions, please advise.
If not, I will award points accordingly.
Thanks for your help
No luck, they won't support SP1.
I can't find the hotfix. We are trying to avoid an upgrade to SP2.
If anyone has an other suggestions, please advise.
If not, I will award points accordingly.
Thanks for your help
Any reason you are trying to avoid the upgrade to SP2?
Simon.
Simon.
You have to call microsoft directly:
support.microsoft.com
-D-
support.microsoft.com
-D-
ASKER
We have a couple of sofware vendors that don't support SP2. They're in progress to fix their apps to work with SP2 but it is taking some time.
We also have some old unsupported software that may not work with SP2.
But I guess we have no choice. I will have to continue researching this hotfix. Thanks all.
We also have some old unsupported software that may not work with SP2.
But I guess we have no choice. I will have to continue researching this hotfix. Thanks all.
Please come back and let us know if the hotfix solves your issue!
-D-
-D-
ASKER
I checked that registry key.
It was already set to 1
I set it to 0
Same results
Ideas??