User is asked to change password on first logon and does not have the right

Have asked that users change their password on first logon on a Windows 2000 server. When they change it they are told they do not have permission to change their password. As far as I can tell, they should be able to. I am kind of in a catch-22 here, does anyone have any idea what I might have done?
nt2kman Asked:

Mihailo Commented:
http://www.jsiinc.com/SUBO/tip7300/rh7344.htm

7344 » When a domain user attempts to change their password during logon, they receive 'You do not have permission to change your password'?


The subject behavior will occur if both the following are true:

- You enabled the User must change password at next logon option.

- The Everyone group and/or the Authenticated Users group does NOT have the Access this computer from the network rights on an authenticating domain controller.

To resolve this problem:

1. Open the Active Directory Users and Computers snap-in.

2. Right-click the Domain Controllers container and press Properties.

3. Select the Group Policy tab.

4. Select the Default Domain Controllers Policy and press the Edit button.

5. Navigate through Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment.

6. Double-click Access this computer from the network.

7. If either the Everyone or Authenticated Users group is missing, add them and press OK.

8. Close the Properties dialog and exit the snap-in.

9. On a domain controller, run SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE.

NOTE: For Windows Server 2003, run gpupdate /Target:Computer.

NOTE: See Some users can't change their password without logging onto the Windows 2000 domain?
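An added example, not part of any post in this thread: a Python check for the condition Mihailo's answer describes, run against the `[Privilege Rights]` section of a security template exported with `secedit /export`. It assumes the export lists principals as `*SID` values or plain names; the function names and both sample templates are constructed for illustration.

```python
# Added example (not from the thread): audit an exported security template
# for the "Access this computer from the network" user right.
RIGHT = "SeNetworkLogonRight"  # constant name for that right
# Accepted spellings per group: well-known SID or plain name (assumption).
REQUIRED = {
    "Everyone": {"*s-1-1-0", "everyone"},
    "Authenticated Users": {"*s-1-5-11", "authenticated users",
                            "nt authority\\authenticated users"},
}


def parse_privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INF comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip().lower()] = [
                p.strip().strip('"').lower() for p in value.split(",") if p.strip()
            ]
    return rights


def missing_network_logon_groups(inf_text):
    """Groups from the answer's step 7 that do not hold the right."""
    holders = set(parse_privilege_rights(inf_text).get(RIGHT.lower(), []))
    return [group for group, names in REQUIRED.items() if not holders & names]


# Constructed sample templates (not taken from a real domain controller).
BROKEN = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-549
SeInteractiveLogonRight = *S-1-5-32-544
"""
FIXED = BROKEN.replace("*S-1-5-32-544,*S-1-5-32-549",
                       "*S-1-1-0,*S-1-5-11,*S-1-5-32-544")

if __name__ == "__main__":
    for label, text in (("before", BROKEN), ("after", FIXED)):
        print(label, "missing:", missing_network_logon_groups(text) or "none")
```

Exported templates are typically UTF-16 encoded, so read the file with `encoding="utf-16"` before passing its text to `missing_network_logon_groups`.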
mburdick Commented:
In the same area mentioned above, you may need to adjust "Additional Restrictions for Anonymous Connections". If this is set to "No access without explicit anonymous access permissions", you will need to back that off to "Do not allow enumeration of SAM accounts and shares".

This is a documented issue at Microsoft.
ralonso Commented:
In AD, you may also need to find the user account in AD.
Check properties->permissions->advanced
There should be an entry saying that user "SELF" has the right to change password for the account

The group "Everyone" should also have permission to change password for the user account (I'm not inventing this; it is documented by Microsoft)

http://support.microsoft.com/?kbid=242795
darth_wannabe Commented:
I assume that BOTH 'User must change password at next logon' and 'User cannot change password' are not checked....
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.