?
Solved

User is asked to change password on first logon and does not have the right

Posted on 2003-11-12
4
Medium Priority
?
1,469 Views
Last Modified: 2010-05-18
Have asked that users change their password on first logon on a windows 2000 server. When they change it they are told they do not have permission to change their password. As far as I can tell, they should be able to. I am kind of in a catch 22 here, does anyone have any idea what I might have done?
0
Comment
Question by:nt2kman
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 2

Accepted Solution

by:
Mihailo earned 500 total points
ID: 9735943
http://www.jsiinc.com/SUBO/tip7300/rh7344.htm

7344 » When a domain user attempts to change their password during logon, they receive 'You do not have permission to change your password'?


The subject behavior will occur if both the following are true:

- You enabled the User must change password at next logon option.

- The Everyone group and/or the Authenticated Users group does NOT have the Access this computer from the network rights on an authenticating domain controller.

To resolve this problem:

1. Open the Active Directory Users and Computers snap-in.

2. Right-click the Domain Controllers container and press Properties.

3. Select the Group Policy tab.

4. Select the Default Domain Controllers Policy and press the Edit button.

5. Navigate through Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment.

6. Double-click Access this computer from the network.

7. If either the Everyone or Authenticated Users group is missing, add them and press OK. 8. Close the Properties dialog and exit the snap-in.

9. On a domain controller, run SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE.

NOTE: For Windows Server 2003, run gpudate /Target:Computer.

NOTE: See Some users can't change their password without logging onto the Windows 2000 domain?
0
 
LVL 12

Expert Comment

by:mburdick
ID: 9736542
In the same area mentioned above, you may need to adjust "Additional Restrictions for Anonymous Connections". If this is set to "No access without explicit anonymous access permissions", you will need to back that off to "Do not allow enumeration of SAM accounts and shares".

This is a documented issue at Microsoft.
0
 
LVL 5

Expert Comment

by:ralonso
ID: 9740985
In AD, you may also need to find the user account in AD.
Check properties->permissions->advanced
There should be an entry saying that user "SELF" has the right to change password for the account

The group "Everyone" Should also have permission to change password for the user account (I'm not inventing, is documented by microsoft)

http://support.microsoft.com/?kbid=242795
0
 
LVL 4

Expert Comment

by:darth_wannabe
ID: 9741498
I assume that BOTH 'User must change password at next logon' and 'User cannot change password' are not checked....
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
In this modest contribution, I want to share with the IT community (especially system administrators, IT Support Engineers and IT Help Desks) about Windows crashes/hangs and how to deal with these particular problems.
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question