Link to home
Start Free TrialLog in
Avatar of NaveedAnwar
NaveedAnwar

asked on

NOT able to change password when user are being promted that there password has exptred

"you don`t have permission to change your password".

It only happens when there passwords are expiring an dbeing pronpted to change if you change the password without expiration notification it works

Any ideas why this would happen?
Avatar of juliancrawford
juliancrawford
It sounds like a group policy setting would be doing this - are the users affected all part of the same group?
ASKER CERTIFIED SOLUTION
Avatar of graye
graye
Flag of United States of America image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of bbao
bbao
Flag of Australia image
if you did not apply latest service pack to the windows 2000 server, i think the problem should be caused a bug of the operating system. anyway, the bug has been fixed. for more information, please refer the MSKB article at:

Kerberos Change Password Does Not Work When Account Password Expires
http://support.microsoft.com/?id=kb;en-us;253532

additionally, there are other two similar articles for your reference too:

"The Password Cannot Be Changed at This Time" Error Message When You Try to Change a User's Password
http://support.microsoft.com/?id=kb;en-us;273004

User May Not Be Able to Change Their Password If You Configure the 'User Must Change Password at Next Logon' Setting
http://support.microsoft.com/?id=kb;en-us;320325

hope it helps,
bbao
Avatar of NetwerkMerc
NetwerkMerc
I agree that it sounds like GP or local system policy.  Minimum password lifespan vs expiration reminder...things like that

-Or-

Check that the user (i.e. "self") can change their password.   Shounds like it is explicitly denied.  AD users and computers->users-> right-click properties on "username"->Security tab->under "groups or user name" look for "SELF" and check the change password permission below.  It is either explicitly denied or implicitly denied via inheritance.

-Eric
Security and Virus forum moderator at ComputerRepair.com
<edited by YensidMod>
Avatar of graye
graye
Flag of United States of America image
This is more common that you might think in a mixed-mode domain...  where the account policies in WinNT apply
Avatar of bbao
bbao
Flag of Australia image
graye, o? how to solve it then?
Avatar of graye
graye
Flag of United States of America image
We've found no solution (other than what I described above... teach the users to ignore that prompt and change their password only after they're completely logged in).

BTW:  NaveedAnwar hasn't confirmed that he's runing a WinNT-Win2k mixed-mode domain (so I might be completely off)
Avatar of NetwerkMerc
NetwerkMerc
I know by default in a 2003 native, a "blank" use by default cannot change their password.  Not through specific account settings, rather security on the user object.  If it is mixed, most auth. request try to make use of 2k, if there is an explicit deny 2k will NOT query NT4, becuase it already has an explicit answer.  If the clients are NT4, the directory services client NEEDS to be installed and appropriate logon policy needs to be configured (ie NTLM) as well.  Once everyone is loggin in fine, you can look at tightening auth. methods, forcing kerberos, more restrictive account, user, group policies.  If there is little invested in policies, try scraping them.  But this is permission or policy caused.

dcgpofix /both

-Eric
Security and Virus forum moderator at ComputerRepair.com
<edited by YensidMod>
 
Avatar of bbao
bbao
Flag of Australia image
a lot of users complain similar problems like what this question described, maybe caused by simiar reasons...
NaveedAnwar, how are things?
Avatar of NetwerkMerc
NetwerkMerc
Is this thing on?  Please reply or close the topic.

-Eric