Solved

Not able to change password when users are being prompted that their password has expired

Posted on 2003-11-26
Last Modified: 2013-12-04
"you don't have permission to change your password".

It only happens when their passwords are expiring and they are being prompted to change them. If you change the password without the expiration notification, it works.

Any ideas why this would happen?
Question by:NaveedAnwar
10 Comments
 
LVL 5

Expert Comment

by:juliancrawford
ID: 9827342
It sounds like a group policy setting would be doing this - are the users affected all part of the same group?
0
 
LVL 41

Accepted Solution

by:
graye earned 1500 total points
ID: 9828772
I've seen this happen before... in a mixed-mode domain after we "hardened" the servers.

Yes, it's a bit strange, since there is a catch-22. After a user types in their UserID and Password, they are immediately prompted with an "it's about to expire, would you like to change it now" message. However, the user hasn't really been fully authenticated at this point. So, no... they don't have permission to change their password (because they can't enumerate the list of users on the domain anonymously like they did before the hardening).

The solution is to tell your users to ignore that prompt, and only after they're completely logged in, do the CTRL-ALT-DEL and press the "change password" button. (Either that, or relax security a bit)

We've tried to figure out how to stop that message from popping up... but we gave up.
0
 
LVL 37

Expert Comment

by:bbao
ID: 9832620
if you did not apply the latest service pack to the windows 2000 server, i think the problem should be caused by a bug of the operating system. anyway, the bug has been fixed. for more information, please refer to the MSKB article at:

Kerberos Change Password Does Not Work When Account Password Expires
http://support.microsoft.com/?id=kb;en-us;253532

additionally, there are two other similar articles for your reference too:

"The Password Cannot Be Changed at This Time" Error Message When You Try to Change a User's Password
http://support.microsoft.com/?id=kb;en-us;273004

User May Not Be Able to Change Their Password If You Configure the 'User Must Change Password at Next Logon' Setting
http://support.microsoft.com/?id=kb;en-us;320325

hope it helps,
bbao
0
 
LVL 1

Expert Comment

by:NetwerkMerc
ID: 9849546
I agree that it sounds like GP or local system policy.  Minimum password lifespan vs expiration reminder...things like that

-Or-

Check that the user (i.e. "self") can change their password. Sounds like it is explicitly denied. AD users and computers->users-> right-click properties on "username"->Security tab->under "groups or user name" look for "SELF" and check the change password permission below. It is either explicitly denied or implicitly denied via inheritance.

-Eric
Security and Virus forum moderator at ComputerRepair.com
<edited by YensidMod>
0
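
The SELF permission check described in the comment above can also be scripted, which helps when many accounts are affected. This is an added example, not part of the original thread: the function name `Get-ChangePasswordDeny`, the sample ACEs and the account name `jdoe` are constructed, and the English principal names `NT AUTHORITY\SELF` and `Everyone` are assumed.

```powershell
# Added example, not from the thread.
# Schema GUID of the User-Change-Password extended right.
$ChangePwd = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'

function Get-ChangePasswordDeny {
    param([Parameter(Mandatory)] [object[]] $Ace)
    # A deny ACE blocks a self-service change when it covers extended rights and
    # targets either this specific right or all rights (empty GUID), for SELF or Everyone.
    $Ace | Where-Object {
        "$($_.AccessControlType)" -eq 'Deny' -and
        "$($_.ActiveDirectoryRights)" -match 'ExtendedRight|GenericAll' -and
        ([guid]$_.ObjectType -eq $ChangePwd -or [guid]$_.ObjectType -eq [guid]::Empty) -and
        "$($_.IdentityReference)" -match '^(NT AUTHORITY\\SELF|Everyone)$'
    } | Select-Object IdentityReference, IsInherited, ObjectType
}

# Constructed sample ACEs, shaped like the entries of (Get-Acl "AD:\<user DN>").Access
$sample = @(
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\SELF'; AccessControlType = 'Deny'
                       ActiveDirectoryRights = 'ExtendedRight'; ObjectType = $ChangePwd
                       IsInherited = $true }    # inherited deny: the "implicit" case
    [pscustomobject]@{ IdentityReference = 'Everyone'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'ExtendedRight'; ObjectType = $ChangePwd
                       IsInherited = $false }   # allow ACE: not reported
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\SELF'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'ReadProperty'; ObjectType = [guid]::Empty
                       IsInherited = $false }   # unrelated right: not reported
)

# Lists only the ACEs that deny the password change, with their inheritance flag.
Get-ChangePasswordDeny -Ace $sample | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module; 'jdoe' is a placeholder):
# $dn = (Get-ADUser -Identity 'jdoe').DistinguishedName
# Get-ChangePasswordDeny -Ace (Get-Acl -Path "AD:\$dn").Access
```

An `IsInherited` value of `True` in the output points at a deny set on a parent OU rather than on the user object itself.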
 
LVL 41

Expert Comment

by:graye
ID: 9849968
This is more common than you might think in a mixed-mode domain... where the account policies in WinNT apply
0
 
LVL 37

Expert Comment

by:bbao
ID: 9849988
graye, o? how to solve it then?
0
 
LVL 41

Expert Comment

by:graye
ID: 9850013
We've found no solution (other than what I described above... teach the users to ignore that prompt and change their password only after they're completely logged in).

BTW: NaveedAnwar hasn't confirmed that he's running a WinNT-Win2k mixed-mode domain (so I might be completely off)
0
 
LVL 1

Expert Comment

by:NetwerkMerc
ID: 9850391
I know by default in a 2003 native, a "blank" user by default cannot change their password. Not through specific account settings, rather security on the user object. If it is mixed, most auth. requests try to make use of 2k; if there is an explicit deny, 2k will NOT query NT4, because it already has an explicit answer. If the clients are NT4, the directory services client NEEDS to be installed and appropriate logon policy needs to be configured (i.e. NTLM) as well. Once everyone is logging in fine, you can look at tightening auth. methods, forcing kerberos, more restrictive account, user, group policies. If there is little invested in policies, try scrapping them. But this is permission or policy caused.

dcgpofix /both

-Eric
Security and Virus forum moderator at ComputerRepair.com
<edited by YensidMod>
 
0
 
LVL 37

Expert Comment

by:bbao
ID: 9895548
a lot of users complain of similar problems like what this question described, maybe caused by similar reasons...
NaveedAnwar, how are things?
0
 
LVL 1

Expert Comment

by:NetwerkMerc
ID: 10249820
Is this thing on?  Please reply or close the topic.

-Eric
0
