User recieves "You do not have permission to change your password" when warned that password will expire in X days.

http://www.mike-tech.com/article.php?gif=win2k&article=165

You Do Not Have Permission To Change Your Password (05-05-2002)
--------------------------------------------------------------------------------
If you use a password policy in your Windows 2000 domain, Active Directory users may receive "You do not have permission to change your password" when they attempt to change their password in response to a password change notification.

Chances are that the Everyone group has not been granted the right to Change Password on the User object.

1. In the Active Directory Users and Computers snap-in, right-click your domain.

2. On the View menu, select Advanced Features

3. Right-click the OU hosting the user object and press Properties

4. On the Security tab, if the Everyone group is not present in the Name box, Press "Advanced" and Add it

5. On the Advanced tab, select the Everyone group

6. Press View/Edit and select "User Objects" in the Apply onto box

7. In the Permissions list, check the Change Password permission "Allow" box

8. Press OK and/or Apply till you are finished

http://www.jsiinc.com/SUBO/tip7300/rh7344.htm

7344 » When a domain user attempts to change their password during logon, they receive 'You do not have permission to change your password'?

The subject behavior will occur if both the following are true:

- You enabled the User must change password at next logon option.

- The Everyone group and/or the Authenticated Users group does NOT have the Access this computer from the network rights on an authenticating domain controller.

To resolve this problem:

1. Open the Active Directory Users and Computers snap-in.

2. Right-click the Domain Controllers container and press Properties.

3. Select the Group Policy tab.

4. Select the Default Domain Controllers Policy and press the Edit button.

5. Navigate through Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment.

6. Double-click Access this computer from the network.

7. If either the Everyone or Authenticated Users group is missing, add them and press OK. 8. Close the Properties dialog and exit the snap-in.

9. On a domain controller, run SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE.

NOTE: For Windows Server 2003, run gpudate /Target:Computer.

OK, both of these are configured correctly.  The permissions are there.

I checked all of these settings based on these and other articles I have found.  There has to be something else.

crazyone how do you get to questions so quickly? do you have something that notifies you if a new question has been asked or do you refresh the webpage like every 30 seconds?  :)

how about the length of password ? do you change the default setting? > 6 characters long, uppercase, lowercase, number, nonalphanumeric...

I had to open a ticket with Microsoft on this one.  We are running in mixed mode.  There was one registry key that was changed that had to be reset.  

PROBLEM
============

Users cannot change password until they log on to the system.


RESOLUTION
============

The issue is related to the registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous

After changing its value from 2 to 0, the original issue is solved.