User recieves "You do not have permission to change your password" when warned that password will expire in X days.

When the user logs on they get a warning that their password will expire in X days, would you like to change it now.  When they try they get a "You do not have permission" error.  If they log in to the machine, they can change theor password through the old Ctrl-alt-del menu.

I have checked the domail controller policy and the allow access object has everyone and authenticated users.

Help!

LVL 1
scwerntzAsked:
Who is Participating?
 
Computer101Commented:
PAQed, with points refunded (250)

Computer101
E-E Admin
0
 
CrazyOneCommented:
http://www.mike-tech.com/article.php?gif=win2k&article=165

You Do Not Have Permission To Change Your Password (05-05-2002)
--------------------------------------------------------------------------------
If you use a password policy in your Windows 2000 domain, Active Directory users may receive "You do not have permission to change your password" when they attempt to change their password in response to a password change notification.

Chances are that the Everyone group has not been granted the right to Change Password on the User object.

1. In the Active Directory Users and Computers snap-in, right-click your domain.

2. On the View menu, select Advanced Features

3. Right-click the OU hosting the user object and press Properties

4. On the Security tab, if the Everyone group is not present in the Name box, Press "Advanced" and Add it

5. On the Advanced tab, select the Everyone group

6. Press View/Edit and select "User Objects" in the Apply onto box

7. In the Permissions list, check the Change Password permission "Allow" box

8. Press OK and/or Apply till you are finished
0
 
CrazyOneCommented:
http://www.jsiinc.com/SUBO/tip7300/rh7344.htm

7344 » When a domain user attempts to change their password during logon, they receive 'You do not have permission to change your password'?

The subject behavior will occur if both the following are true:

- You enabled the User must change password at next logon option.

- The Everyone group and/or the Authenticated Users group does NOT have the Access this computer from the network rights on an authenticating domain controller.

To resolve this problem:

1. Open the Active Directory Users and Computers snap-in.

2. Right-click the Domain Controllers container and press Properties.

3. Select the Group Policy tab.

4. Select the Default Domain Controllers Policy and press the Edit button.

5. Navigate through Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment.

6. Double-click Access this computer from the network.

7. If either the Everyone or Authenticated Users group is missing, add them and press OK. 8. Close the Properties dialog and exit the snap-in.

9. On a domain controller, run SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE.

NOTE: For Windows Server 2003, run gpudate /Target:Computer.
0
Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
scwerntzAuthor Commented:
OK, both of these are configured correctly.  The permissions are there.
0
 
scwerntzAuthor Commented:
I checked all of these settings based on these and other articles I have found.  There has to be something else.
0
 
justinm99Commented:
crazyone how do you get to questions so quickly? do you have something that notifies you if a new question has been asked or do you refresh the webpage like every 30 seconds?  :)
0
 
fajar79Commented:
how about the length of password ? do you change the default setting? > 6 characters long, uppercase, lowercase, number, nonalphanumeric...
0
 
scwerntzAuthor Commented:
I had to open a ticket with Microsoft on this one.  We are running in mixed mode.  There was one registry key that was changed that had to be reset.  

PROBLEM
============

Users cannot change password until they log on to the system.


RESOLUTION
============

The issue is related to the registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous

After changing its value from 2 to 0, the original issue is solved.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.