Solved

User recieves "You do not have permission to change your password" when warned that password will expire in X days.

Posted on 2004-03-29
9
249 Views
Last Modified: 2010-04-13
When the user logs on they get a warning that their password will expire in X days, would you like to change it now.  When they try they get a "You do not have permission" error.  If they log in to the machine, they can change theor password through the old Ctrl-alt-del menu.

I have checked the domail controller policy and the allow access object has everyone and authenticated users.

Help!

0
Comment
Question by:scwerntz
9 Comments
 
LVL 44

Expert Comment

by:CrazyOne
ID: 10707086
http://www.mike-tech.com/article.php?gif=win2k&article=165

You Do Not Have Permission To Change Your Password (05-05-2002)
--------------------------------------------------------------------------------
If you use a password policy in your Windows 2000 domain, Active Directory users may receive "You do not have permission to change your password" when they attempt to change their password in response to a password change notification.

Chances are that the Everyone group has not been granted the right to Change Password on the User object.

1. In the Active Directory Users and Computers snap-in, right-click your domain.

2. On the View menu, select Advanced Features

3. Right-click the OU hosting the user object and press Properties

4. On the Security tab, if the Everyone group is not present in the Name box, Press "Advanced" and Add it

5. On the Advanced tab, select the Everyone group

6. Press View/Edit and select "User Objects" in the Apply onto box

7. In the Permissions list, check the Change Password permission "Allow" box

8. Press OK and/or Apply till you are finished
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 10707149
http://www.jsiinc.com/SUBO/tip7300/rh7344.htm

7344 » When a domain user attempts to change their password during logon, they receive 'You do not have permission to change your password'?

The subject behavior will occur if both the following are true:

- You enabled the User must change password at next logon option.

- The Everyone group and/or the Authenticated Users group does NOT have the Access this computer from the network rights on an authenticating domain controller.

To resolve this problem:

1. Open the Active Directory Users and Computers snap-in.

2. Right-click the Domain Controllers container and press Properties.

3. Select the Group Policy tab.

4. Select the Default Domain Controllers Policy and press the Edit button.

5. Navigate through Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment.

6. Double-click Access this computer from the network.

7. If either the Everyone or Authenticated Users group is missing, add them and press OK. 8. Close the Properties dialog and exit the snap-in.

9. On a domain controller, run SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE.

NOTE: For Windows Server 2003, run gpudate /Target:Computer.
0
 
LVL 1

Author Comment

by:scwerntz
ID: 10707224
OK, both of these are configured correctly.  The permissions are there.
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 1

Author Comment

by:scwerntz
ID: 10707236
I checked all of these settings based on these and other articles I have found.  There has to be something else.
0
 
LVL 1

Expert Comment

by:justinm99
ID: 10707416
crazyone how do you get to questions so quickly? do you have something that notifies you if a new question has been asked or do you refresh the webpage like every 30 seconds?  :)
0
 
LVL 3

Expert Comment

by:fajar79
ID: 10709930
how about the length of password ? do you change the default setting? > 6 characters long, uppercase, lowercase, number, nonalphanumeric...
0
 
LVL 1

Author Comment

by:scwerntz
ID: 11326290
I had to open a ticket with Microsoft on this one.  We are running in mixed mode.  There was one registry key that was changed that had to be reset.  

PROBLEM
============

Users cannot change password until they log on to the system.


RESOLUTION
============

The issue is related to the registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous

After changing its value from 2 to 0, the original issue is solved.
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 11518530
PAQed, with points refunded (250)

Computer101
E-E Admin
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
This problem is more common than not and I will show you some things to check to solve this problem.
This tutorial gives a high-level tour of the interface of Marketo (a marketing automation tool to help businesses track and engage prospective customers and drive them to purchase). You will see the main areas including Marketing Activities, Design …
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

778 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question