Solved

"The Password on This Account cannot be changed at this time"

Posted on 2007-04-09
7
2,990 Views
Last Modified: 2012-06-27
Hi There,

I am one of many that administer a large enterprise domain.  We are currently having issues with random users unable to change their passwords upon expiration.  Initially they will get an error stating "You do not have permission to change your password". It can be changed in Active Directory but if we select "User must change password at next logon" they will then receive the error "The Password on This Account cannot be changed at this time"   This question seems to have been asked a lot and I have followed the advice given on several other threads but we still cannot move past this. We have a 2000 domain with some 2003 domain controllers.  All client machines are XP.

Our Default Domain Policy  is set to the following:

Computer Configurations | Windows Settings | Account Policies/Password Policy
Enforce password history                                          24 passwords remembered
Maximum password age                                             45 days
Minimum password age                                                0 days
Minimum Password length                                             8 characters
Password must meet complexity requirements            enabled
Sore passwords using reversible encryption              Disabled.

'Everyone' group is applied to all user objects with change password enabled.

Does anyone have any ideas?

Thanks!!

Miriam
0
Comment
Question by:karsvrop
7 Comments
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18878334
First, a technical note: if you have 2003 DCs in your domain, then you have a 2003 domain. By running forestprep and domainprep and adding a 2K3 DC, you have upgraded your domain to Windows Server 2003.

Second, you haven't specified which threads or solutions you have attempted, so this may be redundant, but...

* XP hotfix to resolve "do not have permission to change..." : http://support.microsoft.com/kb/328817

Are your XP clients running SP2?  There's a known bug in XP Service Pack 1 that can cause this behaviour.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
0
 

Author Comment

by:karsvrop
ID: 18878809
I apologize but I gave incorrect information.  We are a 2000 domain, all domain controllers are running 2000 with SP4. Please forgive my ignorance, this is my second week in this position and I am still learning the enviroment from a server perspective as I came from a support role in the organization.

All clients are running SP2 with all current updates.  This happens on any machine the user logins to, not just their own.  This does not happen to new users.  It is happening to users that try to change their password before it expires.  It happens if they select change upon login or if they go into windows and ctrl-alt-del and select change password.  

The following KBs were reviewed:

http://support.microsoft.com/kb/273004 - The min password age is set to 0.
http://support.microsoft.com/kb/328817 - restrictanonymous is not set to 2
http://support.microsoft.com/kb/812530 - restrictanonymous is not set to 2, all clients are running sp2 and NT4emulator is not enabled.

Threads reviewed:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_21443899.html?qid=21443899 - Everyone has permission to change password on all user objects in AD.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/2000/Q_21055845.html?sfQueryTermInfo=1+chang+do+have+password+permiss+you+your

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/2000/Q_20741892.html?qid=20741892

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/2000/Q_20936301.html?sfQueryTermInfo=1+chang+do+have+password+permiss+you+your

The users that cannot change their password are getting the message "Your pasword will expire in x days do you want to change your password?" they select yes and are getting the error that they do not have permission to change their password.  If we reset the password in AD or they try to change the password from windows (ctrl + alt + del | Change password) they are getting the error THe password on this account cannot be changed at this time"

Everyone is added to all user objects and change password is enabled.  Group policy Min password age is set to 0 and we are running the most current MS updates on clients.






0
 

Expert Comment

by:nagarajnoolvi
ID: 18880629
hi,
can you give us some more information like where you are applying the GPO ( OU, Site or Domain level).  The above specified problem is mainly due to the conflect in the GP, if you are assigning GPO at multiple levels then plz verify that there is not conflect in the Grop policy.
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:karsvrop
ID: 18882649
We apply policy at Domain, site and OU level.

I have gone through every policy to verify conflict - the default domain policy is the only one that defines password and workstation security in our organization.
0
 
LVL 1

Expert Comment

by:Matty023
ID: 18886034
I think an important question is.. Is the porblem, who, where or another?
Is it some accounts will not change, no matter on what computer?
Is it some computers will not all any user to change the password?
Or is it a messy random mix of the 2?

If a user can't change their password on 1 computer, try other users who can change theirs on the same computer.
 etc...
It may be a useful detail to add...

Also all groups you say have permission to change passwords, but if a person is a member of a multiple groups, and 1 group for any reason is set to deny access, it will listen to a deny over every other allow clause anywhere I believe. Just as a note.
0
 

Expert Comment

by:MaximusPrime
ID: 18886814
I would also add:

Try running GPUpdate from a command prompt on the problematic computers just to make sure they have updated to the latest Group Policy settings.

Mark
0
 
LVL 5

Accepted Solution

by:
robstacey earned 500 total points
ID: 18947009
It was my understanding that password policies are only configurable in a domain level GPO in a Windows 2000 AD environment? One of the few reasons for creating different domains in my MCSE stuff was if you had a foreign office and they wanted different password complexity.  It's one of the few things that can't be set at OU level. Maybe this is confusing the security settings when people are trying to change their passwords?
This article on the MS site explains this in point 1 (This must be a group policy object linked to the entire domain)     http://support.microsoft.com/kb/225230
Remove any password settings in Group Policy Objects lower down the AD tree.
Hope this helps.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Join & Write a Comment

1. Boot PC and press F10, select storage options and change the compatibility from “AHCI” to “IDE”, save and exit 2. Boot PC and press F12 3. Upon PXE display of searching for DHCP server, press Pause break to obtain MAC address 3. Open Configu…
After having deployed hundreds of thousands of Terminal Services seats worldwide, I still see all the time people asking me that same old question: "If TS/RDS is that reliable why are you telling me I should reboot it that often? My DC/SQL/Exchange/…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now