"The Password on This Account cannot be changed at this time"

Hi There,

I am one of many that administer a large enterprise domain.  We are currently having issues with random users unable to change their passwords upon expiration.  Initially they will get an error stating "You do not have permission to change your password". It can be changed in Active Directory but if we select "User must change password at next logon" they will then receive the error "The Password on This Account cannot be changed at this time"   This question seems to have been asked a lot and I have followed the advice given on several other threads but we still cannot move past this. We have a 2000 domain with some 2003 domain controllers.  All client machines are XP.

Our Default Domain Policy  is set to the following:

Computer Configurations | Windows Settings | Account Policies/Password Policy
Enforce password history                                          24 passwords remembered
Maximum password age                                             45 days
Minimum password age                                                0 days
Minimum Password length                                             8 characters
Password must meet complexity requirements            enabled
Sore passwords using reversible encryption              Disabled.

'Everyone' group is applied to all user objects with change password enabled.

Does anyone have any ideas?

Thanks!!

Miriam
karsvropAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

LauraEHunterMVPCommented:
First, a technical note: if you have 2003 DCs in your domain, then you have a 2003 domain. By running forestprep and domainprep and adding a 2K3 DC, you have upgraded your domain to Windows Server 2003.

Second, you haven't specified which threads or solutions you have attempted, so this may be redundant, but...

* XP hotfix to resolve "do not have permission to change..." : http://support.microsoft.com/kb/328817

Are your XP clients running SP2?  There's a known bug in XP Service Pack 1 that can cause this behaviour.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
0
karsvropAuthor Commented:
I apologize but I gave incorrect information.  We are a 2000 domain, all domain controllers are running 2000 with SP4. Please forgive my ignorance, this is my second week in this position and I am still learning the enviroment from a server perspective as I came from a support role in the organization.

All clients are running SP2 with all current updates.  This happens on any machine the user logins to, not just their own.  This does not happen to new users.  It is happening to users that try to change their password before it expires.  It happens if they select change upon login or if they go into windows and ctrl-alt-del and select change password.  

The following KBs were reviewed:

http://support.microsoft.com/kb/273004 - The min password age is set to 0.
http://support.microsoft.com/kb/328817 - restrictanonymous is not set to 2
http://support.microsoft.com/kb/812530 - restrictanonymous is not set to 2, all clients are running sp2 and NT4emulator is not enabled.

Threads reviewed:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_21443899.html?qid=21443899 - Everyone has permission to change password on all user objects in AD.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/2000/Q_21055845.html?sfQueryTermInfo=1+chang+do+have+password+permiss+you+your

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/2000/Q_20741892.html?qid=20741892

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/2000/Q_20936301.html?sfQueryTermInfo=1+chang+do+have+password+permiss+you+your

The users that cannot change their password are getting the message "Your pasword will expire in x days do you want to change your password?" they select yes and are getting the error that they do not have permission to change their password.  If we reset the password in AD or they try to change the password from windows (ctrl + alt + del | Change password) they are getting the error THe password on this account cannot be changed at this time"

Everyone is added to all user objects and change password is enabled.  Group policy Min password age is set to 0 and we are running the most current MS updates on clients.






0
nagarajnoolviCommented:
hi,
can you give us some more information like where you are applying the GPO ( OU, Site or Domain level).  The above specified problem is mainly due to the conflect in the GP, if you are assigning GPO at multiple levels then plz verify that there is not conflect in the Grop policy.
0
10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

karsvropAuthor Commented:
We apply policy at Domain, site and OU level.

I have gone through every policy to verify conflict - the default domain policy is the only one that defines password and workstation security in our organization.
0
Matty023Commented:
I think an important question is.. Is the porblem, who, where or another?
Is it some accounts will not change, no matter on what computer?
Is it some computers will not all any user to change the password?
Or is it a messy random mix of the 2?

If a user can't change their password on 1 computer, try other users who can change theirs on the same computer.
 etc...
It may be a useful detail to add...

Also all groups you say have permission to change passwords, but if a person is a member of a multiple groups, and 1 group for any reason is set to deny access, it will listen to a deny over every other allow clause anywhere I believe. Just as a note.
0
MaximusPrimeCommented:
I would also add:

Try running GPUpdate from a command prompt on the problematic computers just to make sure they have updated to the latest Group Policy settings.

Mark
0
robstaceyCommented:
It was my understanding that password policies are only configurable in a domain level GPO in a Windows 2000 AD environment? One of the few reasons for creating different domains in my MCSE stuff was if you had a foreign office and they wanted different password complexity.  It's one of the few things that can't be set at OU level. Maybe this is confusing the security settings when people are trying to change their passwords?
This article on the MS site explains this in point 1 (This must be a group policy object linked to the entire domain)     http://support.microsoft.com/kb/225230
Remove any password settings in Group Policy Objects lower down the AD tree.
Hope this helps.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Server OS

From novice to tech pro — start learning today.