Solved

"The Password on This Account cannot be changed at this time"

Posted on 2007-04-09
7
3,156 Views
Last Modified: 2012-06-27
Hi There,

I am one of many that administer a large enterprise domain.  We are currently having issues with random users unable to change their passwords upon expiration.  Initially they will get an error stating "You do not have permission to change your password". It can be changed in Active Directory but if we select "User must change password at next logon" they will then receive the error "The Password on This Account cannot be changed at this time"   This question seems to have been asked a lot and I have followed the advice given on several other threads but we still cannot move past this. We have a 2000 domain with some 2003 domain controllers.  All client machines are XP.

Our Default Domain Policy  is set to the following:

Computer Configurations | Windows Settings | Account Policies/Password Policy
Enforce password history                                          24 passwords remembered
Maximum password age                                             45 days
Minimum password age                                                0 days
Minimum Password length                                             8 characters
Password must meet complexity requirements            enabled
Sore passwords using reversible encryption              Disabled.

'Everyone' group is applied to all user objects with change password enabled.

Does anyone have any ideas?

Thanks!!

Miriam
0
Comment
Question by:karsvrop
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18878334
First, a technical note: if you have 2003 DCs in your domain, then you have a 2003 domain. By running forestprep and domainprep and adding a 2K3 DC, you have upgraded your domain to Windows Server 2003.

Second, you haven't specified which threads or solutions you have attempted, so this may be redundant, but...

* XP hotfix to resolve "do not have permission to change..." : http://support.microsoft.com/kb/328817

Are your XP clients running SP2?  There's a known bug in XP Service Pack 1 that can cause this behaviour.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
0
 

Author Comment

by:karsvrop
ID: 18878809
I apologize but I gave incorrect information.  We are a 2000 domain, all domain controllers are running 2000 with SP4. Please forgive my ignorance, this is my second week in this position and I am still learning the enviroment from a server perspective as I came from a support role in the organization.

All clients are running SP2 with all current updates.  This happens on any machine the user logins to, not just their own.  This does not happen to new users.  It is happening to users that try to change their password before it expires.  It happens if they select change upon login or if they go into windows and ctrl-alt-del and select change password.  

The following KBs were reviewed:

http://support.microsoft.com/kb/273004 - The min password age is set to 0.
http://support.microsoft.com/kb/328817 - restrictanonymous is not set to 2
http://support.microsoft.com/kb/812530 - restrictanonymous is not set to 2, all clients are running sp2 and NT4emulator is not enabled.

Threads reviewed:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_21443899.html?qid=21443899 - Everyone has permission to change password on all user objects in AD.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/2000/Q_21055845.html?sfQueryTermInfo=1+chang+do+have+password+permiss+you+your

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/2000/Q_20741892.html?qid=20741892

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/2000/Q_20936301.html?sfQueryTermInfo=1+chang+do+have+password+permiss+you+your

The users that cannot change their password are getting the message "Your pasword will expire in x days do you want to change your password?" they select yes and are getting the error that they do not have permission to change their password.  If we reset the password in AD or they try to change the password from windows (ctrl + alt + del | Change password) they are getting the error THe password on this account cannot be changed at this time"

Everyone is added to all user objects and change password is enabled.  Group policy Min password age is set to 0 and we are running the most current MS updates on clients.






0
 

Expert Comment

by:nagarajnoolvi
ID: 18880629
hi,
can you give us some more information like where you are applying the GPO ( OU, Site or Domain level).  The above specified problem is mainly due to the conflect in the GP, if you are assigning GPO at multiple levels then plz verify that there is not conflect in the Grop policy.
0
PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

 

Author Comment

by:karsvrop
ID: 18882649
We apply policy at Domain, site and OU level.

I have gone through every policy to verify conflict - the default domain policy is the only one that defines password and workstation security in our organization.
0
 
LVL 1

Expert Comment

by:Matty023
ID: 18886034
I think an important question is.. Is the porblem, who, where or another?
Is it some accounts will not change, no matter on what computer?
Is it some computers will not all any user to change the password?
Or is it a messy random mix of the 2?

If a user can't change their password on 1 computer, try other users who can change theirs on the same computer.
 etc...
It may be a useful detail to add...

Also all groups you say have permission to change passwords, but if a person is a member of a multiple groups, and 1 group for any reason is set to deny access, it will listen to a deny over every other allow clause anywhere I believe. Just as a note.
0
 

Expert Comment

by:MaximusPrime
ID: 18886814
I would also add:

Try running GPUpdate from a command prompt on the problematic computers just to make sure they have updated to the latest Group Policy settings.

Mark
0
 
LVL 5

Accepted Solution

by:
robstacey earned 500 total points
ID: 18947009
It was my understanding that password policies are only configurable in a domain level GPO in a Windows 2000 AD environment? One of the few reasons for creating different domains in my MCSE stuff was if you had a foreign office and they wanted different password complexity.  It's one of the few things that can't be set at OU level. Maybe this is confusing the security settings when people are trying to change their passwords?
This article on the MS site explains this in point 1 (This must be a group policy object linked to the entire domain)     http://support.microsoft.com/kb/225230
Remove any password settings in Group Policy Objects lower down the AD tree.
Hope this helps.
0

Featured Post

Creating Instructional Tutorials  

For Any Use & On Any Platform

Contextual Guidance at the moment of need helps your employees/users adopt software o& achieve even the most complex tasks instantly. Boost knowledge retention, software adoption & employee engagement with easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Remote Desktop Protocol or RDP has become an essential tool in many offices. This article will show you how to set up an external IP to point directly to an RDP session. There are many reasons why this is beneficial but perhaps the top reason is con…
Problem Description: Actually I found the below issue with some customers after migration from SMS 2003 to SCCM 2007 and epically if they change site code, some clients may appear in the console with old site code, plus old sites still appearing …
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question