karsvrop
"The Password on This Account cannot be changed at this time"
Hi There,
I am one of many that administer a large enterprise domain. We are currently having issues with random users unable to change their passwords upon expiration. Initially they will get an error stating "You do not have permission to change your password". It can be changed in Active Directory, but if we select "User must change password at next logon" they will then receive the error "The Password on This Account cannot be changed at this time". This question seems to have been asked a lot and I have followed the advice given on several other threads, but we still cannot move past this. We have a 2000 domain with some 2003 domain controllers. All client machines are XP.
Our Default Domain Policy is set to the following:
Computer Configurations | Windows Settings | Account Policies/Password Policy
Enforce password history: 24 passwords remembered
Maximum password age: 45 days
Minimum password age: 0 days
Minimum password length: 8 characters
Password must meet complexity requirements: Enabled
Store passwords using reversible encryption: Disabled
'Everyone' group is applied to all user objects with change password enabled.
Does anyone have any ideas?
Thanks!!
Miriam
ASKER
I apologize, but I gave incorrect information. We are a 2000 domain; all domain controllers are running 2000 with SP4. Please forgive my ignorance: this is my second week in this position and I am still learning the environment from a server perspective, as I came from a support role in the organization.
All clients are running SP2 with all current updates. This happens on any machine the user logs in to, not just their own. This does not happen to new users. It is happening to users that try to change their password before it expires. It happens if they select change upon login or if they go into Windows, press Ctrl-Alt-Del and select Change Password.
The following KBs were reviewed:
http://support.microsoft.com/kb/273004 - The min password age is set to 0.
http://support.microsoft.com/kb/328817 - restrictanonymous is not set to 2
http://support.microsoft.com/kb/812530 - restrictanonymous is not set to 2, all clients are running SP2 and NT4emulator is not enabled.
Threads reviewed:
https://www.experts-exchange.com/questions/21443899/You-do-not-have-permission-to-change-your-password.html?qid=21443899 - Everyone has permission to change password on all user objects in AD.
https://www.experts-exchange.com/questions/21055845/You-do-not-have-permission-to-change-your-password.html?sfQueryTermInfo=1+chang+do+have+password+permiss+you+your
https://www.experts-exchange.com/questions/20741892/no-permission-to-change-domain-password.html?qid=20741892
https://www.experts-exchange.com/questions/20936301/User-recieves-You-do-not-have-permission-to-change-your-password-when-warned-that-password-will-expire-in-X-days.html?sfQueryTermInfo=1+chang+do+have+password+permiss+you+your
The users that cannot change their password are getting the message "Your password will expire in x days do you want to change your password?" They select yes and are getting the error that they do not have permission to change their password. If we reset the password in AD or they try to change the password from Windows (Ctrl + Alt + Del | Change password) they are getting the error "The password on this account cannot be changed at this time".
Everyone is added to all user objects and change password is enabled. Group policy Min password age is set to 0 and we are running the most current MS updates on clients.
Hi,
Can you give us some more information, like where you are applying the GPO (OU, site or domain level)? The above specified problem is mainly due to a conflict in the GP. If you are assigning GPOs at multiple levels, then please verify that there is no conflict in the Group Policy.
ASKER
We apply policy at Domain, site and OU level.
I have gone through every policy to verify conflict - the default domain policy is the only one that defines password and workstation security in our organization.
I think an important question is: is the problem who, where or another?
Is it some accounts will not change, no matter on what computer?
Is it some computers will not allow any user to change the password?
Or is it a messy random mix of the 2?
If a user can't change their password on 1 computer, try other users who can change theirs on the same computer.
etc...
It may be a useful detail to add...
Also, all groups you say have permission to change passwords, but if a person is a member of multiple groups, and 1 group for any reason is set to deny access, it will listen to a deny over every other allow clause anywhere, I believe. Just as a note.
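Added example, not part of the original thread: a simplified Python model of how a DACL is evaluated for the Change Password extended right on a user object, showing how a Deny entry for one group interacts with an Allow for 'Everyone'. The group name "Kiosk Users" and the sample ACL are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# GUID of the User-Change-Password extended right in Active Directory.
CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b"

@dataclass(frozen=True)
class Ace:
    kind: str               # "allow" or "deny"
    trustee: str            # user or group the entry applies to
    right: Optional[str]    # extended-right GUID; None means all extended rights
    inherited: bool = False

def canonical(dacl):
    """Order entries as Windows tools store them: explicit deny, explicit allow,
    inherited deny, inherited allow. The access check walks this stored order."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))

def can_change_password(dacl, memberships):
    """Return (allowed, deciding_ace). For a single right, the first entry that
    matches one of the caller's identities decides; no match means denied."""
    for ace in canonical(dacl):
        if ace.trustee in memberships and ace.right in (None, CHANGE_PASSWORD):
            return ace.kind == "allow", ace
    return False, None

# Constructed sample ACL: the allows described in the thread plus one stray deny.
SAMPLE_DACL = [
    Ace("allow", "Everyone", CHANGE_PASSWORD),
    Ace("allow", "SELF", CHANGE_PASSWORD),
    Ace("deny", "Kiosk Users", CHANGE_PASSWORD),   # hypothetical group
]

def report(dacl, memberships):
    """One-line summary suitable for an audit log."""
    allowed, ace = can_change_password(dacl, memberships)
    if ace is None:
        return "DENIED: no matching entry"
    origin = "inherited" if ace.inherited else "explicit"
    verdict = "ALLOWED" if allowed else "DENIED"
    return f"{verdict} by {origin} {ace.kind} for {ace.trustee}"

if __name__ == "__main__":
    print(report(SAMPLE_DACL, {"Everyone", "SELF", "Domain Users"}))
    print(report(SAMPLE_DACL, {"Everyone", "SELF", "Kiosk Users"}))
```

In this model an explicit Allow on the object is reached before an inherited Deny, so when auditing an affected account it is worth noting whether each Deny entry is explicit or inherited.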
I would also add:
Try running GPUpdate from a command prompt on the problematic computers just to make sure they have updated to the latest Group Policy settings.
Mark
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Second, you haven't specified which threads or solutions you have attempted, so this may be redundant, but...
* XP hotfix to resolve "do not have permission to change..." : http://support.microsoft.com/kb/328817
Are your XP clients running SP2? There's a known bug in XP Service Pack 1 that can cause this behaviour.
Hope this helps.
Laura E. Hunter - Microsoft MVP: Windows Server - Networking