Solved

"The Password on This Account cannot be changed at this time"

Posted on 2007-04-09
7
3,021 Views
Last Modified: 2012-06-27
Hi There,

I am one of many that administer a large enterprise domain.  We are currently having issues with random users unable to change their passwords upon expiration.  Initially they will get an error stating "You do not have permission to change your password". It can be changed in Active Directory but if we select "User must change password at next logon" they will then receive the error "The Password on This Account cannot be changed at this time"   This question seems to have been asked a lot and I have followed the advice given on several other threads but we still cannot move past this. We have a 2000 domain with some 2003 domain controllers.  All client machines are XP.

Our Default Domain Policy  is set to the following:

Computer Configurations | Windows Settings | Account Policies/Password Policy
Enforce password history                                          24 passwords remembered
Maximum password age                                             45 days
Minimum password age                                                0 days
Minimum Password length                                             8 characters
Password must meet complexity requirements            enabled
Sore passwords using reversible encryption              Disabled.

'Everyone' group is applied to all user objects with change password enabled.

Does anyone have any ideas?

Thanks!!

Miriam
0
Comment
Question by:karsvrop
7 Comments
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18878334
First, a technical note: if you have 2003 DCs in your domain, then you have a 2003 domain. By running forestprep and domainprep and adding a 2K3 DC, you have upgraded your domain to Windows Server 2003.

Second, you haven't specified which threads or solutions you have attempted, so this may be redundant, but...

* XP hotfix to resolve "do not have permission to change..." : http://support.microsoft.com/kb/328817

Are your XP clients running SP2?  There's a known bug in XP Service Pack 1 that can cause this behaviour.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
0
 

Author Comment

by:karsvrop
ID: 18878809
I apologize but I gave incorrect information.  We are a 2000 domain, all domain controllers are running 2000 with SP4. Please forgive my ignorance, this is my second week in this position and I am still learning the enviroment from a server perspective as I came from a support role in the organization.

All clients are running SP2 with all current updates.  This happens on any machine the user logins to, not just their own.  This does not happen to new users.  It is happening to users that try to change their password before it expires.  It happens if they select change upon login or if they go into windows and ctrl-alt-del and select change password.  

The following KBs were reviewed:

http://support.microsoft.com/kb/273004 - The min password age is set to 0.
http://support.microsoft.com/kb/328817 - restrictanonymous is not set to 2
http://support.microsoft.com/kb/812530 - restrictanonymous is not set to 2, all clients are running sp2 and NT4emulator is not enabled.

Threads reviewed:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_21443899.html?qid=21443899 - Everyone has permission to change password on all user objects in AD.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/2000/Q_21055845.html?sfQueryTermInfo=1+chang+do+have+password+permiss+you+your

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/2000/Q_20741892.html?qid=20741892

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/2000/Q_20936301.html?sfQueryTermInfo=1+chang+do+have+password+permiss+you+your

The users that cannot change their password are getting the message "Your pasword will expire in x days do you want to change your password?" they select yes and are getting the error that they do not have permission to change their password.  If we reset the password in AD or they try to change the password from windows (ctrl + alt + del | Change password) they are getting the error THe password on this account cannot be changed at this time"

Everyone is added to all user objects and change password is enabled.  Group policy Min password age is set to 0 and we are running the most current MS updates on clients.






0
 

Expert Comment

by:nagarajnoolvi
ID: 18880629
hi,
can you give us some more information like where you are applying the GPO ( OU, Site or Domain level).  The above specified problem is mainly due to the conflect in the GP, if you are assigning GPO at multiple levels then plz verify that there is not conflect in the Grop policy.
0
Too many email signature changes to deal with?

Are you constantly being asked to update your organization's email signatures? Do they take up too much of your time? Wouldn't you love to be able to manage all signatures from one central location, easily design them and deploy them quickly to users. Well, you can!

 

Author Comment

by:karsvrop
ID: 18882649
We apply policy at Domain, site and OU level.

I have gone through every policy to verify conflict - the default domain policy is the only one that defines password and workstation security in our organization.
0
 
LVL 1

Expert Comment

by:Matty023
ID: 18886034
I think an important question is.. Is the porblem, who, where or another?
Is it some accounts will not change, no matter on what computer?
Is it some computers will not all any user to change the password?
Or is it a messy random mix of the 2?

If a user can't change their password on 1 computer, try other users who can change theirs on the same computer.
 etc...
It may be a useful detail to add...

Also all groups you say have permission to change passwords, but if a person is a member of a multiple groups, and 1 group for any reason is set to deny access, it will listen to a deny over every other allow clause anywhere I believe. Just as a note.
0
 

Expert Comment

by:MaximusPrime
ID: 18886814
I would also add:

Try running GPUpdate from a command prompt on the problematic computers just to make sure they have updated to the latest Group Policy settings.

Mark
0
 
LVL 5

Accepted Solution

by:
robstacey earned 500 total points
ID: 18947009
It was my understanding that password policies are only configurable in a domain level GPO in a Windows 2000 AD environment? One of the few reasons for creating different domains in my MCSE stuff was if you had a foreign office and they wanted different password complexity.  It's one of the few things that can't be set at OU level. Maybe this is confusing the security settings when people are trying to change their passwords?
This article on the MS site explains this in point 1 (This must be a group policy object linked to the entire domain)     http://support.microsoft.com/kb/225230
Remove any password settings in Group Policy Objects lower down the AD tree.
Hope this helps.
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Problem Description: Actually I found the below issue with some customers after migration from SMS 2003 to SCCM 2007 and epically if they change site code, some clients may appear in the console with old site code, plus old sites still appearing …
This is my 3rd article on SCCM in recent weeks, the 1st (http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/A_4466-A-beginners-guide-to-installing-SCCM2007-on-Windows-2008-R2-Server.html) dealing with installat…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
A company’s greatest vulnerability is their email. CEO fraud, ransomware and spear phishing attacks are the no1 threat to a company’s security. Cybercrime is responsible for the largest loss of money to companies today with losses projected to r…

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now