User cannot change password

We have an issue where in AD the "user cannot change password" tick box is not staying ticked.

Any ideas?
Alex-Kay Asked:
 
jnicpon Commented:
Looked at your attachments. I would venture to say you're not going to find many clues in the policy test results. You'll need to examine the details of each policy that contains security elements, as well as examining security that is set on parent OU of the accounts, as well as on the individual user objects. This can be done via the User & Computers AD console by enabling advanced view. Right-click properties/Security Tab may shed some light on this.
 
jnicpon Commented:
Check the GPOs that are affecting the parent container of the user object. Ensure that there is no policy directly affecting the object.
 
Alex-Kay (Author) Commented:
Can you be more specific about what to look for?
 
Stacy Spear (President/Principal Consultant) Commented:
gpresult /USER domain\user /Z
 
Stacy Spear (President/Principal Consultant) Commented:
Oops, it will show what policies are set for the user. Nice thing about the Z switch is that it will show if the same parameter is set in multiple places.
 
Alex-Kay (Author) Commented:
Any idea what we would need to look for in the output of that, that would affect the "user cannot change password" policy?

Thanks
 
Alex-Kay (Author) Commented:
Please see attached two results from two users: the 1st is being affected, the 2nd is not. I have highlighted the only differences that I can see.

Would these affect?
userresults1.docx
useresults2.docx
 
Stacy Spear (President/Principal Consultant) Commented:
Agreed. You will have to go into GPO management and look at each one if there isn't documentation on the GPOs. Limiting who has access to GPOs and even the number of domain admins is always best. GPOs can be so complex, they should, I feel that they must, be documented.
Question has a verified solution.
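
The Security tab check suggested in the thread (user object and parent OU) can also be done from PowerShell, which makes it easy to compare an affected account with an unaffected one. This is an added example, not part of the original thread; it assumes the RSAT ActiveDirectory module is installed, and 'jdoe' is a placeholder account name.

```powershell
# Added example: needs the RSAT ActiveDirectory module and read access to the directory.
Import-Module ActiveDirectory

# Well-known GUID of the "Change Password" (User-Change-Password) extended right.
# The "User cannot change password" tick box is a view of ACEs for this right.
$ChangePasswordRight = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'

function Get-ChangePasswordAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # The AD: drive is provided by the ActiveDirectory module.
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)

    $acl.Access |
        Where-Object {
            $_.ObjectType -eq $ChangePasswordRight -and
            ($_.ActiveDirectoryRights -band
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        } |
        Select-Object @{ n = 'Object'; e = { $DistinguishedName } },
                      IdentityReference,    # who the entry applies to
                      AccessControlType,    # Allow or Deny
                      IsInherited,          # True = comes from a parent container
                      InheritanceType,
                      InheritedObjectType   # object class the entry is scoped to
}

# Placeholder account: replace 'jdoe' with the affected (or the unaffected) user.
$user = Get-ADUser -Identity 'jdoe' -Properties CannotChangePassword

# Parent container = DN without its first RDN (escaped commas are handled).
$parentDn = $user.DistinguishedName -replace '^(?:[^,\\]|\\.)+,', ''

"CannotChangePassword as read by Get-ADUser: $($user.CannotChangePassword)"

"Change Password entries on the user object:"
Get-ChangePasswordAce -DistinguishedName $user.DistinguishedName |
    Format-Table -AutoSize

"Change Password entries on the parent container:"
Get-ChangePasswordAce -DistinguishedName $parentDn |
    Format-Table -AutoSize
```

The tick box is set by Deny entries for Everyone and SELF on the user object. Run the script for both accounts and compare which of those entries are present, and whether any Change Password entry is marked as inherited from the parent container.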