forced cross domain password change....

phatso454

hi all,

we are running 2 Win2003 native mode domains with a 2 way trust. we
have recently forced a number of users to change their password ("User
must change password at next logon").


problems:


1) some users have computers in a different domain than the one they
logon to. when logging in they are prompted to change their password,
but then get "You do not have permission to change your password". i
read that this may be related to the fact the change password command
is actually initiated by the local computer (to the domain controller)
not the actual user credentials. any ideas on how to make this work?


2) we would like to allow remote users to change their password with
the IIS change password function (iisadmpwd). however, this does NOT
work if the parameter "User must change password at next logon" is
invoked. that is a bummer.


i have done some research and Googled around, but haven't found any
documentation that specifically addresses these issues.
any ideas on how i can smooth these issues out? any help would be
greatly appreciated.


best,
putt
 
> hi all,
>
> we are running 2 Win2003 native mode domains with a 2 way trust. we
> have recently forced a number of users to change their password ("User
> must change password at next logon").
>
> problems:
>
> 1) some users have computers in a different domain than the one they
> logon to. when logging in they are prompted to change their password,
> but then get "You do not have permission to change your password". i
> read that this may be related to the fact the change password command
> is actually initiated by the local computer (to the domain controller)
> not the actual user credentials. any ideas on how to make this work?

Having lived in environments where user accounts were
in one domain and computers in another many times (and
for many years) I have NEVER seen this happen.

My first guess would be your users are NOT actually
authenticated properly (likely due to some DNS problem).

Other than that I would like to see your reference for where
you "read this may be...."

What was the source of that info and what was the full
explanation there?

> 2) we would like to allow remote users to change their password with
> the IIS change password function (iisadmpwd). however, this does NOT
> work if the parameter "User must change password at next logon" is
> invoked. that is a bummer.

My comments above were in reference to a user LOGGING
on to a computer (Ctrl-Alt-Del) and not to using IIS where
they are merely AUTHENTICATING (not actually logging
onto the computer.)

> i have done some research and Googled around, but haven't found any
> documentation that specifically addresses these issues.
> any ideas on how i can smooth these issues out? any help would be
> greatly appreciated.

My first thoughts would include running DCDiag on every DC,
and NetDiag on affected client machines, capturing the output,
and searching for FAIL, WARN, or IGNORE (fix those problems.)
 
Putt,

I am with Herb on this...it should not matter that the user account objects
are in one Domain and the computer account objects are in another...
 
Have you checked the rights that SELF has to the user objects?

It should have (at least) Read and Change Password.

neil
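
The check on SELF's rights suggested above can be scripted. The PowerShell below is an added example, not code from anyone in the thread: it reads a user object's DACL in SDDL form and reports whether SELF or Everyone holds the Change Password extended right. The function name is hypothetical, the sample SDDL strings are constructed, and limiting the check to SELF and Everyone is an assumption.

```powershell
# Added example, not from the thread. Sample SDDL strings below are constructed.
# For a live object, the SDDL can be read with (placeholder DN):
#   ([ADSI]'LDAP://<user DN>').psbase.ObjectSecurity.GetSecurityDescriptorSddlForm('Access')
$ChangePassword = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'  # User-Change-Password extended right
$Trustees       = 'S-1-5-10', 'S-1-1-0'                         # SELF, Everyone (assumed scope)
$ControlAccess  = 0x100                                         # ADS_RIGHT_DS_CONTROL_ACCESS
$InheritOnly    = [int][System.Security.AccessControl.AceFlags]::InheritOnly
$TypePresent    = [int][System.Security.AccessControl.ObjectAceFlags]::ObjectAceTypePresent

function Get-SelfChangePasswordState {
    param([Parameter(Mandatory = $true)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.QualifiedAce]) { continue }
        if (([int]$ace.AceFlags -band $InheritOnly) -ne 0) { continue }   # applies to child objects only
        if (($ace.AccessMask -band $ControlAccess) -eq 0) { continue }    # carries no extended rights
        if ($Trustees -notcontains $ace.SecurityIdentifier.Value) { continue }
        # An object ACE that names a different extended right is not relevant;
        # an ACE with no object type covers every extended right.
        if ($ace -is [System.Security.AccessControl.ObjectAce] -and
            ([int]$ace.ObjectAceFlags -band $TypePresent) -ne 0 -and
            $ace.ObjectAceType -ne $ChangePassword) { continue }
        # The first matching ACE decides, as in a normal access check.
        if ($ace.AceQualifier -eq 'AccessDenied') { return 'Denied' }
        return 'Allowed'
    }
    return 'NotGranted'
}

$cr = 'ab721a53-1e2f-11d0-9819-00aa0040529b'
$samples = @{
    # Default user object: Everyone and SELF are allowed Change Password
    'default user'           = "O:BAG:BAD:(OA;;CR;$cr;;WD)(OA;;CR;$cr;;PS)(A;;RC;;;AU)"
    # Deny ACEs as written by the "User cannot change password" checkbox
    'cannot change password' = "O:BAG:BAD:(OD;;CR;$cr;;WD)(OD;;CR;$cr;;PS)(A;;RC;;;AU)"
    # Only Reset Password for Administrators remains; nothing for SELF
    'SELF ACE removed'       = "O:BAG:BAD:(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;BA)(A;;RC;;;AU)"
}
foreach ($name in $samples.Keys) {
    '{0,-24} {1}' -f $name, (Get-SelfChangePasswordState -Sddl $samples[$name])
}
```

A result of `Denied` or `NotGranted` on an affected account points at the object's ACL rather than at the trust or at DNS.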
 