Password Permission Issue

[Michael]

Hello All,

I've checked the Microsoft KnowledgeBase and looked through the FAQ and
rest of the posts here, but have found only remotely similar problem posts.

We have a small network (15 PCs) of Win2K Pro systems running in Workgroup
mode. Some are running SP 3 and others SP 4. I stopped loading SP 4 after
I noticed this problem, though it is happening even to the systems with SP
3.

When a user is required to change their password at the next logon, they
can't do it. The system tells them "You do not have permission to change
your password." The password attempts definitely meet the complexity
requirements in our system security policy.

The only similar problem(s) I could find in the KB inolved domain
configurations. Also, one suggestion which I felt it could not hurt to try
that was posted was concerning the registry value of
RestrictAnonymousAccess. I ensured this was set to 0.

In terms of a little background, I implemented a number of recommended
security configuration recommendations. One of them happened to be removing
Everyone from the DACLs. Could this be part of the problem?

Any help is greatly appreciated.


Michael

 

[Steven L Umbach]

The "restrict anonymous" setting would not apply since you are not in a domain
and these are only local machine accounts. Check the user accounts to make sure that
"user can not change password" is not selected. Removing the everyone group from the
drive root folder is generally a good idea, however you should not change any ntfs
permissions on the systemroot - \winnt folder and subfolders. In general those
folders are already locked down fairly well. If you removed everyone permissions from
those folders, that could very well be causing your problem. There are ways to
restore those permissions. See the following link. It would be worth trying it on at
least one of your computers. --- Steve

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q266118&