Password policy

  • Thread starter: Tom

Tom

I have this strange issue at one of my sites. I have a
single domain controller with password policy set from
Domain security policy. It is set to expire password in
120 days (Maximum password age is set to 120 days). The
moment I apply this policy, all users on the wire except
admins are prompted to change the password immediately.
If they try to do so they get this error: you don't have
sufficient rights to do so.

I assume some of you have faced this issue. I will
appreciate your solutions to this.

Tom
 
Tom,

Whenever you set a maximum password age policy, it will force all users to
change their password immediately so it can begin tracking the next 120 day
cycle as soon as they change their current password. The behavior that you
are seeing is expected.

However, this should not be causing your users any problems when they
attempt to change their passwords. This may be caused by your users not
having everyone "change password" permission in AD.

To see if this is the case, open AD Users and Computers, go into the
properties of one of your problem users, then go to the security tab into
advanced settings. See what is or is not allowed for the change password
permission. By default, everyone has the "change password" permission on
"this object only". If your user is not configured this way, please change
it accordingly and see if that fixes your problem.

I am not sure how this would have been changed universally unless you
applied some kind of security template. However, you can either change each
one manually, or if you have a great many users, you can try to change them
using the dsacls utility. This utility is part of the Windows 2000 support
tools that come on the install CD.

I hope this helps.

Ray Lava
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights
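
Added example (not part of Ray Lava's reply and not Microsoft's code): a read-only audit of the "change password" permission check described above, run across all enabled users instead of one at a time. It assumes the ActiveDirectory PowerShell module, which is not part of Windows 2000; the function name Get-ChangePasswordAce is made up for this example.

```powershell
# Added example: list enabled users whose "Change Password" permission
# differs from the default described in the reply. Read-only; changes nothing.
# Assumption: the ActiveDirectory (RSAT) module is installed.
Import-Module ActiveDirectory

# Schema GUID of the "Change Password" (User-Change-Password) extended right
$ChangePwd = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'

# Well-known SIDs, used instead of names so the check is language-independent
$Trustees = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-10' = 'SELF' }

# Hypothetical helper: return the Change Password ACEs held by Everyone/SELF
function Get-ChangePasswordAce {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.ObjectType -eq $ChangePwd -and
            ($_.ActiveDirectoryRights -band
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            $Trustees.ContainsKey($_.IdentityReference.Value)
        }
}

Get-ADUser -Filter 'Enabled -eq $true' | ForEach-Object {
    $user = $_
    $aces = @(Get-ChangePasswordAce -DistinguishedName $user.DistinguishedName)

    # An explicit Deny is what the "User cannot change password" box writes
    $deny = @($aces | Where-Object { $_.AccessControlType -eq 'Deny' })
    # The default the reply describes: Everyone is allowed Change Password
    $everyoneAllow = @($aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq 'S-1-1-0'
    })

    if ($deny.Count -gt 0 -or $everyoneAllow.Count -eq 0) {
        [pscustomobject]@{
            User          = $user.SamAccountName
            DenyFor       = ($deny | ForEach-Object {
                                $Trustees[$_.IdentityReference.Value] }) -join ', '
            EveryoneAllow = [bool]$everyoneAllow.Count
        }
    }
}
```

Any account it lists is one to open in AD Users and Computers and compare against the default described in the reply.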
 
Whenever you set a maximum password age policy, it will force all users to
change their password immediately so it can begin tracking the next 120 day
cycle as soon as they change their current password. The behavior that you
are seeing is expected.

Is this IMMEDIATE or just next logon? (Just curious to know the precise
answer.)
 