pwd change

  • Thread starter Thread starter loo
  • Start date Start date
L

loo

All users on my domain must be authenticated and logged onto their machine
before they can change their pwd. As opposed to - on start entering
pwd..... notice to user telling them that pwd needs to be changed--- select
change pwd..... enter old pwd and new pwd...... it is here that they receive
"do not have permission to change pwd error". Once logged onto machine
though they can change their pwd without error. Has one of my security
settings inadvertently effected this?
thank you very much
 
it is win2000 domain --- and from what i have understood - this feature was
removed from 2000 on......
 
loo said:
All users on my domain must be authenticated and logged onto their machine
before they can change their pwd. As opposed to - on start entering
pwd..... notice to user telling them that pwd needs to be changed--- select
change pwd..... enter old pwd and new pwd...... it is here that they receive
"do not have permission to change pwd error". Once logged onto machine
though they can change their pwd without error. Has one of my security
settings inadvertently effected this?
thank you very much
Click to expand...

Make sure that the computer account (the computer the user is logging on to)
has enough rights in Active directory to find the user. This means that the
comptuer account (or Domain COmputers, or Authenticated Users) must have
list object access on the OU the user resides in, and probably also need
read on the user object. And ofcoure, Everyone needs Change Password rights
on the User object.

Also make sure authenticated users has Read access on the domain object in
active directory.


Arild
 
Thank you for your response. I am sorry if this seems like a newbie
question, but where would i specify this type of access by the computer. I
have scowered active directory and have come up short. (also local and
domain security policies). I appreciate your help
 
Use the Security tab on the properties dialog for the containers and OUs in
active directory. Make sure domain computers has enough rights to locate the
users.

Arild
 
Back
Top