users unable to change password

  • Thread starter Thread starter rwiedower
  • Start date Start date
Applied registry change to both systems and rebooted. Tested client machine.
It didn't work.

One question: what type of key was the "RefusePasswordChange" supposed to
be? Since "DiablePasswordChange" was a DWORD, I set it to be as DWORD as
well. That's what I was supposed to do, correct?

eol,

Reed
 
Dear Reed,

The "RefusePasswordChange" key can be set to 1 on DCs to disable the
machine account's change. The provided steps are aimed to ensure that your
registry entries are configured correctly. The DWORD "DiablePasswordChange"
value needs to be set "0" as well.

After the reboot, please repeat the steps I've provided in initial
response, and then test the situation. For your convenience, I've pasted
them again as below:

a. Start the Active Directory Users and Computers tool, right-click the
Domain Controllers container, and then click Properties.
b. Click the Group Policies tab, click the Default Domain Controllers
policy, and then click Edit.
c. Expand the following items in the policy:

Computer Configuration
Windows Settings
Security Settings
Local Policies
User Rights Assignment

d. Double-click "Access this computer from the network", click Add, click
Browse, and then add Everyone and Authenticated Users.
e. Click OK in each dialog box or window to quit the policy editor. Close
the domain controller properties, and then quit Active Directory Users and
Computers.
f. At a command prompt, type "secedit /refreshpolicy machine_policy
/enforce" (without the quotation marks), and then press ENTER.

Regards,

Seaver
 
Okay, do I need to set the 'RefusePasswordChange" to "1" or "0"? Originally,
you seemed to indicate that I should set it to "0" but this latest e-mail
implies that I should set it to "1". Which is it? Once I have your answer
I'll proceed with the rest of the steps.

end of line,

Reed
 
Dear Reed,

The "RefusePasswordChange" key can be set to 1 on DCs to disable the
machine account's change. I suggest that you set it "0" to disable that
function. Thanks.

- Seaver
 
I followed each of the steps outlined in the earlier post.

1) Made the registry change (although both were already set to "0").

2) Rebooted both DCs.

3) Made the GPO change (although the GPO was already setup to allow the
"everyone" and "authenticated users" groups access).

4) Refreshed the security settings on the workstation.

5) Logged in with an user account whose password is past the expiration
period. It prompted me to change it. I attempted to do so and, once again,
received the "you do not have permission to change your password" error
dialog box.

What can I try next?

end of line,

Reed Wiedower
 
Thanks to some helpful folks at MS, this issue has now been resolved. It
involved a hotfix being applied, but hopefully by the time XP service pack 2
(the hotfix was for the workstations, not the domain controller!) rolls out
it'll be included in it. Thanks again for everyone's help.

end of line,

Reed
 
Back
Top