You do not have permission to change password

  • Thread starter: Tony Moo

Tony Moo

Hi all,
I have a Windows 2000 Server based setup here with WinXP and Win2000 Pro
clients. Service pack for Windows 2000 is SP4 and SP1 for XP.

Now, the problem is, I have applied a group policy to an Organizational
Unit I created for users that requires them to change their passwords at
first logon. When I tested this setup, the "Password has expired. user must
change password to logon" message came alright, but I was unable to change
the password. The message that came up thereafter was "You do not have
permission to change the password" or something similar. By the way, I even
added the account in question to the administrators group but it still
failed to resolve the issue.

How do I resolve this? Appreciate all help and thanks in advance.

Regards,
Tony G.
 
Hello Tony.

These password policy settings only apply to the domain policy (by default
it is the Default Domain Policy). Configuring a password policy for an OU
only affects the users that are present on the local workstations (local
accounts).

Please take a look at the following articles, as they apply to your
scenario.

269236 Changes Are Not Applied When You Change the Password Policy
http://support.microsoft.com/?id=269236

273004 "The Password Cannot Be Changed at This Time" Error Message When You
Try
http://support.microsoft.com/?id=273004

258788 Cannot Change Password in Windows Without Logging on to Domain
http://support.microsoft.com/?id=258788

If the above articles do not assist you and the users are domain user
accounts, move them into another OU or container and attempt to change their
password.

David Fisher
Enterprise Platform Support
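
The scoping described in the reply above, as an added example that is not part of the original thread: it reads the `[System Access]` section of GPO security templates (the GptTmpl.inf layout) and reports which password settings reach domain accounts and which reach only local accounts on computers in the OU. The two templates are constructed samples, and the function names and the `domain`/`ou` labels are hypothetical.

```python
import configparser

# Password-related keys of the [System Access] section in a security template.
PASSWORD_KEYS = {"MinimumPasswordAge", "MaximumPasswordAge", "MinimumPasswordLength",
                 "PasswordComplexity", "PasswordHistorySize"}

# Constructed samples: one GPO linked at the domain, one linked to an OU.
DOMAIN_GPO = """
[System Access]
MinimumPasswordLength = 8
MaximumPasswordAge = 42
PasswordComplexity = 1
"""
OU_GPO = """
[System Access]
MinimumPasswordLength = 12
MaximumPasswordAge = 30
"""

def system_access(inf_text):
    """Return the password settings found in a template's [System Access] section."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep the key case used in the template
    cp.read_string(inf_text)
    if not cp.has_section("System Access"):
        return {}
    return {k: int(v) for k, v in cp["System Access"].items() if k in PASSWORD_KEYS}

def effective_password_policy(links):
    """links: (scope, inf_text) pairs in processing order; scope is 'domain' or 'ou'.

    Domain accounts take password settings only from domain-linked GPOs.
    Local accounts on computers in the OU receive both, and the OU GPO,
    processed later, overrides the domain values.
    """
    domain_accounts, local_accounts, ignored_for_domain = {}, {}, {}
    for scope, text in links:
        settings = system_access(text)
        local_accounts.update(settings)
        if scope == "domain":
            domain_accounts.update(settings)
        else:
            ignored_for_domain.update(settings)  # no effect on domain accounts
    return domain_accounts, local_accounts, ignored_for_domain

if __name__ == "__main__":
    d, l, ign = effective_password_policy([("domain", DOMAIN_GPO), ("ou", OU_GPO)])
    print("domain accounts:", d)
    print("local accounts in OU:", l)
    print("OU settings ignored for domain accounts:", ign)
```
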
 
Thanks David.

I'll look at the articles, particularly the first one which I think is
affecting our setup.

Tony G.
 
Hi David,

I just finished checking the settings in the GPO I defined for the OU in
question and realised that I did not in fact set password policies there.
All that I did was to implement Folder Redirection and Roaming Profiles
using that GPO.

The password settings were set in the Default Domain Policy and the Default
Domain Controllers Policy objects. "Block Policy inheritance" on the GPOs
is unchecked. "User cannot change password" and "Password never expires"
are both unchecked on all domain accounts. In addition, the Everyone group
has Change Password right on the said GPO. By the way, do I have to grant
the SELF object Change Password rights as well?

An interesting fact is a warning in the Application log; anytime I execute
the "secedit /refreshpolicy machine_policy /enforce" command, I get the
message:

Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 11/11/2003
Time: 10:59:25 AM
User: N/A
Computer: ADIKANFO
Description:
Security policies are propagated with warning. 0xd : The data is invalid.

For best results in resolving this event, log on with a non-administrative
account and search http://support.microsoft.com for "Troubleshooting Event
1202s".

Checking from Microsoft's website leads me to links similar to what you
forwarded me and these are unable to help me. Lastly, adding the user
account to another OU and trying the password change brings the same message
"You do not have permission to change your password".

I am simply stumped and any further help would be gladly appreciated.

Tony G.
 