"You do not have permission to change your password" only when expired

Thread starter: 22of3
22of3

Hi,

Users in our Windows 2003 AD domain (upgraded from NT4) that wait until
their password has expired before changing it receive the error "You do
not have permission to change your password" when they are forced to
change it. Users can change their password fine any day up until it has
actually expired.

We have restrictanonymous and restrictanonymoussam both set to 1 on the
domain controllers.

Any help would be appreciated. (Most posts I have read detail the
opposite of the above problem e.g. can not change password until it has
expired.)
 
22of3 said:
Hi,

Users in our Windows 2003 AD domain (upgraded from NT4) that wait until
their password has expired before changing it receive the error "You do
not have permission to change your password" when they are forced to
change it. Users can change their password fine any day up until it has
actually expired.

We have restrictanonymous and restrictanonymoussam both set to 1 on the
domain controllers.

Any help would be appreciated. (Most posts I have read detail the
opposite of the above problem e.g. can not change password until it has
expired.)

What is EveryoneIncludesAnonymous on the DCs? What OS are the clients
running?
 
The information below says it is for Windows 2000 domain but you may also
want to check it out for your domain in that "everyone" needs change
password permission for user accounts.

http://support.microsoft.com/?id=242795

The Everyone group has Change Password permissions on all computer and user
objects so that unauthenticated or "anonymous" users or computers are able
to change their passwords when they expire without having to be
authenticated first. If the anonymous user is denied the ability to change
passwords, the user would be unable to change the password without logging
on. The Access Control List (ACL) editor can be used to revoke this
permission, but use this editor with caution.

For additional information, click the article number below to view the
article in the Microsoft Knowledge Base:
258788 (http://support.microsoft.com/kb/258788/EN-US/) Cannot Change
Password in Windows Without Logging on to Domain
 
Hi,

I checked and the Everyone group already has the access as detailed in
those two MS articles. (Ability to change password on all user and
computer objects). So no luck there.

Since EveryoneIncludesAnonymous is set to 0 (on the domain controllers)
could that be what the problem is? Would I need to give "Anonymous
Logon" the rights to change password to get around the need for setting
EveryoneIncludesAnonymous to 1?

thanks again
 
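As an added diagnostic (not code from this thread), the PowerShell below reads the three LSA values named in the question and the first reply, then lists who holds the User-Change-Password extended right on the domain head and on one user object, which is the permission KB 242795 says Everyone needs. It assumes a domain controller or RSAT host with the ActiveDirectory module; the account name 'testuser' is a placeholder.

```powershell
# Added diagnostic for the settings discussed in this thread; not code from the thread.
# Assumes: ActiveDirectory module available, run on a DC or RSAT host; 'testuser' is a placeholder.
Import-Module ActiveDirectory

# Well-known SIDs the KB articles care about.
$principals = [ordered]@{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-10' = 'Self'
}
# Control access right GUID of the User-Change-Password extended right.
$changePasswordGuid = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'

function Get-LsaAnonymousSettings {
    # RestrictAnonymous / RestrictAnonymousSAM limit anonymous enumeration.
    # EveryoneIncludesAnonymous=0 (the Windows Server 2003 default) keeps Anonymous Logon
    # out of the Everyone token, so an ACE granted to Everyone no longer covers it.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    foreach ($name in 'RestrictAnonymous', 'RestrictAnonymousSAM', 'EveryoneIncludesAnonymous') {
        $value = $lsa.$name
        if ($null -eq $value) { $value = '(not set, default applies)' }
        [pscustomobject]@{ Setting = $name; Value = $value }
    }
}

function Get-ChangePasswordAces {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        # Keep ExtendedRight ACEs whose ObjectType is the Change Password GUID, or whose
        # ObjectType is empty (an ACE that grants every extended right, e.g. Full Control).
        $isExtended = ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        $coversChangePassword = ($ace.ObjectType -eq $changePasswordGuid) -or ($ace.ObjectType -eq [guid]::Empty)
        if (-not ($isExtended -and $coversChangePassword)) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value
        }
        [pscustomobject]@{
            Object    = $DistinguishedName
            Principal = $ace.IdentityReference.Value
            Sid       = $sid
            Type      = $ace.AccessControlType    # Allow or Deny
            Inherited = $ace.IsInherited
            AppliesTo = $ace.InheritedObjectType  # bf967aba-... = inherited to user objects only
        }
    }
}

'--- LSA anonymous-access settings on this host ---'
Get-LsaAnonymousSettings | Format-Table -AutoSize

$domainDn = (Get-ADDomain).DistinguishedName
$userDn   = (Get-ADUser -Identity 'testuser').DistinguishedName   # placeholder account
$aces = @(Get-ChangePasswordAces -DistinguishedName $domainDn) +
        @(Get-ChangePasswordAces -DistinguishedName $userDn)
'--- User-Change-Password ACEs on the domain head and on the user object ---'
$aces | Format-Table -AutoSize

# Effective state on the user object for the three principals. A Deny anywhere wins;
# "MISSING" for Anonymous Logon is expected when EveryoneIncludesAnonymous is 0.
'--- Summary for the user object ---'
foreach ($sid in $principals.Keys) {
    $hits  = $aces | Where-Object { $_.Object -eq $userDn -and $_.Sid -eq $sid }
    $state = if ($hits | Where-Object Type -eq 'Deny')      { 'DENIED' }
             elseif ($hits | Where-Object Type -eq 'Allow') { 'allowed' }
             else                                           { 'MISSING' }
    '{0,-16} {1}' -f $principals[$sid], $state
}
```

Run it on one of the domain controllers that reports the error; the summary line for Anonymous Logon is the one to compare against the KB text quoted above.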
22of3 said:
Hi,

I checked and the Everyone group already has the access as detailed in
those two MS articles. (Ability to change password on all user and
computer objects). So no luck there.

Since EveryoneIncludesAnonymous is set to 0 (on the domain controllers)
could that be what the problem is? Would I need to give "Anonymous
Logon" the rights to change password to get around the need for setting
EveryoneIncludesAnonymous to 1?

That should not be needed with client machines at XP
 
I would not think so for XP SP2 but you certainly can try it. I suggest that
you also post in the Active_directory newsgroup to see if anyone there can
help. The other thing you might try is to enable auditing of directory
access for failure only [even if just temporarily] in Domain Controller
Security Policy and then audit the root domain container and the container
that contains the users for full control [if it does not inherit auditing
from the domain container] for user objects only for everyone, anonymous,
and self to see if anything is then found in the security logs of the domain
controllers next time it happens.

Steve
 
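The auditing Steve describes, carried out in PowerShell as an added example (not code from the thread): enable failure auditing for directory service access, add failure SACL entries for Everyone, Anonymous Logon and Self that apply to user objects under a container, then pull the matching failure events from the Security log. It assumes a Windows Server 2008 or later domain controller with the ActiveDirectory module and auditpol.exe, run with SeSecurityPrivilege; the OU path is a placeholder.

```powershell
# Added example of the audit suggested above; not code from the thread.
# Assumes: DC with ActiveDirectory module and auditpol.exe, run as an admin; OU is a placeholder.
Import-Module ActiveDirectory

$userOu             = 'OU=Users,DC=example,DC=com'                   # placeholder container
$userClassGuid      = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "user"
$changePasswordGuid = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'   # User-Change-Password right
$principals         = 'S-1-1-0', 'S-1-5-7', 'S-1-5-10'               # Everyone, Anonymous Logon, Self

# 1. Failure-only auditing of Directory Service Access. On Windows 2003 this is the
#    "Audit directory service access" setting in Domain Controller Security Policy.
auditpol.exe /set /subcategory:"Directory Service Access" /failure:enable | Out-Null

# 2. SACL on the container: audit any failed access ("full control") by the three
#    principals, inherited to descendant user objects only.
$acl = Get-Acl -Path "AD:\$userOu" -Audit
foreach ($sid in $principals) {
    $rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
        [System.Security.Principal.SecurityIdentifier]$sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AuditFlags]::Failure,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAuditRule($rule)
}
Set-Acl -Path "AD:\$userOu" -AclObject $acl

# 3. After the next failed expired-password change, pull the audit-failure events.
#    4662 is the Windows 2008+ "operation was performed on an object" event (566 on
#    Windows 2003); keyword 0x10000000000000 is Audit Failure.
function Get-FailedChangePasswordAudits {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    $filter = @{ LogName = 'Security'; Id = 4662; Keywords = 0x10000000000000; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $changePasswordGuid.ToString() } |
        Select-Object TimeCreated, Id,
            @{ n = 'Subject'; e = { [regex]::Match($_.Message, 'Account Name:\s+(\S+)').Groups[1].Value } },
            @{ n = 'Object';  e = { [regex]::Match($_.Message, 'Object Name:\s+(.+)').Groups[1].Value.Trim() } }
}

Get-FailedChangePasswordAudits | Format-Table -AutoSize
```

The Subject column is what answers the thread's question: it shows whether the failing change arrives as the user, as Anonymous Logon, or as the client computer account, which decides which principal needs the right.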
Out of curiosity, what is the pwdProperties attribute setting on your
domain head NC?

You can get that with

adfind -default -s base pwdProperties



--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
pwdProperties: 0

I will trawl the event logs on the DC's to see if I can get some more
info on the error and test auditing the events that you have suggested.

cheers
 
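The same check as Joe's adfind query, done in PowerShell and decoded, as an added example that is not part of the thread. It reads pwdProperties from the domain NC head and names each bit; DOMAIN_PASSWORD_NO_ANON_CHANGE is the one that would refuse an unauthenticated change, and the value of 0 reported above means it is clear. It assumes the ActiveDirectory module is available.

```powershell
# Added example, not from the thread: read and decode pwdProperties on the domain NC head
# (what "adfind -default -s base pwdProperties" returns). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Flag values from the SAMR DOMAIN_PASSWORD_INFORMATION PasswordProperties field.
$pwdPropertyFlags = [ordered]@{
    1  = 'DOMAIN_PASSWORD_COMPLEX'
    2  = 'DOMAIN_PASSWORD_NO_ANON_CHANGE'     # refuses password changes from anonymous callers
    4  = 'DOMAIN_PASSWORD_NO_CLEAR_CHANGE'
    8  = 'DOMAIN_LOCKOUT_ADMINS'
    16 = 'DOMAIN_PASSWORD_STORE_CLEARTEXT'
    32 = 'DOMAIN_REFUSE_PASSWORD_CHANGE'
}

function ConvertFrom-PwdProperties {
    param([Parameter(Mandatory)][int]$Value)
    foreach ($bit in $pwdPropertyFlags.Keys) {
        [pscustomobject]@{
            Flag = $pwdPropertyFlags[$bit]
            Bit  = ('0x{0:X2}' -f $bit)
            Set  = (($Value -band $bit) -ne 0)
        }
    }
}

$domainDn = (Get-ADDomain).DistinguishedName
$value = [int](Get-ADObject -Identity $domainDn -Properties pwdProperties).pwdProperties
"pwdProperties on ${domainDn}: $value"
$flags = ConvertFrom-PwdProperties -Value $value
$flags | Format-Table -AutoSize

# The bit that would explain "cannot change an expired password without logging on".
$noAnon = $flags | Where-Object Flag -eq 'DOMAIN_PASSWORD_NO_ANON_CHANGE'
if ($noAnon.Set) {
    'DOMAIN_PASSWORD_NO_ANON_CHANGE is set: unauthenticated (expired-password) changes are refused.'
} else {
    'DOMAIN_PASSWORD_NO_ANON_CHANGE is clear: the domain policy is not what blocks the change.'
}
```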
Well that kills my thought.

I would say you will probably end up breaking down to network traces and
trying to work out exactly what is happening or possibly calling MSFT
and opening a ticket.

--
Joe Richards Microsoft MVP Windows Server Directory Services
 
Thanks for the help. I will continue looking into the problem and will
get MS involved if required. If anything comes up, I will post back.

cheers
 