You do not have permission to change your password

Mike

I am running Windows 2000 SBS and I want to use this
option:

User must change password at next login.

This works perfectly on all the Windows 2000 Machines but
not on Windows XP Machines.

On Windows XP Machine I get:

You do not have permission to change your password.

I did everything that Microsoft wanted me to do on
Article 258788:

http://support.microsoft.com/default.aspx?scid=kb;en-us;258788&Product=win2000

Still Windows XP Machines cannot make this change prior
to log-in to the Domain.

Some notes about my environment:

Server:
SBS 2000 + SP 4 + all Microsoft Updates.
Exchange 2000 + SP 3

Stations:
Windows 2000 + SP 4 + all Microsoft Updates
Windows XP + SP 1a + all Microsoft Updates

Thanks,

Mike
 
Check your domain controller security policy for the security option "additional
restrictions for anonymous connections" to make sure it is not set to no access
without explicit anonymous permissions which has been known to cause this problem
with XP clients. Reboot the domain controller if changing that setting. ---
Steve
 
This option is not defined.
 
Mike,

What is the setting in
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous
? This is the same setting that Steve was talking about but may have not
been set via policy....


This posting is provided "AS IS" with no warranties, and confers no rights.
 
No 2 is the most restrictive setting, you would want to set it to 1. Sorry,
I should have been more specific in my original post. Try checking the Local
Security Policy for that setting - additional restrictions for anonymous
connections which is where it probably is defined and back it off to the 1
setting which would be do not allow enumeration of SAM accounts and shares
and then use secedit /refreshpolicy machine_policy /enforce or better yet
reboot if it will not cause too much of a disruption. --- Steve
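
Added example, not part of the thread or anyone's post: a small Python check that reads a security template and reports what RestrictAnonymous is set to, including the "not defined" case Mike hit. It assumes the policy was exported to an INF template with secedit /export; the sample templates, the function names and the description of value 0 are constructed for illustration.

```python
# Constructed sample templates (not from the thread), in the INF layout secedit exports.
# A real export is UTF-16: read it with open(path, encoding="utf-16").
SAMPLE_DC = r"""[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
[Version]
signature="$CHICAGO$"
"""
SAMPLE_UNDEFINED = r"""[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
"""

KEY = r"machine\system\currentcontrolset\control\lsa\restrictanonymous"
MEANING = {
    0: "none (rely on default permissions)",
    1: "do not allow enumeration of SAM accounts and shares",
    2: "no access without explicit anonymous permissions",
}

def restrict_anonymous(template_text):
    """Return RestrictAnonymous as an int, or None if the template leaves it undefined."""
    section = None
    for raw in template_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()          # track the current INF section
        elif section == "registry values" and "=" in line:
            name, _, data = line.partition("=")
            if name.strip().lower() == KEY:       # registry paths are case-insensitive
                reg_type, _, value = data.partition(",")
                if reg_type.strip() != "4":       # 4 = REG_DWORD in template syntax
                    raise ValueError("unexpected registry type: " + reg_type)
                return int(value.strip())
    return None

def assess(template_text):
    """Return (value, note) describing the setting found in the template."""
    value = restrict_anonymous(template_text)
    if value is None:
        return (None, "not defined here; check the other policy level and the registry value")
    note = MEANING.get(value, "unrecognised value")
    if value == 2:
        note += "; the setting this thread ties to the XP password-change error"
    return (value, note)

if __name__ == "__main__":
    for name, text in (("dc", SAMPLE_DC), ("undefined", SAMPLE_UNDEFINED)):
        print(name, assess(text))
```
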
 
Perfect Steve. Worked.
thanks so much for your time.

mike