Can't change password on Windows 2000 domain

Shane

I have a problem that I am having difficulty getting solved. Some of
my users' passwords are coming to their expiration date. When they try
to change it they get an error:

"The password on this account can not be changed at this time"

I have checked in Active Directory that the selection "user cannot
change password" was unchecked. I have not seen any setting in the
group policy. Also, I have checked that the "Additional restrictions
for anonymous connections" was disabled in the Domain Security Policy.
Any ideas?
 
Steven L Umbach

If you are having a problem with XP machines, then the additional restrictions for
anonymous connections should not be set to no access without explicit anonymous
permissions in the "Domain Controller" Security policy. --- Steve
 
Shane

The Additional restrictions for anonymous connections is set to: Not
defined.
I am having trouble with Windows 2000 SP4 and XP SP1 machines. Both
types of host will have the same error message:
"The password on this account can not be changed at this time"
I have to go into Active Dir and change each user's password for them.
Not very convenient.
-Shane
 
Steven L Umbach

I would run the Security Configuration and Analysis tool on one of the domain
controllers against the setup security.inf template to verify that. Sometimes things
are not what they seem in security policy. Is the problem with all W2K SP4 machines?
Are there any W2K machines not having this problem? If so I would make sure that the
effective security options are identical on the SP4 machines with the non problem W2K
machines. If there are machines that function fine can a user who can not change
their password on one of the problem machines change their password on a machine not
having problems? See link below about an issue with SP4 that may be of interest. ---
Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;827664
http://support.microsoft.com/default.aspx?kbid=318711
 
Shane

Steve,
Thank you very much for your help. I ran the Security Configuration and
Analysis tool and only found three errors. They each had nothing to do
with passwords. One was about the paging file. I read over some of
your links. I may have missed something. Which is definitely true or I
would not have this problem, but I did not read anything in those
reports that was a solution so far.

I am not aware of any computers in my network that are able to change
their password when prompted to if they are told it will expire or
if they try by using Ctrl+Alt+Del. If I have their account set to
"User must change password at next logon" it works just fine.

I have two OUs, one is Users and one is Admin, under my domain in Active
Directory. For the Admin I have it set to not inherit domain policy.
Users from both OUs cannot change password on their own.

Please let me know if there are any other ideas!!

-Shane
 
Steven Umbach

Hi Shane.
See the KB link about the everyone group needing the change password permission
in Active Directory. Also if you have changed any permissions on your Active
Directory objects, that could be causing the problem. For instance I believe
that the authenticated users group needs read permissions on the domain
container and domain controller container in order to change passwords. The
authenticated users group has those permissions by default. Also keep in mind
that for domain accounts, password/account policy can only be configured at the
domain level and block inheritance will block those settings. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;258788
http://support.microsoft.com/default.aspx?scid=kb;EN-US;258788
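
One way to check the permission this reply refers to is to list the access control entries on an affected user object that name the Change Password extended right. This is an added example, not part of the thread; the distinguished name is a placeholder, the function names are hypothetical, and the SELF check is included on the assumption that the default user ACL grants the right to both Everyone and SELF.

```powershell
# GUID of the "Change Password" (User-Change-Password) extended right.
$ChangePasswordRight = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
# Well-known SIDs, compared as SIDs so the check works on localized systems.
$WellKnown = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-10' = 'SELF' }

function Get-ChangePasswordAce {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)

    $entry = [ADSI]"LDAP://$DistinguishedName"
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        # Only ACEs that name this right explicitly are listed; broader
        # grants such as Full Control are outside this check.
        if ($rule.ObjectType -eq $ChangePasswordRight) {
            [pscustomobject]@{
                Sid       = $rule.IdentityReference.Value
                Type      = $rule.AccessControlType
                Inherited = $rule.IsInherited
            }
        }
    }
}

function Test-ChangePasswordAcl {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)

    $aces = @(Get-ChangePasswordAce -DistinguishedName $DistinguishedName)
    foreach ($sid in $WellKnown.Keys) {
        $mine  = @($aces | Where-Object { $_.Sid -eq $sid })
        $allow = @($mine | Where-Object { $_.Type -eq 'Allow' }).Count -gt 0
        $deny  = @($mine | Where-Object { $_.Type -eq 'Deny' }).Count -gt 0

        # A Deny ACE wins over an Allow ACE for the same right; it is also
        # what the "User cannot change password" checkbox writes.
        $status = 'No explicit ACE'
        if ($allow) { $status = 'Allowed' }
        if ($deny)  { $status = 'Denied' }

        [pscustomobject]@{ Trustee = $WellKnown[$sid]; ChangePassword = $status }
    }
}

# Placeholder DN (assumption): replace with an affected account.
Test-ChangePasswordAcl -DistinguishedName 'CN=Test User,OU=Users,DC=example,DC=com'
```

Running it against one affected account and one freshly created account shows whether the ACL differs from the default.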
 
Steven L Umbach

Oops, correction. Block inheritance will NOT block those settings for domain
password policy. --- Steve
 
Shane

Steve,
Thanks, I have tried resetting the permissions but to no avail. I
reset the notification time to 1 day instead of 14. If a user's
password totally expires it will allow them to change it.

I am running out of time to keep troubleshooting this situation. I am
planning to move to 2003 server soon and will set up Active Dir again
then. I was not the one to set up our current server and have found
several other problems.
Thank you for your time.
 
IBTerry [MSFT]

This sounds like something for which you would need a network trace to see
what is really causing the problem. Get a trace before/during the "The password
on this account can not be changed at this time" error.

You could also enable netlogon logging, but I bet the request is not making
it to the DC.
109626 Enabling Debug Logging for the Net Logon Service
http://support.microsoft.com/?id=109626

Do you only have one DC?

IBTerry [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
 
