Change NT 4 Password on 2000 Domain

[william r. riley]

We are needing to add an NT 4 workstation to our domain, which has been
converted to a native-mode domain. We currently only have 2000 and XP Pro
systems on the domain so we have not run into this problem before.

We are able to create the computer account and have it join the domain, but
if we try to have a user chage their password on that system it comes up
with the error, "The password on this account cannot be changed at this
time." We tried to install Active Directory Clien Extensions and adding a
registry hack for NTLMv2 in HKLM\System\CurrentControlSet\Control\LSA, both
of whcih have done nothing for this problem.

Is there a possible solution for this problem? Are a solution that would
allow for a Windows 95 system to change passwords?

Thank you.

 

[Marina Roos]

You'll need to add WINS to your server. Also, add options 044 and 046 (0x8)
to DHCP-server, Scope options.
Make sure that the ipconfig/all from all clients is pointing to your
server-IP.

Marina

 

[william r. riley]

We have a WINS server with options 044 and 046 set correctly and have
verified it on the client systems.
IS there another suggestion or an elaboration to the first that I am
missing?

Bill

 

[Marina Roos]

Hi Bill,

Do you possible have the RestrictAnonymous setting set to 2 on the server?
Put it back to 0 or 1.

Marina

 

[william r. riley]

Afternoon Marina,

Where would I find this value in the registry and what does this setting do?

Bill

 

[Marina Roos]

Hi Bill,

Article 246261 describes this.
You can find the key under
HKEY_Local_Machine/System/Currentcontrolset/Control/LSA

Marina

 

[william r. riley]

Marina,

We have looked up information on this and are not sure how this can help.
Sorry to sound so ignorant, but it doesn't really seem to be the issue. If
we have installed the dsclient.exe on the nt 4 wks in th manner described by
MS, then why isn't it allowing us to change the password? It states in
article
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adextension.asp
that this should be a feature that works.

Is it that we are logging on to a 2000 domain in native mode? If so, are
there any know work arounds?

Bill

 

[Marina Roos]

Hi Bill,

Can you tell me how it is set in the registry? Have you read the article?
When it is set to 2 downlevel workstations or servers are not able to set up
a netlogon secure channel, nt-users are not able to change passwords after
they expire. Macintosh users are not able to change passwords at all.
Browser service is not able to retrieve domain lists or server lists from
backup browsers, masterbrowsers or domain manster browsers.

Marina

 

[william r. riley]

Good afternoon Marina,

Yes we read the article(s) and have it set at the default values of
restrictanonymous 0 and restrictanonymoussam 1. Does this help?

Bill

 

[Marina Roos]

Hi Bill,

Well, have you rebooted the server and tried?

Marina

 

[william r. riley]

Marina,

We've tried that and had no success. Unless there is a miracle out there
that we are unaware of, we are probably going to have to scrap this and not
let the end user have the ability to change their password without IS
intervention. I have heard of this working, NT 4 on a 2000 domain, but am
starting think that it is all an urban legend and more $$$ for Mother
Microsoft.

Bill

 

[Marina Roos]

Hi Bill,

Can you post the ipconfig/all please?

Marina

 

[william r. riley]

Hope this helps.?

Windows NT IP Configuration
Host Name . . . . . . . . . : 6041dv98a103jl9.mcimg.net
DNS Servers . . . . . . . . : 172.16.1.6
Node Type . . . . . . . . . : Hybrid

NetBIOS Scope ID. . . . . . :
IP Routing Enabled. . . . . : No
WINS Proxy Enabled. . . . . : No
NetBIOS Resolution Uses DNS : No

Ethernet adapter El90x1:
Description . . . . . . . . : 3Com EtherLink PCI
Physical Address. . . . . . : 00-50-DA-80-29-B0
DHCP Enabled. . . . . . . . : Yes
IP Address. . . . . . . . . : 172.16.1.80
Subnet Mask . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . : 172.16.1.21
DHCP Server . . . . . . . . : 172.16.1.6
Primary WINS Server . . . . : 172.16.1.6
Lease Obtained. . . . . . . : Tuesday, November 18, 2003 3:59:18 PM
Lease Expires . . . . . . . : Wednesday, November 26, 2003 3:59:18 PM

 

[Marina Roos]

Hi Bill,

The Gateway should point to your server-IP too.

Marina

Hope this helps.?

Windows NT IP Configuration
Host Name . . . . . . . . . : 6041dv98a103jl9.mcimg.net
DNS Servers . . . . . . . . : 172.16.1.6
Node Type . . . . . . . . . : Hybrid

NetBIOS Scope ID. . . . . . :
IP Routing Enabled. . . . . : No
WINS Proxy Enabled. . . . . : No
NetBIOS Resolution Uses DNS : No

Ethernet adapter El90x1:
Description . . . . . . . . : 3Com EtherLink PCI
Physical Address. . . . . . : 00-50-DA-80-29-B0
DHCP Enabled. . . . . . . . : Yes
IP Address. . . . . . . . . : 172.16.1.80
Subnet Mask . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . : 172.16.1.21
DHCP Server . . . . . . . . : 172.16.1.6
Primary WINS Server . . . . : 172.16.1.6
Lease Obtained. . . . . . . : Tuesday, November 18, 2003 3:59:18 PM
Lease Expires . . . . . . . : Wednesday, November 26, 2003 3:59:18 PM

Hi Bill,

Can you post the ipconfig/all please?

Marina

and
not

but

am able
to this
can

http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adexte

does
this

to

2

 

[william r. riley]

Marina:

We tried setting the IP manually, for test purposes, and set the GW to
point to the same address, but still are unable to change the password. We
still receive the same message of teh password cannot be changed at this
time, but can go to a 2000/XP station and change it.

Bill

Hi Bill,

The Gateway should point to your server-IP too.

Marina

Hope this helps.?

Windows NT IP Configuration
Host Name . . . . . . . . . : 6041dv98a103jl9.mcimg.net
DNS Servers . . . . . . . . : 172.16.1.6
Node Type . . . . . . . . . : Hybrid

NetBIOS Scope ID. . . . . . :
IP Routing Enabled. . . . . : No
WINS Proxy Enabled. . . . . : No
NetBIOS Resolution Uses DNS : No

Ethernet adapter El90x1:
Description . . . . . . . . : 3Com EtherLink PCI
Physical Address. . . . . . : 00-50-DA-80-29-B0
DHCP Enabled. . . . . . . . : Yes
IP Address. . . . . . . . . : 172.16.1.80
Subnet Mask . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . : 172.16.1.21
DHCP Server . . . . . . . . : 172.16.1.6
Primary WINS Server . . . . : 172.16.1.6
Lease Obtained. . . . . . . : Tuesday, November 18, 2003 3:59:18 PM
Lease Expires . . . . . . . : Wednesday, November 26, 2003 3:59:18 PM


but

http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adexte

 

[Marina Roos]

Does the server have options 044 and 046 (0x8) in DHCP-server, Scope
options?
Can you give the ipconfig/all from your server please?

Marina

Marina:

We tried setting the IP manually, for test purposes, and set the GW to
point to the same address, but still are unable to change the password. We
still receive the same message of teh password cannot be changed at this
time, but can go to a 2000/XP station and change it.

Bill

Hi Bill,

The Gateway should point to your server-IP too.

Marina

this
and domain,
but values
of not
able

passwords

at be
the

http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adexte

 

[william r. riley]

Yes those options are set in the DHCP scope the node type is hybrid (0x8)
and the WINS is set to 172.16.1.6. Here is the ipconfig:

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : dc1
Primary DNS Suffix . . . . . . . : mcimg.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : mcimg.net

Ethernet adapter TeamNic:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TeamNic
Physical Address. . . . . . . . . : 00-0B-CD-1A-AA-F7
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.1.6
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.1.21
DNS Servers . . . . . . . . . . . : 172.16.1.6
Primary WINS Server . . . . . . . : 172.16.1.6

Does the server have options 044 and 046 (0x8) in DHCP-server, Scope
options?
Can you give the ipconfig/all from your server please?

Marina

Marina:

We tried setting the IP manually, for test purposes, and set the GW to
point to the same address, but still are unable to change the password. We
still receive the same message of teh password cannot be changed at this
time, but can go to a 2000/XP station and change it.

Bill


without
IS read
the passwords

to

be password?
It

http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adexte

 

[Marina Roos]

Hi Bill,

On the NT4, can you change the password if logged in as another user or the
administrator?
Anything in the eventlogs of the NT4 and the server?

Marina

Yes those options are set in the DHCP scope the node type is hybrid (0x8)
and the WINS is set to 172.16.1.6. Here is the ipconfig:

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : dc1
Primary DNS Suffix . . . . . . . : mcimg.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : mcimg.net

Ethernet adapter TeamNic:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TeamNic
Physical Address. . . . . . . . . : 00-0B-CD-1A-AA-F7
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.1.6
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.1.21
DNS Servers . . . . . . . . . . . : 172.16.1.6
Primary WINS Server . . . . . . . : 172.16.1.6

Does the server have options 044 and 046 (0x8) in DHCP-server, Scope
options?
Can you give the ipconfig/all from your server please?

Marina

password.
We

3:59:18

PM miracle
out are
not to

http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adexte

 

[william r. riley]

Marina:

On the workstation you can change the password if you are a logged on as
administrator, it does not show anything in the workstation event logs for
failures. On the server it shows that there was an audit failure, category:
account management, event id: 627.

Bill

Hi Bill,

On the NT4, can you change the password if logged in as another user or the
administrator?
Anything in the eventlogs of the NT4 and the server?

Marina

Yes those options are set in the DHCP scope the node type is hybrid (0x8)
and the WINS is set to 172.16.1.6. Here is the ipconfig:

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : dc1
Primary DNS Suffix . . . . . . . : mcimg.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : mcimg.net

Ethernet adapter TeamNic:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TeamNic
Physical Address. . . . . . . . . : 00-0B-CD-1A-AA-F7
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.1.6
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.1.21
DNS Servers . . . . . . . . . . . : 172.16.1.6
Primary WINS Server . . . . . . . : 172.16.1.6

3:59:18

PM 3:59:18 you
read sure
how seem
to

in

th

http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adexte

 

[Marina Roos]

Hi Bill,

This is really weird. Has the user local logon rights?

Marina

Marina:

On the workstation you can change the password if you are a logged on as
administrator, it does not show anything in the workstation event logs for
failures. On the server it shows that there was an audit failure, category:
account management, event id: 627.

Bill

Hi Bill,

On the NT4, can you change the password if logged in as another user or the
administrator?
Anything in the eventlogs of the NT4 and the server?

Marina

Yes those options are set in the DHCP scope the node type is hybrid (0x8)
and the WINS is set to 172.16.1.6. Here is the ipconfig:

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : dc1
Primary DNS Suffix . . . . . . . : mcimg.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : mcimg.net

Ethernet adapter TeamNic:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TeamNic
Physical Address. . . . . . . . . : 00-0B-CD-1A-AA-F7
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.1.6
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.1.21
DNS Servers . . . . . . . . . . . : 172.16.1.6
Primary WINS Server . . . . . . . : 172.16.1.6


Does the server have options 044 and 046 (0x8) in DHCP-server, Scope
options?
Can you give the ipconfig/all from your server please?

Marina

"william r. riley" <[email protected]> schreef in bericht
Marina:

We tried setting the IP manually, for test purposes, and set the

GW
to

point to the same address, but still are unable to change the password.
We
still receive the same message of teh password cannot be changed

at
this

time, but can go to a 2000/XP station and change it.

Bill


Hi Bill,

The Gateway should point to your server-IP too.

Marina

"william r. riley" <[email protected]> schreef in bericht
Hope this helps.?

Windows NT IP Configuration
Host Name . . . . . . . . . : 6041dv98a103jl9.mcimg.net
DNS Servers . . . . . . . . : 172.16.1.6
Node Type . . . . . . . . . : Hybrid

NetBIOS Scope ID. . . . . . :
IP Routing Enabled. . . . . : No
WINS Proxy Enabled. . . . . : No
NetBIOS Resolution Uses DNS : No

Ethernet adapter El90x1:
Description . . . . . . . . : 3Com EtherLink PCI
Physical Address. . . . . . : 00-50-DA-80-29-B0
DHCP Enabled. . . . . . . . : Yes
IP Address. . . . . . . . . : 172.16.1.80
Subnet Mask . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . : 172.16.1.21
DHCP Server . . . . . . . . : 172.16.1.6
Primary WINS Server . . . . : 172.16.1.6
Lease Obtained. . . . . . . : Tuesday, November 18, 2003

3:59:18