XP clients can't change password

floyd

When prompted by the Win2k DC to change their domain
password, the user receives the message "You do not have
permission to change your password." That same user can
then go to a Win2k Workstation and successfully change
his password.

The XP Pro client is using the DC for DNS.
The client security events are "529 Unknown user name or
bad password" followed by "535 The specified account has
expired."

The DC Security Log shows "676 Authentication Ticket
Request Failed"

I have been searching the Local Security Policy for
differences between XP and Win2k but nothing obvious
stands out.
 
Steven L Umbach

Hi Floyd. There are some known issues with W2K and XP. First, on your Domain
Controller Security Policy make sure the security option for "additional restrictions
for anonymous connections" is not set to no access without explicit anonymous
permissions. You may also need to disable the four options for digitally sign
client/server communications if that does not help until problem is resolved.
Sometimes there are even problems with Kerberos using UDP. Try running netdiag on one
of those XP computers. --- Steve

http://support.microsoft.com/default.aspx?scid=KB;en-us;q265706&gssnb=1
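
As an added example (not part of the thread or any poster's code): a Python check that reads a security-template export of the DC policy and reports which of the options Steve lists are at their restrictive values. The registry value names are the standard ones behind those options; the sample template text and the function names are constructed for illustration.

```python
import re

# Registry values behind the options named in the reply (paths compared lowercased).
RESTRICT_ANON = r"machine\system\currentcontrolset\control\lsa\restrictanonymous"
SERVICES = r"machine\system\currentcontrolset\services"
SIGNING = ["\\".join((SERVICES, svc, "parameters", val))
           for svc in ("lanmanserver", "lanmanworkstation")
           for val in ("enablesecuritysignature", "requiresecuritysignature")]

# Constructed sample of a security-template (.inf) export; not from the thread.
SAMPLE = r"""[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
[Version]
signature="$CHICAGO$"
"""

def parse_registry_values(inf_text):
    """Return {lowercased key path: value} from the [Registry Values] section."""
    values, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "registry values" and "=" in line:
            key, _, data = line.partition("=")
            _type, _, value = data.partition(",")  # "<type>,<value>"; type 4 is REG_DWORD
            values[key.strip().lower()] = value.strip().strip('"')
    return values

def audit(inf_text):
    """List the settings from the reply that are at their restrictive value."""
    vals = parse_registry_values(inf_text)
    findings = []
    # 2 = "No access without explicit anonymous permissions" on Windows 2000
    if vals.get(RESTRICT_ANON) == "2":
        findings.append("restrictanonymous=2")
    for key in SIGNING:
        if vals.get(key) == "1":
            parts = key.split("\\")
            findings.append(f"{parts[-3]}\\{parts[-1]}=1")
    return findings
```
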
 
floyd

Steve,

The restrict anonymous setting did the trick. It's
strange that the MS Baseline security analyser recommends
the most restrictive setting. What am I saying.

Thanks much, man.

-floyd
 
Steven L Umbach

Great Floyd. It is a mystery to me that the next generation desktop operating system
would need a "downlevel" security setting. You may also want to check out the
Windows 2000 Security Hardening Guide. It is recent and a free download that lists
specific security setting recommendations based on network configuration and
needs. --- Steve

http://security.ziffdavis.com/article2/0,3973,1043101,00.asp
 
Juser

Scenario: AD domain, Win2003 Server dc, xp client can not change
password due to policy restrictions, even though there are none
defined.

Same box joins AD Domain with Win2000 Server dc, xp client can change
password.

On the 2003 dc, user password is reset and flagged "user must change
password at next logon", then when client logs onto his XP box, he is
prompted to change pw and it is successful, for that time only.
(Even logging in as domain admin on the xp box, can't change own
password while in the 2003 AD domain)

What gives?? Why can't XP clients change their passwords at will in a
2003 Active Directory domain?
 
JustaUser

Never mind, figured it out.
 
