forced cross domain password change....

P

phatso454

hi all,

we are running 2 Win2003 native mode domains with a 2 way trust. we
have recently forced a number of users to change their password ("User
must change password at next logon").


problems:


1) some users have computers in a different domain than the one they
logon to. when logging in they are prompted to change their password,
but then get "You do not have permission to change your password". i
read that this may be related to the fact the change password command
is actually intiated by the local computer (to the domain controller)
not the actual user credentials. any ideas on how to make this work?


2) we would like to allow remote users to change their password with
the IIS change password function (iisadmpwd). however, this does NOT
work if the parameter "User must change password at next logon" is
invoked. that is a bummer.


i have done some research and Googled around, but haven't found any
documentation that specifically addresses these issues.
any ideas on how i can smooth these issues out? any help would be
greatly appreciated.


best,
putt
 
H

Herb Martin

hi all,

we are running 2 Win2003 native mode domains with a 2 way trust. we
have recently forced a number of users to change their password ("User
must change password at next logon").


problems:


1) some users have computers in a different domain than the one they
logon to. when logging in they are prompted to change their password,
but then get "You do not have permission to change your password". i
read that this may be related to the fact the change password command
is actually intiated by the local computer (to the domain controller)
not the actual user credentials. any ideas on how to make this work?
Click to expand...

Having lived in environments where user accounts were
in one domain and computers in another many times (and
for many years) I have NEVER seen this happen.

My first guess would be your users are NOT actually
authenticated properly (likely due to some DNS problem).

Other than that I would like to see your reference for where
you "read this may be...."

What was the source of that info and what was the full
explanation there?
2) we would like to allow remote users to change their password with
the IIS change password function (iisadmpwd). however, this does NOT
work if the parameter "User must change password at next logon" is
invoked. that is a bummer.
Click to expand...

My comments above were in reference to a user LOGGING
on to a computer (Cntl-Alt-Del) and not to using IIS where
they are merely AUTHENTICATING (not actually logging
onto the computer.)

i have done some research and Googled around, but haven't found any
documentation that specifically addresses these issues.
any ideas on how i can smooth these issues out? any help would be
greatly appreciated.
Click to expand...

My first thoughts would include running DCDiag on every DC,
and NetDiag on affectied clients machines, capturing the output,
and searching for FAIL, WARN, or IGNORE (fix those problems.)
 
C

Cary Shultz

Putt,

I am with Herb on this...it should not matter that the user account objects
are in one Domain and the computer account objects are in another...
 
G

Guest

Have you checked the rights that SELF has to the user objects?

It should have (at least) Read and Change Password.

neil
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Force password on next login causes errors 2
password change prompt 3
Changing password NT Domain 2
set password expiry to a few weeks. 3
Security Settings for Password Policy and User properties 6
Windows 98 clients failing to logon to Windows 2000 domain 3
Sync Local Cached Domain Password with new Domain Password 0
Vista machine cannot change domain password 1

Top