Please Help

[Ray]

Ok this is killing me, Please help. I am running AD on a
windows 2000 server with service pack 4. If a user at
logon gets the message that their password is about to
expire and the "Password Change Notification" message
appears 10 days. then attempts to change their password
after receiving the "Password Change Notification"
message may receive the following error message: You do
not have permission to change your password.
According to Microsoft Knowledge Base Article - 258788
the behavior occurs if the Everyone group has not been
granted the Change Password right on the user object. I
checked and the everyone group does have permission to
change password. This only occurs on XP workstations and
not on the W2K workstations. I have not been able to
find any other information to help with this issue other
then Q258788.

How do I correct this so users can change their password
at logon?

Thanks

 

[pauly [MSFT]]

Hi Ray,

In addition to the cause you've already looked at, another possible cause
is if the Everyone group or Authenticated Users group does not have the
correct permissions to simply gain access to the domain controllers from
the network.

To see if this might be the cause and possibly resolve this issue:

1. Start the Active Directory Users and Computers tool, right-click the
Domain Controllers container, and then click Properties.

2. Click the Group Policies tab, click the Default Domain Controllers
policy, and then click Edit.

3. Expand the following items in the policy:

Computer Configuration
Windows Settings
Security Settings
Local Policies
User Rights Assignment

4. Double-click "Access this computer from the network", click Add, click
Browse, and then add Everyone and Authenticated Users.

5. Click OK in each dialog box or window to quit the policy editor. Close
the domain controller properties, and then quit Active Directory Users and
Computers.

6. At a command prompt, type "secedit /refreshpolicy machine_policy
/enforce" (without the quotation marks), and then press ENTER.

=========

This posting is provided "AS IS" with no warranties, and confers no rights.

Windows XP Security Homepage:
http://www.microsoft.com/windowsxp/security/default.asp

Windows 2000 Security Homepage:
http://www.microsoft.com/windows2000/security/default.asp

Top 10 Windows Newsgroups Security Questions:
http://www.microsoft.com/technet/newsgroups/default.asp?url=/technet/newsgro
ups/nodepages/sectop10.asp

=========
Paul Hayes, MCSE
Product Support Services
Microsoft Corporation
(e-mail address removed)

--------------------
| From: "Ray" <[email protected]>
| Subject: Please Help
| Date: Fri, 30 Jan 2004 06:53:14 -0800
|
| Ok this is killing me, Please help. I am running AD on a
| windows 2000 server with service pack 4. If a user at
| logon gets the message that their password is about to
| expire and the "Password Change Notification" message
| appears 10 days. then attempts to change their password
| after receiving the "Password Change Notification"
| message may receive the following error message: You do
| not have permission to change your password.
| According to Microsoft Knowledge Base Article - 258788
| the behavior occurs if the Everyone group has not been
| granted the Change Password right on the user object. I
| checked and the everyone group does have permission to
| change password. This only occurs on XP workstations and
| not on the W2K workstations. I have not been able to
| find any other information to help with this issue other
| then Q258788.
|
| How do I correct this so users can change their password
| at logon?
|
| Thanks
|
|

 

[ckockx]

Ray,

Did you ever figure this one out. I'm having the EXACT same problem.
It's killing me!

Curt

*Hi Ray,

In addition to the cause you've already looked at, another possibl
cause
is if the Everyone group or Authenticated Users group does not hav
the
correct permissions to simply gain access to the domain controller
from
the network.

To see if this might be the cause and possibly resolve this issue:

1. Start the Active Directory Users and Computers tool, right-clic
the
Domain Controllers container, and then click Properties.

2. Click the Group Policies tab, click the Default Domai
Controllers
policy, and then click Edit.

3. Expand the following items in the policy:

Computer Configuration
Windows Settings
Security Settings
Local Policies
User Rights Assignment

4. Double-click "Access this computer from the network", click Add
click
Browse, and then add Everyone and Authenticated Users.

5. Click OK in each dialog box or window to quit the policy editor
Close
the domain controller properties, and then quit Active Director
Users and
Computers.

6. At a command prompt, type "secedit /refreshpolicy machine_policy
/enforce" (without the quotation marks), and then press ENTER.

=========

This posting is provided "AS IS" with no warranties, and confers n
rights.

Windows XP Security Homepage:
http://www.microsoft.com/windowsxp/security/default.asp

Windows 2000 Security Homepage:
http://www.microsoft.com/windows2000/security/default.asp

Top 10 Windows Newsgroups Security Questions:
http://tinyurl.com/2njc6
ups/nodepages/sectop10.asp

=========
Paul Hayes, MCSE
Product Support Services
Microsoft Corporation
(e-mail address removed)

--------------------
| From: "Ray" <[email protected]>
| Subject: Please Help
| Date: Fri, 30 Jan 2004 06:53:14 -0800
|
| Ok this is killing me, Please help. I am running AD on a
| windows 2000 server with service pack 4. If a user at
| logon gets the message that their password is about to
| expire and the "Password Change Notification" message
| appears 10 days. then attempts to change their password
| after receiving the "Password Change Notification"
| message may receive the following error message: You do
| not have permission to change your password.
| According to Microsoft Knowledge Base Article - 258788
| the behavior occurs if the Everyone group has not been
| granted the Change Password right on the user object. I
| checked and the everyone group does have permission to
| change password. This only occurs on XP workstations and
| not on the W2K workstations. I have not been able to
| find any other information to help with this issue other
| then Q258788.
|
| How do I correct this so users can change their password
| at logon?
|
| Thanks
|
|

-
ckock