Security Event 676, Failure Code 17

Paul

We are running Windows 2000 servers and XP on the
desktops. About 1 month ago, we applied a half dozen
security updates. Now, when users get notified that they
need to change their passwords they receive a
message "You do not have permission to change your
password." and an event ID 676 is logged on the PDC with
a failure code of 17. The local domain controller doesn't
seem to see the password change attempt at all.

If the user is being prompted to change their password
because it is getting near expiration, they can cancel
the password change, log in with their own password, and
then change it using Ctrl-Alt-Delete... Change Password.

Has anybody seen this? Your help is very much appreciated.

Paul
 
Steven L Umbach

Two issues come to mind. The first is to make sure that the effective setting
for additional restrictions for anonymous access is not set to "no access
without explicit anonymous permissions" on the domain controllers in
effective settings in Local Security Policy under security options - first
option in the list. If you need to change that setting it is best to do it
in Domain Controller Security Policy. The other issue is that the Everyone
group does not have permission to change password on the user object as
described in KB link below. When a user changes their password before
logging on, they connect to the domain controller as "anonymous" but once
they log on they connect as the user. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;258788
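
The second check described in the reply above can be run against a user object's security descriptor exported as an SDDL string. This is an added example, not part of the original thread: it reports whether Everyone holds the Change Password extended right. The GUID is the schema's well-known identifier for that right (not given in the thread), and the sample descriptors are constructed.

```python
import re

# Schema GUID of the "Change Password" extended right (User-Change-Password).
# Well-known value, not taken from the thread.
CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b"
EVERYONE = {"WD", "S-1-1-0"}  # SDDL alias and SID string for Everyone

def pairs(s):
    """Split SDDL two-letter tokens, e.g. 'CIIO' -> {'CI', 'IO'}."""
    return {s[i:i + 2] for i in range(0, len(s), 2)}

def dacl_aces(sddl):
    """Yield (type, flags, rights, object_guid, trustee) per DACL ACE."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        f = body.split(";")
        if len(f) >= 6:
            yield f[0], f[1], f[2], f[3].lower(), f[5]

def grants_control_access(rights):
    """True if the rights field includes CR (control access, bit 0x100)."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & 0x100)
    return "CR" in pairs(rights)

def everyone_change_password(sddl):
    """Return 'allowed', 'denied' or 'missing' for Everyone on this object."""
    verdict = "missing"
    for ace_type, flags, rights, guid, trustee in dacl_aces(sddl):
        if trustee not in EVERYONE or "IO" in pairs(flags):
            continue  # other trustee, or inherit-only (not effective here)
        if not grants_control_access(rights) or guid not in ("", CHANGE_PASSWORD):
            continue  # different right or different extended-right GUID
        if ace_type in ("D", "OD"):
            return "denied"  # deny reported first (simplified: ignores ACE order)
        if ace_type in ("A", "OA"):
            verdict = "allowed"
    return verdict

# Constructed sample descriptors (not from a real directory).
G = CHANGE_PASSWORD
DEFAULT = f"O:DAG:DAD:AI(OA;;CR;{G};;WD)(OA;;CR;{G};;PS)(A;;RPWPCR;;;DA)"
STRIPPED = f"O:DAG:DAD:PAI(OA;;CR;{G};;PS)(OA;CIIO;CR;{G.upper()};;WD)"
BLOCKED = f"O:DAG:DAD:AI(OD;;CR;{G};;WD)(OA;;CR;{G};;WD)"

if __name__ == "__main__":
    for name, sd in [("default", DEFAULT), ("stripped", STRIPPED), ("blocked", BLOCKED)]:
        print(name, everyone_change_password(sd))
```

A result of `missing` or `denied` on affected accounts matches the condition the reply describes, where the pre-logon change arrives without the user's own identity.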
 
Guest

Thanks for your suggestions, Steve.

It doesn't look like the first scenario applies; the
Local and Domain Controller security policies have
the "Additional restrictions..." set to "Not Defined".

I'm looking into the second one, however. The Everyone
group is not on the security tab for any of these
containers, but that hasn't changed so I don't know why
it broke. Maybe something in one of the security updates
flipped the switch since it started happening right after
applying several updates. In any case, I'm going to try
adding the Everyone group with Change Password
permissions on the User Objects to one container and see
what we get.

Thanks again,
Paul
 