Unable to change passwords - Windows 2003 Domain

Jay

For some reason, we are running into issues changing passwords in our
domain. Regular users are able to with no issues; however, only users in
the IT department are unable. We are in a separate OU but moving me
out of the OU to the regular users OU does nothing.

I did a gpresult and it does show me processing the domain local
policy. I also am unable to change it while logging in or logged in
using the CTRL ALT DEL. It comes back with access is denied. This
happens on both 2000 and XP workstations. I do not see any DENY
permissions set for our group and I am an enterprise admin so I have
rights to all.

Does anyone have any ideas on this? I'm kind of at a loss.

Thanks.
 
Jay

I copied my user account with all permissions and this user has no
issues in the same OU as well. I'm kind of at a loss why everyone is
unable to except new accounts. We only do group based permission so I
know it can't be every person set.
 
Steven L Umbach

It sounds like you can not change your password on a domain computer that
another domain user can change their password?? The first thing I would
check is that your user accounts in Active Directory in properties do not
have "can not change password" selected. If that does not help make sure
auditing of account management is enabled in Domain Controller Security
Policy and then check for account management events for your account name
when the problem occurs to see if there is any explanation of why the
failure occurred. You might also try creating a test user that is just a
normal domain user and then verify that he can change his password. Then add
that test user to the same groups as your account is a member of, make
sure you logoff that test user, logon again and now see if that test user
can change his password. On an XP Pro computer you are logged onto run
rsop.msc and check for any Group Policy user configuration settings that may
be causing the problem. Offhand I can't think of one but there may be
something. --- Steve
 
Jay

Regular users are able to change their passwords at any time. The
account I duplicated of mine using copy had the exact same groups and
worked. There are no options set to not allow to change passwords
either. I am going to try what you stated as create a user account to
use and see what happens. I'll also enable auditing and see on every
domain controller.

Thanks
 
Jay

Found out the issue. Apparently for some reason user accounts weren't
inheriting security settings from the OU container. Therefore, the
SELF account was not in the list. What's odd is you would think a
Domain Admin would be allowed but apparently without SELF, you are not.
Once I set the settings to use default and have inherit checked, it
began to work.
 
Steven L Umbach

Good job tracking that down and thanks for reporting back what you found.
However FYI when users are added to a privileged group such as domain
administrators the inheritance flag is removed from their user account so
that is normal and explained more in the link below. It may not happen right
away but usually within an hour. So it is hard to say exactly what happened
in your case but hopefully it is resolved. As you mention one would think
that since domain admins have change password permission to the user account
that self would not be needed for a user in the domain admins group but
apparently that is not the case. --- Steve

http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx
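
An audit for the condition found in this thread, as an added example that is not part of the original posts: it lists user accounts whose ACL has no allow entry (or has a deny entry) for SELF on the Change Password right, and shows whether inheritance is blocked and whether adminCount is set. It assumes the ActiveDirectory PowerShell module and a domain controller reachable over AD Web Services; the search base and the `Test-ChangePasswordAce` helper are hypothetical names.

```powershell
# Added example. Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

# rightsGuid of the "Change Password" control access right.
$ChangePassword = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
$SelfSid        = 'S-1-5-10'   # NT AUTHORITY\SELF
$ExtendedRight  = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
# Hypothetical search base; point it at the OU that holds the affected accounts.
$SearchBase     = 'OU=IT,DC=example,DC=com'

function Test-ChangePasswordAce {
    param($Rules, [string]$Sid, [string]$Type)
    # True if an ACE of the given type (Allow or Deny) for $Sid covers Change
    # Password, either by naming the right or by covering all extended rights
    # (empty ObjectType, as in a Full Control entry).
    [bool]($Rules | Where-Object {
        $_.IdentityReference.Value -eq $Sid -and
        $_.AccessControlType -eq $Type -and
        (([int]$_.ActiveDirectoryRights -band $ExtendedRight) -ne 0) -and
        ($_.ObjectType -eq $ChangePassword -or $_.ObjectType -eq [guid]::Empty)
    })
}

Get-ADUser -SearchBase $SearchBase -Filter * -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        $sd    = $_.nTSecurityDescriptor
        # Explicit and inherited ACEs, with trustees returned as SIDs.
        $rules = $sd.GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier])
        [pscustomobject]@{
            Account            = $_.SamAccountName
            AdminCount         = $_.adminCount
            InheritanceBlocked = $sd.AreAccessRulesProtected
            SelfAllow          = Test-ChangePasswordAce $rules $SelfSid 'Allow'
            SelfDeny           = Test-ChangePasswordAce $rules $SelfSid 'Deny'
        }
    } |
    # Keep only accounts where SELF cannot change its own password.
    Where-Object { -not $_.SelfAllow -or $_.SelfDeny } |
    Sort-Object Account
```

An account listed with `InheritanceBlocked` true and `AdminCount` 1 matches the protected-group behaviour Steve describes; one listed with inheritance blocked and no adminCount had its inheritance removed some other way.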
 
