User get access denied error when prompted to change password adte Reset

[Mike Robertson]

When a User request a password reset the user receives
a "You do not have access to change your password" error.
I've pruned through all my access, security and Group
policies and cannot pinpoint what's overiding the "User
must change password at next logon" policy.
I am using a temporary workaround but it time consuming.
When the user send a password reset request I change the
password and get the user on the phone. I tell them what
the password is reset to and then have them log in then
do a Ctl+Alt+Del and click the change password button and
choose a new password. This as I say though is very time
consuming. Can you help me resolve this problem

 

[Steven L Umbach]

Check their user account properties to make sure they are not restricted
from changing passwords. If you enable auditing of account management in the
Domain Controller Security Policy, you may find useful info in the security
log for failed events for account management. If these are XP Pro computers
having this problem, make sure that the domain controllers do NOT have the
security option set for "additional restrictions for anonymous access" set
to no access without explicit anonymous permissions as there effective
setting. You can look under Local Security Policy/security settings/local
policies/security options to view the setting and also check the registry
setting. See the KB link below for that.

http://support.microsoft.com/?kbid=246261

Depending on your domain makeup make sure that the pdc fsmo domain
controller is operational and look in the Event Viewer of it for any
problems. It is also possible that the everyone group does not have proper
permissions to Active Directory user objects. See the link below on how to
check that. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;258788

Try to think if their has been a configuration change around the time this
started happening such as importing a security template or modifying
security policy on domain controllers or domain computers as that may be
related. --- Steve

 

[Mike Robertson]

Thanks Steve, You had it bang on. In a recent audit
finding it was recommended that all anonymous access
privileges should be tightened. Unfortunately "Additional
restrictions for anonymous access" was changed to "no
access without explicit anonymous permission". Once I
changed that and force a policy refresh the problem was
fixed.
Thanks so much for your kind and expeditious assistance.

 

[Steven L Umbach]

OK. Glad it worked and thanks for reporting back. FYI and for others the
paste below is from the Windows 2000 Security hardening guide and explains
some of the ramifications of modifying " additional restrictions for
anonymous connections" . Note that there is a hotfix called 328817 for the
can not change password issue. --- Steve


Set Additional Restrictions for Anonymous Connections

Security Objective: Disable ability of anonymous users to enumerate SAM
accounts and shares.

Recommendations:

. Domain and stand-alone servers - set this to "Do not allow
enumeration of SAM accounts and shares." This setting is equivalent to
RestrictAnonymous set to 1 and frequently, the setting is referred to this
way.

. Laptops and workstations - set this to "No access without explicit
anonymous permissions" (RestrictAnonymous = 2).


Note: The "No access without explicit anonymous permissions" option has the
potential to cause connectivity problems in many environments. Hence, we do
not recommend this setting for systems that need to accept inbound
connections generally. However, because of its great security value, we
encourage testing it thoroughly to evaluate whether it can be used in your
particular environment. Currently, several major incompatibilities with this
setting are known:

1.
When set to "No access without explicit anonymous permissions" on
Exchange 2000 servers, clients will be unable to look up addresses in the
Global Address Book. This issue was fixed in Windows 2000 Service Pack 3.

2.
When set to "Do not allow enumeration of SAM accounts and shares" on a
Windows 2000 domain controller, users on Windows XP, NT, and Macintosh
clients will be unable to change their domain password at logon. A fix for
Windows XP can be obtained from PSS by asking for hotfix 328817. No fix is
available for Windows NT and Macintosh clients.

3.
Down-level clients (Windows 9x and earlier) will be unable to
authenticate to the domain if this is set.

4.
Users on trusting NT 4 domains will be unable to list users from the
trusted Windows 2000 domain.

5.
The Browser Service does not function reliably.

6.
Inter-forest communication will not function correctly.


For more information, please see Microsoft Knowledge Base 246261

Note: On a bastion host system, we recommend seriously considering
configuring this to "No access without explicit anonymous permissions