Users cannot change password

Guest

Hi,

when a user logs on and gets the "password expired" notification, he cannot
change password, because "You do not have permission to change your password".

Just as described in KB 258788. Problem: the solution described there does
not work for us - problem still occurs.

Setting the "password never expires" switch and then telling the user to change
the PW works - but this can be just a workaround.

Eventlog says "failed to get kerberos ticket".

Any hints?


Regards
Martin
 
Guest

For a user to change the pwd pre-logon, you have to allow anonymous
connections. Since MBSA marked it as critical, I deactivated anonymous logon.
This also explains why changing pwd after logon worked - that connection is
not anonymous.

Martin
 
Hank Arnold

Could you provide some more details on where you made changes and what they
were? TIA.
 
Guest

Sure.

Default Domain Policy, Computer Configuration, Windows Settings, Security
Settings, Local Policies, Security Options

The very first setting "Additional restrictions for anonymous connections"
has to be set to "None. Rely on default permissions".

I had it set to "No access without explicit anonymous permissions" first,
which caused the problem in the beginning.


-Martin
 
Barry

Martin Westphal said:
Hi,

when a user logs on and gets the "password expired" notification, he cannot
change password, because "You do not have permission to change your password".

Just as described in KB 258788. Problem: the solution described there does
not work for us - problem still occurs.

Setting the "password never expires" switch and then telling the user to change
the PW works - but this can be just a workaround.

Eventlog says "failed to get kerberos ticket".

Any hints?


Regards
Martin


I had something similar. It revolves around the "everyone" group not having
permission to change password on the user account. In AD, go to the users
that are having the trouble, go to "Security", and then advanced. I just hit
the "default" button and apply it.

I've not been configuring security on the user accounts; if you have, you may
need to adjust accordingly! Add everyone and "change password".
 
Ace Fekay [MVP]

Martin Westphal said:
Sure.

Default Domain Policy, Computer Configuration, Windows Settings,
Security Settings, Local Policies, Security Options

The very first setting "Additional restrictions for anonymous
connections" has to be set to "None. Rely on default permissions".

I had it set to "No access without explicit anonymous permissions"
first, which caused the problem in the beginning.


-Martin

There are many beneficial aspects to the MBSA, however, any changes
suggested must be tested out, and may not be the complete answer to lock
down your infrastructure without other consequences to your productivity and
functionality. If you feel these recommended lockdown settings are a
hindrance, you may want to set it back to default. There are always
compromises to achieve one aspect, but it adversely affects another.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply
unless that website posts replies back to the original Microsoft forum.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit or ensure the web community
posts it back to the original forum.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations.
=================================
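
A read-only check of the two things this thread points at, as an added example that is not part of any post: the registry value behind "Additional restrictions for anonymous connections" and the "Change Password" entries for Everyone and SELF on a user object. It assumes a domain-joined machine with PowerShell 3 or later; the function names and the account name `jdoe` are hypothetical.

```powershell
# Added example, not from the thread. Read-only; 'jdoe' is a hypothetical account name.

# Registry value behind "Additional restrictions for anonymous connections".
$AnonLabels = @{
    0 = 'None. Rely on default permissions'
    1 = 'Do not allow enumeration of SAM accounts and shares'
    2 = 'No access without explicit anonymous permissions'
}

function Get-AnonymousRestriction {
    # Effective value on the computer this runs on; a missing value is treated as 0.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = [int]$lsa.RestrictAnonymous
    [pscustomobject]@{ Value = $value; Setting = $AnonLabels[$value] }
}

# Schema GUID of the "Change Password" extended right, and the well-known SIDs
# for Everyone and SELF (SIDs avoid localized group names).
$ChangePassword = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
$Principals = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-10' = 'SELF' }

function Get-ChangePasswordAce {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[\w.\-]+$')]   # keeps LDAP filter metacharacters out
        [string]$SamAccountName
    )
    $hit = ([adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))").FindOne()
    if (-not $hit) { throw "Account '$SamAccountName' not found" }
    $sd = $hit.GetDirectoryEntry().psbase.ObjectSecurity
    $extended = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $Principals.ContainsKey($_.IdentityReference.Value) -and
            (([int]$_.ActiveDirectoryRights -band $extended) -ne 0) -and
            # An empty ObjectType means the ACE covers all extended rights.
            ($_.ObjectType -eq $ChangePassword -or $_.ObjectType -eq [guid]::Empty)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Principal = $Principals[$_.IdentityReference.Value]
                Type      = $_.AccessControlType   # Allow or Deny
                Inherited = $_.IsInherited
            }
        }
}

# Usage:
#   Get-AnonymousRestriction
#   Get-ChangePasswordAce -SamAccountName 'jdoe'
```

A result of 2 from the first function is the setting Martin reports as the cause; no Allow row for Everyone from the second is the condition Barry describes.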