users unable to change password

rwiedower

Applied registry change to both systems and rebooted. Tested client machine.
It didn't work.

One question: what type of key was the "RefusePasswordChange" supposed to
be? Since "DisablePasswordChange" was a DWORD, I set it to be a DWORD as
well. That's what I was supposed to do, correct?

eol,

Reed
 
Seaver

Dear Reed,

The "RefusePasswordChange" key can be set to 1 on DCs to disable the
machine account's change. The provided steps are aimed to ensure that your
registry entries are configured correctly. The DWORD "DisablePasswordChange"
value needs to be set to "0" as well.

After the reboot, please repeat the steps I've provided in my initial
response, and then test the situation. For your convenience, I've pasted
them again below:

a. Start the Active Directory Users and Computers tool, right-click the
Domain Controllers container, and then click Properties.
b. Click the Group Policies tab, click the Default Domain Controllers
policy, and then click Edit.
c. Expand the following items in the policy:

Computer Configuration
Windows Settings
Security Settings
Local Policies
User Rights Assignment

d. Double-click "Access this computer from the network", click Add, click
Browse, and then add Everyone and Authenticated Users.
e. Click OK in each dialog box or window to quit the policy editor. Close
the domain controller properties, and then quit Active Directory Users and
Computers.
f. At a command prompt, type "secedit /refreshpolicy machine_policy
/enforce" (without the quotation marks), and then press ENTER.

Regards,

Seaver
 
rwiedower

Okay, do I need to set the "RefusePasswordChange" to "1" or "0"? Originally,
you seemed to indicate that I should set it to "0" but this latest e-mail
implies that I should set it to "1". Which is it? Once I have your answer
I'll proceed with the rest of the steps.

end of line,

Reed
 
Seaver

Dear Reed,

The "RefusePasswordChange" key can be set to 1 on DCs to disable the
machine account's change. I suggest that you set it to "0" to disable that
function. Thanks.

- Seaver
 
rwiedower

I followed each of the steps outlined in the earlier post.

1) Made the registry change (although both were already set to "0").

2) Rebooted both DCs.

3) Made the GPO change (although the GPO was already set up to allow the
"everyone" and "authenticated users" groups access).

4) Refreshed the security settings on the workstation.

5) Logged in with a user account whose password is past the expiration
period. It prompted me to change it. I attempted to do so and, once again,
received the "you do not have permission to change your password" error
dialog box.

What can I try next?

end of line,

Reed Wiedower
 
rwiedower

Thanks to some helpful folks at MS, this issue has now been resolved. It
involved a hotfix being applied, but hopefully by the time XP service pack 2
(the hotfix was for the workstations, not the domain controller!) rolls out
it'll be included in it. Thanks again for everyone's help.

end of line,

Reed
 
