"You are not allowed to change your password"

Jim Becker

On a stand-alone Windows 2000 Advanced Server system (not part of any
AD or PDC environment), if I reset a password and check "User must
change password at next logon," there's a problem.

The user goes to the console, enters his user name and password, and
is prompted to change his password -- so far, so good. However, all
attempts to change his password get the response, "You are not allowed
to change your password." Why is this?

The password meets all password policy requirements on the server. The
minimum age is set to 0, so that's not the problem.

If I uncheck "User must change password at next logon," the user is
then able to log in normally. He's then able to change his password to
the same thing he was trying all along.

At least there's a workaround, but I'd rather take advantage of "User
must change password at next logon."

Jim Becker
 
Steven L Umbach

Is the option for the user account on the server for "user cannot change password"
disabled/unchecked? net user username should also show that info. --- Steve
 
Jim Becker

Steven L Umbach said:
Is the option for the user account on the server for "user cannot change password"
disabled/unchecked? net user username should also show that info. --- Steve

It's not checked. The only checked item is "user must change password
at next logon." If that's checked, the user is told he doesn't have
permission to change the password. If it's unchecked, the user can log
in and change his password manually.

We've reproduced this for multiple accounts, in and not in the
Administrators group.

Jim Becker
 
Steven L Umbach

I have seen that for AD users but never on a local computer. For AD users it usually is
a result of not having Everyone permissions for "change password" on the user's account.
I cannot think of anything else offhand other than to try enabling auditing of account
management on that computer and see if anything is generated in the security log in
Event Viewer. --- Steve
 
Jim Becker

Found the answer...

The template Win2kSrvGold_R1.0.1.inf from www.cisecurity.org had been
applied (with some local edits) to that server. It included the
following:

; *2.2.2.7 Require logon to change the password
RequireLogonToChangePassword = 1

This is undocumented in the companion guide that came with the
security template, and it's not displayed by the security snap-in. The
resulting behavior, although it had been documented (poorly IMO) in
NT4, is undocumented in Windows 2000. I can find no way to set it
except via the security template.

The effect is that the "User must change password at next logon"
checkbox is rendered useless. If it's checked, the user can't change
the password, and that's that. An administrator intending to issue a
one-use password can't use that checkbox.

When we changed the template to set that value to 0 instead of 1, all
was well.

Jim Becker
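An added check for the setting identified above (example script, not part of the thread or of the CIS template): it exports the policy currently in effect with secedit, looks up RequireLogonToChangePassword, and writes a corrected template fragment. It assumes the key lives in the [System Access] section of the exported .inf and that the script runs with administrative rights.

```powershell
# Added example (not from the thread): audit the effective local security policy
# for RequireLogonToChangePassword. Assumptions: secedit.exe is available and the
# key sits in the [System Access] section of the exported .inf.

function Get-SystemAccessSetting {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name
    )
    # Walk the .inf line by line; only consider keys under [System Access].
    $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        $trimmed = $line.Trim()
        if ($trimmed -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'System Access')
            continue
        }
        # Skip blank lines and ';' comments such as the CIS rule references.
        if (-not $inSection -or $trimmed -eq '' -or $trimmed.StartsWith(';')) { continue }
        $key, $value = $trimmed -split '\s*=\s*', 2
        if ($key -eq $Name) { return $value }
    }
    return $null   # key absent: the Windows default (0) applies
}

# 1. Export the policy currently in effect on this machine (needs admin rights).
$export = Join-Path $env:TEMP 'secpol-export.inf'
secedit.exe /export /cfg $export | Out-Null

# 2. Report the setting and what it means for "User must change password at next logon".
$value = Get-SystemAccessSetting -Path $export -Name 'RequireLogonToChangePassword'
if ($value -eq '1') {
    Write-Warning 'RequireLogonToChangePassword = 1: a forced change at next logon fails with "You are not allowed to change your password".'
} elseif ($null -eq $value) {
    Write-Output 'RequireLogonToChangePassword not set (default 0): forced change at next logon works.'
} else {
    Write-Output "RequireLogonToChangePassword = $value"
}

# 3. Fix: set the value to 0 in the template you apply (e.g. a local copy of
#    Win2kSrvGold_R1.0.1.inf). Written here as a fragment; apply with secedit /configure.
@'
[System Access]
; *2.2.2.7 Require logon to change the password
RequireLogonToChangePassword = 0
'@ | Set-Content -Path (Join-Path $env:TEMP 'fix-RequireLogonToChangePassword.inf')
```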
 
Steven L Umbach

Thanks for taking the time to post back. I was wondering if you had applied any
security templates to it. --- Steve
 