"You do not have permission to change your password" only when expired

22of3

Hi,

Users in our Windows 2003 AD domain (upgraded from NT4) that wait until
their password has expired before changing it receive the error "You do
not have permission to change your password" when they are forced to
change it. Users can change their password fine any day up until it has
actually expired.

We have restrictanonymous and restrictanonymoussam both set to 1 on the
domain controllers.

Any help would be appreciated. (Most posts I have read detail the
opposite of the above problem e.g. can not change password until it has
expired.)
 
Adam

22of3 said:
Hi,

Users in our Windows 2003 AD domain (upgraded from NT4) that wait until
their password has expired before changing it receive the error "You do
not have permission to change your password" when they are forced to
change it. Users can change their password fine any day up until it has
actually expired.

We have restrictanonymous and restrictanonymoussam both set to 1 on the
domain controllers.

Any help would be appreciated. (Most posts I have read detail the
opposite of the above problem e.g. can not change password until it has
expired.)

What is EveryoneIncludesAnonymous on the DCs? What OS are the clients
running?
 
22of3

Hi,

EveryoneIncludesAnonymous is set to 0. Clients are fully patched XP SP2
machines.
 
Steven L Umbach

The information below says it is for Windows 2000 domain but you may also
want to check it out for your domain in that "everyone" needs change
password permission for user accounts.

http://support.microsoft.com/?id=242795

The Everyone group has Change Password permissions on all computer and user
objects so that unauthenticated or "anonymous" users or computers are able
to change their passwords when they expire without having to be
authenticated first. If the anonymous user is denied the ability to change
passwords, the user would be unable to change the password without logging
on. The Access Control List (ACL) editor can be used to revoke this
permission, but use this editor with caution.

For additional information, click the article number below to view the
article in the Microsoft Knowledge Base:
258788 (http://support.microsoft.com/kb/258788/EN-US/) Cannot Change
Password in Windows Without Logging on to Domain
 
22of3

Hi,

I checked and the Everyone group already has the access as detailed in
those two MS articles. (Ability to change password on all user and
computer objects). So no luck there.

Since EveryoneIncludesAnonymous is set to 0 (on the domain controllers)
could that be what the problem is? Would I need to give "Anonymous
Logon" the rights to change password to get around the need for setting
EveryoneIncludesAnonymous to 1?

thanks again
 
Roger Abell [MVP]

22of3 said:
Hi,

I checked and the Everyone group already has the access as detailed in
those two MS articles. (Ability to change password on all user and
computer objects). So no luck there.

Since EveryoneIncludesAnonymous is set to 0 (on the domain controllers)
could that be what the problem is? Would I need to give "Anonymous
Logon" the rights to change password to get around the need for setting
EveryoneIncludesAnonymous to 1?

That should not be needed with client machines at XP
 
Steven L Umbach

I would not think so for XP SP2 but you certainly can try it. I suggest that
you also post in the Active_directory newsgroup to see if anyone there can
help. The other thing you might try is to enable auditing of directory
access for failure only [even if just temporarily] in Domain Controller
Security Policy and then audit the root domain container and the container
that contains the users for full control [if it does not inherit auditing
from the domain container] for user objects only for everyone, anonymous,
and self to see if anything is then found in the security logs of the domain
controllers next time it happens.

Steve
 
Joe Richards [MVP]

Out of curiosity, what is the pwdProperties attribute setting on your
domain head NC?

You can get that with

adfind -default -s base pwdProperties



--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
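The three checks the thread walks through (the LSA anonymous-access registry values from the original question, the Everyone / Anonymous Logon "Change Password" permission on user objects from Steven's reply, and the pwdProperties value Joe asks for) can be gathered from one domain controller in a single script. The following is an added example written for this thread, not code posted by any participant; it uses the ADSI (System.DirectoryServices) classes rather than the adfind tool, and the OU path and sample user DN near the bottom are constructed placeholders that you would replace with your own.

```powershell
# Added example: collect the settings discussed in this thread from a DC.
# Run on (or against) a domain controller with rights to read the LSA key
# and the directory ACLs. Read-only; it changes nothing.

# 1. LSA anonymous-access values mentioned in the question and the replies.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
foreach ($name in 'RestrictAnonymous', 'RestrictAnonymousSAM', 'EveryoneIncludesAnonymous') {
    $value = (Get-ItemProperty -Path $lsaKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) { $value = '<not set>' }
    '{0,-26} = {1}' -f $name, $value
}

# 2. pwdProperties on the domain head NC (what "adfind -default -s base pwdProperties" returns).
#    Bit names are the DOMAIN_PASSWORD_* flags from MS-SAMR; 0x2 (NO_ANON_CHANGE)
#    is the one that would block an unauthenticated (expired-password) change.
$rootDse   = [ADSI]'LDAP://RootDSE'
$domainDn  = [string]$rootDse.defaultNamingContext
$domain    = [ADSI]("LDAP://" + $domainDn)
$pwdProps  = [int]$domain.pwdProperties.Value
$pwdFlags  = @{
    0x01 = 'DOMAIN_PASSWORD_COMPLEX'
    0x02 = 'DOMAIN_PASSWORD_NO_ANON_CHANGE'
    0x04 = 'DOMAIN_PASSWORD_NO_CLEAR_CHANGE'
    0x08 = 'DOMAIN_LOCKOUT_ADMINS'
    0x10 = 'DOMAIN_PASSWORD_STORE_CLEARTEXT'
    0x20 = 'DOMAIN_REFUSE_PASSWORD_CHANGE'
}
"pwdProperties on $domainDn = $pwdProps"
foreach ($bit in ($pwdFlags.Keys | Sort-Object)) {
    if ($pwdProps -band $bit) { "  set: " + $pwdFlags[$bit] }
}

# 3. Who holds (or is denied) the User-Change-Password extended right.
#    Both GUIDs are the well-known schema values, not thread-specific data.
$changePwdRight = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'   # User-Change-Password
$userClass      = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "user"

function Get-ChangePasswordAces {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $entry = [ADSI]("LDAP://" + $DistinguishedName)
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $rules |
        Where-Object {
            $_.ObjectType -eq $changePwdRight -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Object        = $DistinguishedName
                Identity      = $_.IdentityReference.Value
                Type          = $_.AccessControlType          # Allow or Deny; a Deny here is what to look for
                AppliesTo     = if ($_.InheritedObjectType -eq $userClass) { 'user objects' }
                                elseif ($_.InheritedObjectType -eq [Guid]::Empty) { 'all / this object' }
                                else { $_.InheritedObjectType.ToString() }
                Inherited     = $_.IsInherited
            }
        }
}

# Domain head, the users container (constructed placeholder OU), and one sample user
# (constructed placeholder DN) so an ACE that is blocked from inheriting lower down shows up.
$targets = @(
    $domainDn,
    "OU=Users,$domainDn",                      # placeholder: your user OU
    "CN=Sample User,OU=Users,$domainDn"        # placeholder: one affected account
)
$targets | ForEach-Object { Get-ChangePasswordAces -DistinguishedName $_ } | Format-Table -AutoSize
```

Expected per KB 242795 is an Allow ACE for Everyone (and, on XP-era clients, Anonymous Logon is not required) applying to user objects, reaching the user itself as an inherited ACE. A Deny ACE for Everyone or Anonymous Logon, an ACE that stops inheriting at the OU, or the 0x2 bit in pwdProperties are the three conditions this script surfaces that would match the symptom in the thread; the thread's own outcome was that none of them applied, which is why the advice moved on to failure auditing and network traces.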
 
22of3

pwdProperties: 0

I will trawl the event logs on the DCs to see if I can get some more
info on the error and test auditing the events that you have suggested.

cheers
 
Joe Richards [MVP]

Well that kills my thought.

I would say you will probably end up breaking down to network traces and
trying to work out exactly what is happening or possibly calling MSFT
and opening a ticket.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
22of3

Thanks for the help. I will continue looking into the problem and will
get MS involved if required. If anything comes up, I will post back.

cheers
 
