Sign in with
Sign up | Sign in
Your question

User get access denied error when prompted to change passw..

Tags:
  • Security
  • Microsoft
  • Windows
Last response: in Windows 2000/NT
Share
Anonymous
a b 8 Security
October 7, 2004 9:29:05 AM

Archived from groups: microsoft.public.win2000.security (More info?)

When a User request a password reset the user receives
a "You do not have access to change your password" error.
I've pruned through all my access, security and Group
policies and cannot pinpoint what's overiding the "User
must change password at next logon" policy.
I am using a temporary workaround but it time consuming.
When the user send a password reset request I change the
password and get the user on the phone. I tell them what
the password is reset to and then have them log in then
do a Ctl+Alt+Del and click the change password button and
choose a new password. This as I say though is very time
consuming. Can you help me resolve this problem

More about : user access denied error prompted change passw

Anonymous
a b 8 Security
October 8, 2004 12:32:54 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Check their user account properties to make sure they are not restricted
from changing passwords. If you enable auditing of account management in the
Domain Controller Security Policy, you may find useful info in the security
log for failed events for account management. If these are XP Pro computers
having this problem, make sure that the domain controllers do NOT have the
security option set for "additional restrictions for anonymous access" set
to no access without explicit anonymous permissions as there effective
setting. You can look under Local Security Policy/security settings/local
policies/security options to view the setting and also check the registry
setting. See the KB link below for that.

http://support.microsoft.com/?kbid=246261

Depending on your domain makeup make sure that the pdc fsmo domain
controller is operational and look in the Event Viewer of it for any
problems. It is also possible that the everyone group does not have proper
permissions to Active Directory user objects. See the link below on how to
check that. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;258788

Try to think if their has been a configuration change around the time this
started happening such as importing a security template or modifying
security policy on domain controllers or domain computers as that may be
related. --- Steve



"Mike Robertson" <mikerobertson01@hotmail.com> wrote in message
news:1ede01c4ac69$3c490b20$a601280a@phx.gbl...
> When a User request a password reset the user receives
> a "You do not have access to change your password" error.
> I've pruned through all my access, security and Group
> policies and cannot pinpoint what's overiding the "User
> must change password at next logon" policy.
> I am using a temporary workaround but it time consuming.
> When the user send a password reset request I change the
> password and get the user on the phone. I tell them what
> the password is reset to and then have them log in then
> do a Ctl+Alt+Del and click the change password button and
> choose a new password. This as I say though is very time
> consuming. Can you help me resolve this problem
Anonymous
a b 8 Security
October 8, 2004 9:48:53 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Thanks Steve, You had it bang on. In a recent audit
finding it was recommended that all anonymous access
privileges should be tightened. Unfortunately "Additional
restrictions for anonymous access" was changed to "no
access without explicit anonymous permission". Once I
changed that and force a policy refresh the problem was
fixed.
Thanks so much for your kind and expeditious assistance.
>-----Original Message-----
>Check their user account properties to make sure they
are not restricted
>from changing passwords. If you enable auditing of
account management in the
>Domain Controller Security Policy, you may find useful
info in the security
>log for failed events for account management. If these
are XP Pro computers
>having this problem, make sure that the domain
controllers do NOT have the
>security option set for "additional restrictions for
anonymous access" set
>to no access without explicit anonymous permissions as
there effective
>setting. You can look under Local Security
Policy/security settings/local
>policies/security options to view the setting and also
check the registry
>setting. See the KB link below for that.
>
>http://support.microsoft.com/?kbid=246261
>
>Depending on your domain makeup make sure that the pdc
fsmo domain
>controller is operational and look in the Event Viewer
of it for any
>problems. It is also possible that the everyone group
does not have proper
>permissions to Active Directory user objects. See the
link below on how to
>check that. --- Steve
>
>http://support.microsoft.com/default.aspx?scid=kb;EN-
US;258788
>
>Try to think if their has been a configuration change
around the time this
>started happening such as importing a security template
or modifying
>security policy on domain controllers or domain
computers as that may be
>related. --- Steve
>
>
>
>"Mike Robertson" <mikerobertson01@hotmail.com> wrote in
message
>news:1ede01c4ac69$3c490b20$a601280a@phx.gbl...
>> When a User request a password reset the user receives
>> a "You do not have access to change your password"
error.
>> I've pruned through all my access, security and Group
>> policies and cannot pinpoint what's overiding the "User
>> must change password at next logon" policy.
>> I am using a temporary workaround but it time
consuming.
>> When the user send a password reset request I change
the
>> password and get the user on the phone. I tell them
what
>> the password is reset to and then have them log in then
>> do a Ctl+Alt+Del and click the change password button
and
>> choose a new password. This as I say though is very
time
>> consuming. Can you help me resolve this problem
>
>
>.
>
Anonymous
a b 8 Security
October 8, 2004 10:08:52 PM

Archived from groups: microsoft.public.win2000.security (More info?)

OK. Glad it worked and thanks for reporting back. FYI and for others the
paste below is from the Windows 2000 Security hardening guide and explains
some of the ramifications of modifying " additional restrictions for
anonymous connections" . Note that there is a hotfix called 328817 for the
can not change password issue. --- Steve


Set Additional Restrictions for Anonymous Connections

Security Objective: Disable ability of anonymous users to enumerate SAM
accounts and shares.

Recommendations:

. Domain and stand-alone servers - set this to "Do not allow
enumeration of SAM accounts and shares." This setting is equivalent to
RestrictAnonymous set to 1 and frequently, the setting is referred to this
way.

. Laptops and workstations - set this to "No access without explicit
anonymous permissions" (RestrictAnonymous = 2).


Note: The "No access without explicit anonymous permissions" option has the
potential to cause connectivity problems in many environments. Hence, we do
not recommend this setting for systems that need to accept inbound
connections generally. However, because of its great security value, we
encourage testing it thoroughly to evaluate whether it can be used in your
particular environment. Currently, several major incompatibilities with this
setting are known:

1.
When set to "No access without explicit anonymous permissions" on
Exchange 2000 servers, clients will be unable to look up addresses in the
Global Address Book. This issue was fixed in Windows 2000 Service Pack 3.

2.
When set to "Do not allow enumeration of SAM accounts and shares" on a
Windows 2000 domain controller, users on Windows XP, NT, and Macintosh
clients will be unable to change their domain password at logon. A fix for
Windows XP can be obtained from PSS by asking for hotfix 328817. No fix is
available for Windows NT and Macintosh clients.

3.
Down-level clients (Windows 9x and earlier) will be unable to
authenticate to the domain if this is set.

4.
Users on trusting NT 4 domains will be unable to list users from the
trusted Windows 2000 domain.

5.
The Browser Service does not function reliably.

6.
Inter-forest communication will not function correctly.


For more information, please see Microsoft Knowledge Base 246261

Note: On a bastion host system, we recommend seriously considering
configuring this to "No access without explicit anonymous permissions


"Mike Robertson" <mikerobertson01@hotmail.com> wrote in message
news:153501c4ad35$2a849360$a301280a@phx.gbl...
> Thanks Steve, You had it bang on. In a recent audit
> finding it was recommended that all anonymous access
> privileges should be tightened. Unfortunately "Additional
> restrictions for anonymous access" was changed to "no
> access without explicit anonymous permission". Once I
> changed that and force a policy refresh the problem was
> fixed.
> Thanks so much for your kind and expeditious assistance.
>>-----Original Message-----
>>Check their user account properties to make sure they
> are not restricted
>>from changing passwords. If you enable auditing of
> account management in the
>>Domain Controller Security Policy, you may find useful
> info in the security
>>log for failed events for account management. If these
> are XP Pro computers
>>having this problem, make sure that the domain
> controllers do NOT have the
>>security option set for "additional restrictions for
> anonymous access" set
>>to no access without explicit anonymous permissions as
> there effective
>>setting. You can look under Local Security
> Policy/security settings/local
>>policies/security options to view the setting and also
> check the registry
>>setting. See the KB link below for that.
>>
>>http://support.microsoft.com/?kbid=246261
>>
>>Depending on your domain makeup make sure that the pdc
> fsmo domain
>>controller is operational and look in the Event Viewer
> of it for any
>>problems. It is also possible that the everyone group
> does not have proper
>>permissions to Active Directory user objects. See the
> link below on how to
>>check that. --- Steve
>>
>>http://support.microsoft.com/default.aspx?scid=kb;EN-
> US;258788
>>
>>Try to think if their has been a configuration change
> around the time this
>>started happening such as importing a security template
> or modifying
>>security policy on domain controllers or domain
> computers as that may be
>>related. --- Steve
>>
>>
>>
>>"Mike Robertson" <mikerobertson01@hotmail.com> wrote in
> message
>>news:1ede01c4ac69$3c490b20$a601280a@phx.gbl...
>>> When a User request a password reset the user receives
>>> a "You do not have access to change your password"
> error.
>>> I've pruned through all my access, security and Group
>>> policies and cannot pinpoint what's overiding the "User
>>> must change password at next logon" policy.
>>> I am using a temporary workaround but it time
> consuming.
>>> When the user send a password reset request I change
> the
>>> password and get the user on the phone. I tell them
> what
>>> the password is reset to and then have them log in then
>>> do a Ctl+Alt+Del and click the change password button
> and
>>> choose a new password. This as I say though is very
> time
>>> consuming. Can you help me resolve this problem
>>
>>
>>.
>>
!