Re: Domain users unable to change password
- From: "Hank Arnold" <rasilon@xxxxxxx>
- Date: Mon, 22 Aug 2005 04:00:49 -0400
As I indicated, if the user logs onto the domain using an ICA or RDP client,
they can change the password with no problem. If, however, they do a domain
logon from the XP logon screen and try to change the password, they are not
allowed. I am able to change the user's password from the Active Directory
U&C plug-in on the DC.
I verified that the Domain GPO allows "Everyone" to change password. Our
domain is a Windows 2000 domain.
I did notice that the Security Policy Setting for "Additional restrictions
for anonymous connections" is set for "Do not allow enumeration of SAM
accounts and shares", not "No access without explicit anonymous
permissions". Could this affect it? I'm going to try changing it to
"Undefined" and see if that has any impact...
Good suggestion about the Event Logs.....
--
Regards,
Hank Arnold
"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxx> wrote in message
news:u%23WuoampFHA.3244@xxxxxxxxxxxxxxxxxxxxxxx
> Check their user accounts in AD Users and Computer to make sure that they
> are not configured to not allow user to change password in account
> properties. Also see if a user can change their password AFTER logging
> onto the domain which may be relevant per KB 258788 that I have listed
> further down.
>
> I can't think of a Group Policy setting offhand but if you have a Windows
> 2003 domain controller try running the Resultant Set of Policy mmc snapin
> in logging mode for a user/computer that is having this problem to see the
> settings configured for the user and the GP applying them. You can also
> use the mmc snapin for RSOP on the XP Pro computer but I prefer to do it
> on a domain controller. If you are not using Group Policy Management
> Console yet that is something you should consider to help manage and
> troubleshoot GP.
>
> There were some issues in the past with not being able to change passwords
> with XP Pro but I thought that they were worked out in SP2. One was that
> Windows 2000 domain controllers having the security option for additional
> restrictions for anonymous connections configured to be - no access
> without explicit anonymous permissions. That security option could have
> been configured on a domain controller in either Local Security Policy or
> Domain Controller Security Policy. The other issues in the links below may
> also be of interest.
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;258788
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;273004
>
> Since you are having a domain-wide problem I would run the support tools
> netdiag, dcdiag, and gpotool on a domain controller or two [at least pdc
> fsmo] and netdiag on one of the problem domain computers. Those tools will
> check for a variety of problems including dns, kerberos, dc list, network
> connectivity, replication, and secure channel/computer account integrity.
> Also look in the logs using Event Viewer of the domain controllers and a
> problem domain computer to see if anything pertinent is found. --- Steve
>
> "Hank Arnold" <rasilon@xxxxxxx> wrote in message
> news:%23bigb9ipFHA.272@xxxxxxxxxxxxxxxxxxxxxxx
>> I'm still having this problem.....
>>
>> We are setting up our workstations, so that they do a domain logon
>> instead of a local logon. Everything is working just fine except for one
>> thing: when the domain GPO expires the password and prompts them to
>> change it, they can't.
>>
>> When prompted, they click on "OK" and the expected window pops up with
>> their old password in "*****" and fields for the new password to be
>> entered and confirmed. The problem is that once they enter it, the system
>> comes back and says that they are not allowed to change it. Needless to
>> say, an admin has to do it for them.....
>>
>> If, however, they log onto the TS server directly, either with a Citrix
>> ICA client or RDP, they are able to accomplish the change. This leads me
>> to believe that it's a GPO setting or such on the local workstation, not
>> a domain GPO issue....
>>
>> The workstations in question are running Windows XP (98% w/SP2).....
>>
>> --
>> Regards,
>> Hank Arnold
>>
>>
>>
>
>