Re: permission to change password denied

anonymous_at_discussions.microsoft.com
Date: 06/18/04 

Date: Fri, 18 Jun 2004 08:29:46 -0700

THere are no messages logged at the DC or on the local
machine, other than the success audit where I, as admin,
change the account to require password change at login.

I think that entering the first (valid) password does not
authenticate the user, and that the subsequent
communications are refused since they're not authenticated.

This is not a new observation, I've not ever had this
work. Perhaps it uses a different means of communicating
with the DC in this case ? All other logon processes are
fast and reliable, and the password can be changed after
login without difficulty.

Dave
>-----Original Message-----
>So, if the user is required at first logon to change
password, they enter in
>the original password provided (which authenticates
them), are told to
>change the password, follow the prompts and get access
denied?
>What gets logged at the DC? What workstation OS are the
using and what gets
>logged there?
>
>Al
>
>
>"dlbrum" <anonymous@discussions.microsoft.com> wrote in
message
>news:1e53401c45534$d4e982b0$a401280a@phx.gbl...
>> If I check the box to require password change at first
>> logon, or in the case of a password expiring, the users
>> are prompted to change the password (before logging on).
>>
>> When they follow the prompts, they are not able to
change
>> a password, and get the "you do not have permission to
>> change" message. If they do logon first, they are able
to
>> change passwords at the CNTL-ALT-DEL "Windows Security"
>> dialog without incident.
>>
>> The machines are domain joined, DCs are win2k3 and
win2k.
>>
>> This is inevitably a trouble call.
>>
>> TIA for ideas,
>>
>> dave
>
>
>.
>

Relevant Pages

  • Re: Native Mode possible problems...help!
    ... their password will still be able to logon to an NT 4.0 - but using their ... Windows 2003/2000/NT ... > They NT 4.0 domain controllers will still be able to authenticate users, ... > Why not just upgrade the BDCs to Windows 2000 Server? ...
    (microsoft.public.windows.server.general)
  • Re: Child Domain access
    ... > You wrote...."So you logon TO A PC using a set of credentials from a ... > should be able to authenticate in the child domain with domain / ent admin ... > account which exists in the TRUSTED parent domain? ... So if the PC is in the child domain you can logon to IT ...
    (microsoft.public.windows.server.active_directory)
  • Outlook Anywhere with Cross Realm Trust
    ... I have the trust configured and it will allow me to authenticate using OWA. ... Task Category: Logon ... An account failed to log on. ... This event is generated when a logon request fails. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Advanced Digest Authentication Failure
    ... An IIS 6.0 server setup on a Windows Server 2003 Domain Controller is no ... authenticate clients using Advanced Digest Authentication, ... : Logon Failure: ... : Caller User Name: - ...
    (microsoft.public.inetserver.iis.security)
  • Re: IE no longer saving passwords
    ... You Cannot Access Your MSN E-mail Account or Authenticate with a Web Site in Various Programs ... Internet Explorer Always Prompts for Authentication When Browsing to Web Sites Already Logged on ...
    (microsoft.public.windowsxp.general)