Re: Error on password reset



If it's permissions related, my usual way of dealing with this is to use
auditing to see what rights are being used during the execution.
My first guess would be something along the lines of inheritance, but that's
a wild, wild guess. Try turning up the auditing, repeat the process and
read the event details to see what events were used and which weren't. Also,
try creating a new group and granting the permissions to a newly created
user (remove the legacy administration issues) and see if you get the same
issue.

Al


"Josh Messerschmitt" <josh@xxxxxxxxxxxxxx> wrote in message
news:OPVYmeeJGHA.3904@xxxxxxxxxxxxxxxxxxxxxxx
> Any idea why I would get the following error? The user has 'Full Control'
> to the OU & all child objects, all of a sudden (less than a week ago), a
> group in a different domain (create users, reset pw, change pw) received
> this error - giving them full control made no difference. Also tried a
> user in the same domain, it also didn't work. Even though the error below
> is upon user creation, they also can't reset passwords on existing
> accounts. FYI: They have the same rights across many domains, this is the
> only one that is failing - domain is in Native Mode.
>
> 'The password for testtest cannot be set due to insufficient privileges.
> Windows will attempt to disable this account. If this attempt fails, the
> account will become a security risk. Contact an administrator as soon as
> possible to repair this. Before this user can log on, the password should
> be set, and the account must be enabled.'
>
> 'Windows cannot complete the password change for user because: Access is
> denied.'
>
> There are 2 dc's: 1 Server 2003 & 1 Server 2000 - The 2000 box is the GC
> & nothing else. I'm not getting anything in the security event log, but I
> am getting a lot of 5722, 5723, 5513, & 5790 errors in the system log by
> the same 10 machines. Those errors have been ongoing for over a year,
> though.
>
> I followed the KB on resetting the secure channel between the DC's,
> stopping the KDC on the non-PDC emulator and what-have-you, but this did
> not help in any way (that I know of).
>
> Any ideas?
> --
> Josh Messerschmitt
>

