[Preacherpj]

Hey guys -

Not sure if this is a networking question, XP question or Server question......I have a network with one Server2008 R2 Domain Controller and XP SP3 clients. I have password complexity turned on and require the users to change their passwords every 30 days. Recently when a user tried to do this - he gets an error stating

"You donot have permission to change password"

I can reset their PW from the server and check the box that requires users to reset their password - but this is a bandaid and not a fix. I tried searching the forum, but didn't find this particular problem - anyone have any suggestions or ideas?

After some googling I found that I should have the registry keys
HKLM\system\currentcontrolset\control\las\restrictanonymous and restrictanonymoussam set to 0 or 1. I've set them both to one, but still have the issue.

Any and all help is greatly appreciated - thanks!

/R
Ryan

 

[Wand3r3r]

user cannot change password checked?
group policy doing the same on the local?

Since this is not a networking issue but a server OS issue I have moved your post to where it will get more attention.

 

[Preacherpj]

user cannot change password checked?
group policy doing the same on the local?

Since this is not a networking issue but a server OS issue I have moved your post to where it will get more attention.

Thanks for the quick reply, 'User Cannot Change Password isn't checked'.

I'm not sure what you mean by 'Group policy doing the same on the local'?

Going through Server Group Policy - I don't see a place to configure wether a user can change his password or not.

I'm in Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policies and I see the usual Min/Max password length, age, history, complexity requirements.......

 

[Wand3r3r]

what I mean by gpo and local is the message you get can also pertain to the local user account. You should check to make sure local pc accounts are not set to user can not change password.

PCs are joined to the domain, correct?

Check the ACEs/ACLs on the user objects in AD and verify that the "Change Password" Special Permission is set to "Allow" for the respective accounts (likewise, ensure that there is no explicit Deny on the accounts or groups to which the accounts belong to, for example "Everyone").

 

[Preacherpj]

Yes all computers are domain connected and there are no local accounts that users can use.

I've checked the User accounts and verified that they have the ability to change their password, but where do I check group permissions? I thought it would be under ADUC, but I don't see the security options in there.

Thanks for the help, sorry if this is a novice question.

/Ryan

 

[Wand3r3r]

open up the user administrator
go to the member of tab
double click on the group account
you have a number of options here but I am not seeing a "change password" in any of the lists per the microsoft article about checking the acls.

Are the xp boxes on service pack 1?
Did you engage any group policies?

 

[Preacherpj]

The XP machines are all service pack 3, and most of my policy control is local.

I do use Group Policy for enforcing the password policy. But when I look at the Domain Policy, I don't see any controls for allowing/disallowing a user the ability to change his password.

 

[Wand3r3r]

start by backing out the password policy and see if they can then change their passwords.