"You are not allowed to change your password"

Guest
Archived from groups: microsoft.public.win2000.security

On a stand-alone Windows 2000 Advanced Server system (not part of any
AD or PDC environment), if I reset a password and check "User must
change password at next logon," there's a problem.

The user goes to the console, enters his user name and password, and
is prompted to change his password -- so far, so good. However, all
attempts to change his password get the response, "You are not allowed
to change your password." Why is this?

The password meets all password policy requirements on the server. The
minimum age is set to 0, so that's not the problem.

If I uncheck "User must change password at next logon," the user is
then able to log in normally. He's then able to change his password to
the same thing he was trying all along.

At least there's a workaround, but I'd rather take advantage of "User
must change password at next logon."

Jim Becker

Guest

Is the option for the user account on the server for "user can not change password"
disabled/unchecked? net user username should also show that info. --- Steve


"Jim Becker" <jbecker@ui.urban.org> wrote in message
news:c113b52c.0407141225.47f4e9ba@posting.google.com...
> On a stand-alone Windows 2000 Advanced Server system (not part of any
> AD or PDC environment), if I reset a password and check "User must
> change password at next logon," there's a problem.
>
> The user goes to the console, enters his user name and password, and
> is prompted to change his password -- so far, so good. However, all
> attempts to change his password get the response, "You are not allowed
> to change your password." Why is this?
>
> The password meets all password policy requirements on the server. The
> minimum age is set to 0, so that's not the problem.
>
> If I uncheck "User must change password at next logon," the user is
> then able to log in normally. He's then able to change his password to
> the same thing he was trying all along.
>
> At least there's a workaround, but I'd rather take advantage of "User
> must change password at next logon."
>
> Jim Becker

Guest

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message news:<HyiJc.91609$XM6.62992@attbi_s53>...
> Is the option for the user account on the server for "user can not change password"
> disabled/unchecked? net user username should also show that info. --- Steve

It's not checked. The only checked item is "user must change password
at next logon." If that's checked, the user is told he doesn't have
permission to change the password. If it's unchecked, the user can log
in and change his password manually.

We've reproduced this for multiple accounts, in and not in the
Administrators group.

Jim Becker

Guest

I have seen that for AD users but never a local computer. For AD users it usually is
a result of not having everyone permissions for change password to the users account.
I can not think of anything else offhand other than try enabling auditing of account
management on that computer and see if anything is generated in the security log in
Event Viewer. --- Steve

"Jim Becker" <jbecker@ui.urban.org> wrote in message
news:c113b52c.0407150659.6debd6e0@posting.google.com...
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:<HyiJc.91609$XM6.62992@attbi_s53>...
> > Is the option for the user account on the server for "user can not change password"
> > disabled/unchecked? net user username should also show that info. --- Steve
>
> It's not checked. The only checked item is "user must change password
> at next logon." If that's checked, the user is told he doesn't have
> permission to change the password. If it's unchecked, the user can log
> in and change his password manually.
>
> We've reproduced this for multiple accounts, in and not in the
> Administrators group.
>
> Jim Becker

Guest

Found the answer...

The template Win2kSrvGold_R1.0.1.inf from www.cisecurity.org had been
applied (with some local edits) to that server. It included the
following:

; *2.2.2.7 Require logon to change the password
RequireLogonToChangePassword = 1

This is undocumented in the companion guide that came with the
security template, and it's not displayed by the security snap-in. The
resulting behavior, although it had been documented (poorly IMO) in
NT4, is undocumented in Windows 2000. I can find no way to set it
except via the security template.

The effect is that the "User must change password at next logon"
checkbox is rendered useless. If it's checked, the user can't change
the password, and that's that. An administrator intending to issue a
one-use password can't use that checkbox.

When we changed the template to set that value to 0 instead of 1, all
was well.

Jim Becker
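The interaction Jim describes, worked through as an added example that is not part of the thread: a small Python audit that parses a security template in the .inf layout he quotes, flags RequireLogonToChangePassword = 1 under [System Access] as the setting that makes "User must change password at next logon" unusable, and rewrites it to 0 as he did. The template text is constructed; the function names are this example's own.

```python
import re

# Constructed excerpt in security-template .inf layout. It is NOT the real CIS
# Win2kSrvGold_R1.0.1.inf, only the [System Access] keys discussed in the thread.
# Real templates are usually UTF-16 files (note the [Unicode] header); decode
# them to str before passing them to these functions.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 90
; *2.2.2.7 Require logon to change the password
RequireLogonToChangePassword = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

KEY_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_sections(text):
    """Parse a template into {section: {key: value}}; lines starting with ';' are comments."""
    sections, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(";"):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1]
            sections.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2)
    return sections


def audit_password_change(text):
    """Return findings that would break 'User must change password at next logon'."""
    access = parse_sections(text).get("System Access", {})
    findings = []
    if access.get("RequireLogonToChangePassword", "0").strip() == "1":
        findings.append("RequireLogonToChangePassword = 1: a user flagged to change "
                        "the password at next logon is refused, so one-use passwords fail")
    return findings


def relax_require_logon(text):
    """Set RequireLogonToChangePassword to 0 in place, the fix the thread arrived at."""
    pattern = r"(?m)^([ \t]*RequireLogonToChangePassword[ \t]*=[ \t]*)1[ \t]*$"
    return re.sub(pattern, r"\g<1>0", text)
```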

Guest

Thanks for taking the time to post back. I was wondering if you had applied any
security templates to it. --- Steve

"Jim Becker" <jbecker@ui.urban.org> wrote in message
news:c113b52c.0407161453.e8577d3@posting.google.com...
> Found the answer...
>
> The template Win2kSrvGold_R1.0.1.inf from www.cisecurity.org had been
> applied (with some local edits) to that server. It included the
> following:
>
> ; *2.2.2.7 Require logon to change the password
> RequireLogonToChangePassword = 1
>
> This is undocumented in the companion guide that came with the
> security template, and it's not displayed by the security snap-in. The
> resulting behavior, although it had been documented (poorly IMO) in
> NT4, is undocumented in Windows 2000. I can find no way to set it
> except via the security template.
>
> The effect is that the "User must change password at next logon"
> checkbox is rendered useless. If it's checked, the user can't change
> the password, and that's that. An administrator intending to issue a
> one-use password can't use that checkbox.
>
> When we changed the template to set that value to 0 instead of 1, all
> was well.
>
> Jim Becker