Access Denied Error while trying to change network passwords 2

[sekermestrovich]

In May 20002, I installed a new Windows2k server in a NT domain. The DC is an NT machine. Up to this point there was an account policy set up for user passwords that expired every 60 days. Since the 2000 server was added to the domain when the 60 days is up and a user puts in a new password, an error message comes up that say "Unable to change password. Access denied".

It goes through all the motions of "Your password for the Domain has expired, you must specify a new one". You OK the screen, input new password and verify new password, then you get error message. This also happens with users in the administrator group.

Any suggestions

 

[MarkUU]

So the 2K box is just a member server? If so then the 2K box should not affect users and changing the passwords. Also make sure the clients are truly loggin on to the domain and not logging on using cached information.

 

[sekermestrovich]

The 2k box is a member server. The users are logging on to the domain. Up to the new server install, every 60 days users would be prompted to change their passwords, and did so successfully. But the first time a user, including administrator, was asked to change their password, as soon as they tried it said access denied.

I agree with you in that the 2k box, since it is only a member server, should not affect users logging on. The only other thing I can think of is the original DC was demoted to a backup and one of the other backups was promoted to the DC. Would that have anything to do with it?

 

[jtb]

WINS, anyone? JTB
Solutions Architect
MCSE-NT4, MCP+I, MCP-W2K, CCNA, CCDA,
CTE, MCIWD, i-Net+, Network+
(MCSA, MCSE-W2K, MCIWA, SCSA, SCNA in progress)

 

[GlenJohnson]

If it was only a couple of users, are you sure it wasn't pebcam? I have an admisitrator here who's not up on MS software, he's a novell person. Wanted to delete a group because he didn't know what it was used for. (PEBCAM = Problem Exists Between Chair And Monitor.)

Glen A. Johnson
Microsoft Certified Professional
glen@nellsgiftbox.com


"What really happens is trivial in comparison to what could occur."
Robert von Musil (1880-1942); Austrian author.

 

[sekermestrovich]

It is all users. Not just a couple. It did the same for the administrator. Wins is working fine.

I'm stumped!

 

[buddafish]

you mentioned that the 1st dc was possibly demoted to a member? the FSMO pdc-emulator role would have defaulted to this machine. do you have a pdc-emulator online? this is necessary for password changes in mixed mode.

just wondering,
scottie

 

[buddafish]

another thought..., are you saying that you added a w2k server into your existing 4.0 domain before upgrading your nt 4.0 pdc to a w2k dc for the domain ?

 

[matt95gsr]

Had the same problem once after one of my guys screwed with my servers. Every user got the "Unable to change password. Access Denied." message when they were forced to change due to expiration date - not very fun. Here's what fixed me:
CAUSE
This problem occurs when the network administrator enables the Windows NT option "User must change password at next logon" for the user account and sets the global account policy "User must log on in order to change password."
WORKAROUND
To work around this problem, either disable the option "User must log on in order to change password" or disable password expiration for the user account.

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q128490

Maybe that will help...?

Matt.

 

[sekermestrovich]

Problem corrected. Thanks Matt!