One of our users just showed me that they could change their network login password by pressing Ctrl-Alt-Del in XP and click on Change Password. Server OS is Windows 2003 R2 and Active Directory has the user accounts marked with "user cannot change password". What am I missing here? Is something in Group Policy allowing this?
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Prevent users in XP from changing network password
- Thread starter gshurman
- Start date
Are the users logging on via network credentials or local credentials? If network, was he actually able to change his password?
I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
There are no more PDC's! There are DC's with FSMO roles!
I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
There are no more PDC's! There are DC's with FSMO roles!
- Thread starter
- #3
- Thread starter
- #5
Could the user actually change the password though?? Just having the option 'Change Password' available after pressing ctrl atl del does not mean that they can actually change it
Paul
MCSE 2003
MCSA 2003
MCITP Enterprise Administrator
If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams
Paul
MCSE 2003
MCSA 2003
MCITP Enterprise Administrator
If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams
As pagy has reiterated...the question to be answered is was the user or users actually able to change their password? Not just have the option...did they change their password, log off the system, and then log back on the system with that new password using their network USERID?
I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
There are no more PDC's! There are DC's with FSMO roles!
I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
There are no more PDC's! There are DC's with FSMO roles!
- Thread starter
- #8
And then they can logon to their computer using their network credentials with the changed password?
It really would save time if you'd answer both parts to the questions we ask...
I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
There are no more PDC's! There are DC's with FSMO roles!
It really would save time if you'd answer both parts to the questions we ask...
I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
There are no more PDC's! There are DC's with FSMO roles!
- Thread starter
- #10
Well, besides my own belief that users should always have the ability to change their passwords, and that no one else should ever have that password unless a business isn't concerned about security.....
How many DCs & GCs? If you run dcdiag from each one, are there any replication issues? If you drop to a CMD prompt from one of these machines, and do a echo %logonserver%, does it list a DC that shows the checkbox checked that they can't change their password?
Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
How many DCs & GCs? If you run dcdiag from each one, are there any replication issues? If you drop to a CMD prompt from one of these machines, and do a echo %logonserver%, does it list a DC that shows the checkbox checked that they can't change their password?
Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
- Thread starter
- #12
This is indeed strange. Have you checked your GPO's to ensure they're not conflicting? The thing is the AD object would overrule any GPO...but just to be doubly sure.
Are there users that can't change their password?
Create a test user without any GPO's being applied to the OU their in and see if the issue presents itself.
I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
There are no more PDC's! There are DC's with FSMO roles!
Are there users that can't change their password?
Create a test user without any GPO's being applied to the OU their in and see if the issue presents itself.
I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
There are no more PDC's! There are DC's with FSMO roles!
- Thread starter
- #14
Yes, please do that. It makes absolutely no sense why it's happening.
I'm willing to bet though, that it's something quite simple.
I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
There are no more PDC's! There are DC's with FSMO roles!
I'm willing to bet though, that it's something quite simple.
I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
There are no more PDC's! There are DC's with FSMO roles!
Weird, check the ACL of one of your user objects and look for Deny entries for Change Password on Everyone and SELF.
If the user can change the password then that Deny probably won't be there, hence why they can change the password. Those entries are added when you check 'User cannot change password', so I can't think why it would not have worked in your case. Unless at some point some 'interesting' security changes were made to ACLs in AD????
Paul
MCSE 2003
MCSA 2003
MCITP Enterprise Administrator
If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams
If the user can change the password then that Deny probably won't be there, hence why they can change the password. Those entries are added when you check 'User cannot change password', so I can't think why it would not have worked in your case. Unless at some point some 'interesting' security changes were made to ACLs in AD????
Paul
MCSE 2003
MCSA 2003
MCITP Enterprise Administrator
If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams
- Status
Similar threads
- Locked
- Question
- Locked
- Question