user cannot change password

Status
Not open for further replies.

hayesp

Technical User
Jul 11, 2002
59
IE
Hi, I am getting "access denied" when a user attempts to change their password when prompted by the server. This initially was only with 9x PCs but now it's with all W2K and XP as well. Any help would be appreciated.
Thanks,
Paul
 
Have you looked at the obvious thing... Do the users have rights to change the password?

---
Make the best use of what is in your power, and take the rest as it happens.
 
I have checked all of the things that I could see as obvious. I even checked the security on the server and the only thing that I found was that "additional restrictions for anonymous connections" has been set to "no access without explicit anonymous permissions" that had been flagged by MS Baseline Security Analyzer as a security flaw. I have reset this to "not defined" to see if it will get around the problem but I would prefer not to have to leave this undefined.
 
This may be obvious, but under the account tab is change password ticked? This will overrule any GPO settings.
 
hayesp

Sometimes the security system of AD will not let users change passwords when the original password does not meet kerios security measures.

If Kerios security is set then a password should be at least 6 characters and have at least 1 capital letter and a number or a special character.

To get around the flaw you will have to change the password for them, then set the field (user must change password on next login) and have them change it when prompted.

Now what is weird and seems to be a flaw in Kerios is this happens randomly and can even happen when the original password meets criteria.



bob

"ZOINKS !!!!!"

Shaggy

 
I have checked the account tab etc. I have also checked the kerberos settings and they aren't defined.
Thanks for the help anyway.
Regards,
Paul
 
Check to make sure that complexity is not enabled. Also try changing their password and use a complex password such as LKmnpas22! and see if that works. If it works tell the user they need to use a password with at least two capital letters, 2 numbers, 1 special character and can not be a word and must be at least 8 characters long.
 
If the password expiration date has been passed you may need to kick it forward for them to be able to change it again.
 
Sometimes the security system of AD will not let users change passwords when the original password does not meet kerios security measures

I think you are referring to Kerberos, but regardless, password complexity is controlled by passfilt.dll. Kerberos has nothing to do with password complexity. And if your password complexity is set to certain criteria, it isn't a flaw when you try to change the password to something that doesn't meet those criteria.

You also get a pretty specific error when your password does not meet the complexity requirements, rather than access denied.

Some things to check are minimum password age (has enough time elapsed since the last change?), the "user must change password at next logon" and "user cannot change password" boxes on the account tab for the user.
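The minimum-password-age check from the list above, worked through on raw directory values, as an added example that is not part of the original thread. It assumes the account's `pwdLastSet` (a Windows FILETIME) and the domain's `minPwdAge` (a negative 100-nanosecond interval) have been read from the directory, and that the "user cannot change password" box is supplied as a boolean read off the account tab; the function names and sample values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ONE_US = timedelta(microseconds=1)


def filetime_to_datetime(ticks):
    """Convert a pwdLastSet-style FILETIME to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of the above; used here only to build constructed samples."""
    return ((dt - FILETIME_EPOCH) // ONE_US) * 10


def interval_to_timedelta(ticks):
    """minPwdAge is stored as a negative count of 100-ns intervals."""
    return timedelta(microseconds=abs(ticks) // 10)


def password_change_blockers(pwd_last_set, min_pwd_age, cannot_change, now):
    """List the account-side reasons a user-initiated change would be refused.

    pwd_last_set == 0 is the 'must change at next logon' state; the age
    test below then passes trivially because the base date is 1601.
    """
    reasons = []
    if cannot_change:
        reasons.append("'User cannot change password' is set on the account")
    earliest = filetime_to_datetime(pwd_last_set) + interval_to_timedelta(min_pwd_age)
    if now < earliest:
        reasons.append(
            f"minimum password age not reached until {earliest:%Y-%m-%d %H:%M} UTC"
        )
    return reasons


if __name__ == "__main__":
    # Constructed sample: password set 2002-07-10 12:00 UTC, minimum age one day.
    last_set = datetime_to_filetime(datetime(2002, 7, 10, 12, 0, tzinfo=timezone.utc))
    one_day = -864_000_000_000
    now = datetime(2002, 7, 11, 0, 0, tzinfo=timezone.utc)
    for reason in password_change_blockers(last_set, one_day, False, now):
        print(reason)
```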
 
Is this an NT 4 domain or an AD structure first? If it is AD, AD does not use passfilt.dll. Look under your local security settings, account policy, password policy and see if your problem lies there.
 
I'm pretty sure you will find that AD does use passfilt.dll for password complexity.
 
It is an AD W2000 domain. I have checked the security settings - complexity requirements of the passwords and the Kerberos, etc. - but there is nothing to suggest that it is here that the problem lies.
 
What does the event log say on the domain controller under security?
 