In an attempt to tighten security, I've somehow managed to revoke users ability to change their own passwords. Naturally I can't find which of several places to look that has done this. Would someone mind giving a brief rundown of what some of the default settings in the various security policies (and elsewhere I might have forgotten) _should_ be?
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Users cannot change password
- Thread starter jsd2003
- Start date
Stevehewitt
IS-IT--Management
Hey
I am having this problem too!!! God knows how I have managed it. I personally cannot find anything in any Group Policy that can help. No idea at all, and its been bugging me for a long time now!
If users try to change it BEFORE they are prompted then they can change without problems. If they try to change when the system informs them the password is out of date (or nearly) then Win2k kindly tells them that they do not have access.
If you go to cmd and try NET USER %USERNAME% /DOMAIN on an affected user you can see what the system thinks for password permissions.
(USER MAY CHANGE PASSWORD: YES)
All users have YES on this field, meaning that I have not ticked the "do not allow users to change password" tick box in AD. I am using Win2k SP3.
Can anyone help us?!
Steve Hewitt
I am having this problem too!!! God knows how I have managed it. I personally cannot find anything in any Group Policy that can help. No idea at all, and its been bugging me for a long time now!
If users try to change it BEFORE they are prompted then they can change without problems. If they try to change when the system informs them the password is out of date (or nearly) then Win2k kindly tells them that they do not have access.
If you go to cmd and try NET USER %USERNAME% /DOMAIN on an affected user you can see what the system thinks for password permissions.
(USER MAY CHANGE PASSWORD: YES)
All users have YES on this field, meaning that I have not ticked the "do not allow users to change password" tick box in AD. I am using Win2k SP3.
Can anyone help us?!
Steve Hewitt
Stevehewitt
IS-IT--Management
Hey,
Have you had any luck on the password issue?
Have you had any luck on the password issue?
Hi.
I'm answer you from Colombia, and my english is not good, but you can try this, go to Active Directory User and Computer, click in the menu bar View/Advanced Features, then go to your domain icon, right-clik, Properties go to security tab, Advanced Botton, select a user or group, or add one if you want, select View/Edit botton,in the windows Permission Entry for your domain, select Apply Onto : User Object, and deny the permissions for change password or if you need the permission reset password.
Good Luck.
Candelario Dimas.
MCP, MCSE
I'm answer you from Colombia, and my english is not good, but you can try this, go to Active Directory User and Computer, click in the menu bar View/Advanced Features, then go to your domain icon, right-clik, Properties go to security tab, Advanced Botton, select a user or group, or add one if you want, select View/Edit botton,in the windows Permission Entry for your domain, select Apply Onto : User Object, and deny the permissions for change password or if you need the permission reset password.
Good Luck.
Candelario Dimas.
MCP, MCSE
GlenJohnson
MIS
Did you by chance run the security snap in in mmc?
Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@johnsoncomputers.us
Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884
"The one duty we owe to history is to rewrite it."
Oscar Wilde (1854-1900); Anglo-Irish playwright.
Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@johnsoncomputers.us
Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884
"The one duty we owe to history is to rewrite it."
Oscar Wilde (1854-1900); Anglo-Irish playwright.
Stevehewitt
IS-IT--Management
I think I did play with the security templates. Didn't seem to effect anything, but about three weeks later everyone was telling me they couldn't login as Windows won't allow them to change their password, but they need too to get into the system!
Weird thing is that if Windows doesn't tell users to change it (expiration) then users can change of their own free will by doing a CTRL-ALT-DEL!!
Thanks for the tips, its a Sunday in the UK and I refuse to work unless necessary, so I will play tomorrow. (And * any useful posts!)
Many thanks people,
Steve
Weird thing is that if Windows doesn't tell users to change it (expiration) then users can change of their own free will by doing a CTRL-ALT-DEL!!
Thanks for the tips, its a Sunday in the UK and I refuse to work unless necessary, so I will play tomorrow. (And * any useful posts!)
Many thanks people,
Steve
- Thread starter
- #8
Steve,
I never did find a solution. And since I've recently lost that job, I won't be trying the above suggestions. I'll pay more attention to what I play around with next time though.
Tough luck to my old boss. Good luck to you tomorrow though.
I never did find a solution. And since I've recently lost that job, I won't be trying the above suggestions. I'll pay more attention to what I play around with next time though.
Tough luck to my old boss. Good luck to you tomorrow though.
GlenJohnson
MIS
Go back and look at your security templates. My home server is down so I can't check for details right now, but the awnser is in the snap ins.
Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@johnsoncomputers.us
Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884
"The one duty we owe to history is to rewrite it."
Oscar Wilde (1854-1900); Anglo-Irish playwright.
Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@johnsoncomputers.us
Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884
"The one duty we owe to history is to rewrite it."
Oscar Wilde (1854-1900); Anglo-Irish playwright.
Stevehewitt
IS-IT--Management
I'll have a play, thanks for the prompt response!
As soon as I find out I'll post back.
Thanks again,
Steve.
As soon as I find out I'll post back.
Thanks again,
Steve.
GlenJohnson
MIS
Maybe look for something that says 21 days, about the length of time it took the users to have problems.
Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@johnsoncomputers.us
Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884
"The one duty we owe to history is to rewrite it."
Oscar Wilde (1854-1900); Anglo-Irish playwright.
Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@johnsoncomputers.us
Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884
"The one duty we owe to history is to rewrite it."
Oscar Wilde (1854-1900); Anglo-Irish playwright.
With your Active Directory Users and Computers open, right click on the domain name, then properties > Group Policy > Edit the Default Domain Policy. Under "User Configuration" go to Administrative Templates > System > Logon/Logoff. Right there you have a policy "Disable change Password". Disable this policy.
If you have OU that have their own group policy as well, check this setting there as well.
If you have OU that have their own group policy as well, check this setting there as well.
Stevehewitt
IS-IT--Management
Hi people.
Sorry, I really want to appologise for not posting back sooner.
Still no luck. I have tried all of the solutions suggested above other than the Security templates which I promise I will work on this weekend and on Monday. Just need to do a good backup first ;-)!
Cheers,
Steve.
Sorry, I really want to appologise for not posting back sooner.
Still no luck. I have tried all of the solutions suggested above other than the Security templates which I promise I will work on this weekend and on Monday. Just need to do a good backup first ;-)!
Cheers,
Steve.
- Status
Similar threads
- Locked
- Question
- Locked
- Question