Re: New users cannot change initial password?

Hauke Fath <dont.spam.usenet@googlemail.com> wrote:
> All,
>
> this is definitely an FAQ, it's just that the answers Google provided
> me with don't seem to apply to my problem...
>
> I have a standalone Windows 2003 terminal server here with two dozen
> freshly-created accounts. To make sure people set half decent
> passwords, I ticked "User must change password at next logon".
>
> What happened next is that users were requested to change their
> password, then told
>
> "You do not have permission to change your password."
>
> OTOH, after administrator forces a new password, they can login and
> change their password within the session.
>
> The MS knowledgebase articles that I came across either deal with
> passwords expiring, or older OS versions.
>
> Does anybody have any TS2003 related wisdom to share?
>
> hauke

Can you double check that the users don't also have "user cannot change
password" ticked in their profile properties? I'm setting up my reply to
crosspost to microsoft.public.windows.server.general as your question really
doesn't have anything to do with TS specifically.

 

[f'up2 microsoft.public.windows.server.general]

Lanwench [MVP - Exchange]
<lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote:

> Hauke Fath <dont.spam.usenet@googlemail.com> wrote:
> > I have a standalone Windows 2003 terminal server here with two dozen
> > freshly-created accounts. To make sure people set half decent
> > passwords, I ticked "User must change password at next logon".
> >
> > What happened next is that users were requested to change their
> > password, then told
> >
> > "You do not have permission to change your password."
> >
> > OTOH, after administrator forces a new password, they can login and
> > change their password within the session.
> >
> > The MS knowledgebase articles that I came across either deal with
> > passwords expiring, or older OS versions.
>
> Can you double check that the users don't also have "user cannot change
> password" ticked in their profile properties?

I checked; they don't (now that would be a lethal combination, wouldn't
it...).

hauke

--
Now without signature.

 

What is your password policy for minimum password age? ;-)



Hauke Fath wrote:
> [f'up2 microsoft.public.windows.server.general]
>
> Lanwench [MVP - Exchange]
> <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote:
>
>> Hauke Fath <dont.spam.usenet@googlemail.com> wrote:
>>> I have a standalone Windows 2003 terminal server here with two dozen
>>> freshly-created accounts. To make sure people set half decent
>>> passwords, I ticked "User must change password at next logon".
>>>
>>> What happened next is that users were requested to change their
>>> password, then told
>>>
>>> "You do not have permission to change your password."
>>>
>>> OTOH, after administrator forces a new password, they can login and
>>> change their password within the session.
>>>
>>> The MS knowledgebase articles that I came across either deal with
>>> passwords expiring, or older OS versions.
>>
>> Can you double check that the users don't also have "user cannot
>> change password" ticked in their profile properties?
>
> I checked; they don't (now that would be a lethal combination,
> wouldn't it...).
>
> hauke

--
/kj

 

kj [SBS MVP] <KevinJ.SBS@SPAMFREE.gmail.com> wrote:

> What is your password policy for minimum password age? ;-)

0 days. )

Basically, I stuck with the defaults. Unfortunately, the policy "Allow
users to change password at login dialog" seems to be missing... and I
don't want to baby-sit two dozen users through setting their password -
and making sure they do change an initial password.

hauke



--
Now without signature.

 

Hauke Fath wrote:
> kj [SBS MVP] <KevinJ.SBS@SPAMFREE.gmail.com> wrote:
>
>> What is your password policy for minimum password age? ;-)
>
> 0 days. )
>
> Basically, I stuck with the defaults. Unfortunately, the policy "Allow
> users to change password at login dialog" seems to be missing... and I
> don't want to baby-sit two dozen users through setting their password
> - and making sure they do change an initial password.
>
> hauke

That's a per user object setting not a policy setting. Did you modify any
default security configurations? Are the users in an OU structure or in the
default "users' container?



--
/kj

 

kj [SBS MVP] <KevinJ.SBS@SPAMFREE.gmail.com> wrote:

> Hauke Fath wrote:
> > Basically, I stuck with the defaults. Unfortunately, the policy "Allow
> > users to change password at login dialog" seems to be missing... and I
> > don't want to baby-sit two dozen users through setting their password
> > - and making sure they do change an initial password.
>
> That's a per user object setting not a policy setting.

Well, as I said, "User cannot change password" is off. And "[Local
Security Settings]::Local Policies::User Rights Assignment" doesn't have
anything related.

What is logged as security event, btw., is "The specified account's
password has expired." Nothing about the failed attempt to set a new
password there.

> Did you modify any default security configurations?

I ran "Administrative Tools::Security Configuration Wizard", yes. I just
reviewed the policy I created, and there's nothing about users and
passwords in it.

> Are the users in an OU structure or in the default "users' container?

They are all local accounts, if that answers your question?

hauke

--
Now without signature.

 

Hauke Fath <dont.spam.usenet@googlemail.com> wrote:

> > Did you modify any default security configurations?
>
> I ran "Administrative Tools::Security Configuration Wizard", yes. I just
> reviewed the policy I created, and there's nothing about users and
> passwords in it.

Resolution: In "Local Security Settings::Local Policies::Security
Options", the policy "Accounts: Limit local account use of blank
passwords to console only" was set to "enabled".

The resulting error kind of makes sense, not logging it was less than
helpful. I _thought_ I had tried an account with a pre-set password !=
"", but maybe I didn't.

hauke

--
Now without signature.

 

Hauke Fath wrote:
> Hauke Fath <dont.spam.usenet@googlemail.com> wrote:
>
>>> Did you modify any default security configurations?
>>
>> I ran "Administrative Tools::Security Configuration Wizard", yes. I
>> just reviewed the policy I created, and there's nothing about users
>> and passwords in it.
>
> Resolution: In "Local Security Settings::Local Policies::Security
> Options", the policy "Accounts: Limit local account use of blank
> passwords to console only" was set to "enabled".
>
> The resulting error kind of makes sense, not logging it was less than
> helpful. I _thought_ I had tried an account with a pre-set password !=
> "", but maybe I didn't.
>
> hauke

Thanks for posting back your resolution so that others can benefit.

--
/kj

 

kj [SBS MVP] <KevinJ.SBS@SPAMFREE.gmail.com> wrote:

> Thanks for posting back your resolution so that others can benefit.

Sure - it's the least I can do... this is USENET, after all.

Plus, I may have to comeback with more questions.

hauke

--
Now without signature.