Discussion:
Help w/ "User Must Change Password at next Logon"
Marc
2004-09-21 17:26:50 UTC
Setup,

Windows server 2003 as a DC (patched, up to date)

Client, Windows 2000 Pro, SP4 (patched, up to date)

The problem I'm having is that when I create users and set their account to
"User must change password at next logon", the user gets the message that
their password has expired and they need to change it. They are presented
with the dialog to change the password BUT after a minute they get the
message "The system cannot change your password now because the domain
<domain_name> is not available."

If I go to ADUC and uncheck the option: "User must change password at next
logon", the user can log in w/ no problems. This makes for a pain because I
have to add 150 users and I want the users to set their own passwords.

I've searched Microsoft and found articles 837327 and 324141, but
nothing applies. I even experimented by giving the "Everyone" group special
permissions to the Users OU to "Change Password" and "Reset Password". Then
I tried Everyone "Full Control" just to test if it was a permission issue on
the Users OU. Nothing seems to have any effect.

I know AD is setup right because once the user logs in, the policies are
applied, etc.

I've searched Google groups too, only to be pointed to the old articles at
MS that apply to Windows 2000.

Am I missing something here?

I had our security guys check the firewall and nothing is being denied by
the clients, so I think that helps rule out a firewall issue.

Please Help, this is making me crazy.

Marc
Marc
2004-09-22 16:15:58 UTC
Humm,

This is very strange, why would Microsoft even have this option if it
doesn't work?

Anyone know what Microsoft's best practice is regarding setting up new users
in active directory and wanting the users to choose their own passwords?

Such a powerful server OS but can't do a simple thing like allowing users to
change the password at next logon? There's got to be something I'm missing.

Help?
Post by CraigTin
Users can always change their passwords anytime by using the ctrl-alt-del
key combo. Or you could set the maximum password length to a week then reset
the GPO policy to a longer period after the end of that week.
Unfortunately I've not had any other result with this other than having the
same results as you report.
Cary Shultz [A.D. MVP]
2004-09-22 17:24:41 UTC
I think that the missing part is that there is a GPO that disallows users from
changing their password until prompted by the system to do so. This could be
the reason that they are not able to change their password. Please take a
look at the following MSKB Article:

http://support.microsoft.com/?id=309799

Another possibility is that, as already kinda mentioned, there is a minimum
password age setting that will disable the users' ability to change the
password within that time frame.

HTH,

Cary
Post by Marc
Humm,
This is very strange, why would Microsoft even have this option if it
doesn't work?
Anyone know what Microsoft's best practice is regarding setting up new users
in active directory and wanting the users to choose their own passwords?
Such a powerful server OS but can't do a simple thing like allowing users to
change the password at next logon? There's got to be something I'm missing.
Help?
Post by CraigTin
Users can always change their passwords anytime by using the ctrl-alt-del
key combo. Or you could set the maximum password length to a week then reset
the GPO policy to a longer period after the end of that week.
Unfortunately I've not had any other result with this other than having the
same results as you report.
Marc
2004-09-22 20:16:39 UTC
I took a look at the article you mentioned:
http://support.microsoft.com/?id=309799

But Windows Server 2003 doesn't have this GPO setting; it appears it's
only for Windows 2000 Server.

This DC is a new setup from factory w/ all defaults. I did check the
default domain GPO and the min and max password ages are 1 day and 42 days
respectively.

I've tried everything I can think of to no avail. It really seems to me
that out of the box this should be possible, but I'm thinking that perhaps
it's some small setting that is turned OFF in Server 2003 due to the
secure-by-default idea MS used for 2003.

I thought I was on the right track when I read this:
http://www.jsiinc.com/sube/tip2400/rh2447.htm

But again, this setting wasn't found in Server 2003.

I also thought it was due to restricted anonymous access to an Active
Directory container as found here:

http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/distrib/dsbc_nar_lmxa.asp

But this didn't work either.

So, at this point I'm open for any ideas on how to accomplish the original
task, which was to create users and have them set their own password.
Post by Cary Shultz [A.D. MVP]
I think that the missing part is that there is a GPO that disallows users from
changing their password until prompted by the system to do so. This could be
the reason that they are not able to change their password. Please take a
look at the following MSKB Article:
http://support.microsoft.com/?id=309799
Another possibility is that, as already kinda mentioned, there is a minimum
password age setting that will disable the users' ability to change the
password within that time frame.
HTH,
Cary
Post by Marc
Humm,
This is very strange, why would Microsoft even have this option if it
doesn't work?
Anyone know what Microsoft's best practice is regarding setting up new users
in active directory and wanting the users to choose their own passwords?
Such a powerful server OS but can't do a simple thing like allowing users to
change the password at next logon? There's got to be something I'm missing.
Help?
Post by CraigTin
Users can always change their passwords anytime by using the ctrl-alt-del
key combo. Or you could set the maximum password length to a week then reset
the GPO policy to a longer period after the end of that week.
Unfortunately I've not had any other result with this other than having the
same results as you report.
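The two things this thread keeps circling, creating a batch of users with "User must change password at next logon" already set and checking the domain's minimum and maximum password age, can both be done against the directory directly instead of one account at a time in ADUC. The block below is an added example for this thread, not code from any of the posters or from Microsoft. It is PowerShell over the ADSI COM interfaces (the same IADs calls the VBScript of the Windows 2000/2003 era used, so no AD module is required) and assumes a domain example.local, a target OU OU=Staff,DC=example,DC=local, and the two constructed CSV rows embedded in it; the helper names are this example's own.

```powershell
# Added example for this thread, not code from any of the posters. Uses the
# ADSI COM interfaces, so it works without the ActiveDirectory module.
# Assumptions (adjust for your environment): domain example.local, a target OU
# "OU=Staff,DC=example,DC=local", and the constructed CSV rows below.
$domainDn  = "DC=example,DC=local"
$ouDn      = "OU=Staff,$domainDn"
$upnSuffix = "example.local"

# Constructed sample input; replace with Import-Csv of the real 150-user list.
$newUsers = @"
sAMAccountName,givenName,sn
jdoe,Jane,Doe
bsmith,Bob,Smith
"@ | ConvertFrom-Csv

# Random one-time password that satisfies the default complexity rule (three of
# four character classes); the user replaces it at first logon.
function New-TempPassword {
    param([int]$Length = 16)
    $alphabet = [char[]]'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)
        # Modulo bias is tolerable for a throw-away password, not for long-term secrets.
        $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
    } until ($pw -cmatch '[a-z]' -and $pw -cmatch '[A-Z]' -and $pw -match '[0-9]')
    return $pw
}

# AD stores password ages as negative 100-nanosecond intervals (IADsLargeInteger);
# Int64.MinValue in maxPwdAge means "passwords never expire".
function ConvertTo-Days {
    param($Entry, [string]$Attribute)
    $raw = $Entry.ConvertLargeIntegerToInt64($Entry.Properties[$Attribute].Value)
    if ($raw -eq [Int64]::MinValue) { return 'never' }
    return (-$raw) / 864000000000          # 100-ns ticks per day
}

# Effective domain policy as written onto the domain NC head by the Default
# Domain Policy GPO (the 1 day / 42 days Marc reported live here).
function Get-DomainPasswordAges {
    $domain = [ADSI]"LDAP://$domainDn"
    [pscustomobject]@{
        minPwdAgeDays = ConvertTo-Days $domain 'minPwdAge'
        maxPwdAgeDays = ConvertTo-Days $domain 'maxPwdAge'
        minPwdLength  = $domain.Properties['minPwdLength'].Value
    }
}

function New-MustChangeUser {
    param($Ou, $Row)
    $cn   = "$($Row.givenName) $($Row.sn)"
    $user = $Ou.Create('user', "CN=$cn")
    $user.Put('sAMAccountName',    $Row.sAMAccountName)
    $user.Put('userPrincipalName', "$($Row.sAMAccountName)@$upnSuffix")
    $user.Put('givenName',         $Row.givenName)
    $user.Put('sn',                $Row.sn)
    $user.Put('displayName',       $cn)
    $user.SetInfo()                         # object must exist before SetPassword

    $temp = New-TempPassword
    $user.SetPassword($temp)                # administrative reset; needs Reset Password on the OU
    $user.Put('userAccountControl', 512)    # NORMAL_ACCOUNT, enabled (new objects start disabled)
    $user.Put('pwdLastSet', 0)              # the "User must change password at next logon" box
    $user.SetInfo()

    # Read back what ADUC will show: pwdLastSet of 0 means the flag is set.
    $user.RefreshCache()
    [pscustomobject]@{
        sAMAccountName = $Row.sAMAccountName
        pwdLastSet     = $user.ConvertLargeIntegerToInt64($user.Properties['pwdLastSet'].Value)
        TempPassword   = $temp              # hand over out of band; do not leave this in a log
    }
}

Get-DomainPasswordAges | Format-List
$ou = [ADSI]"LDAP://$ouDn"
$created = foreach ($row in $newUsers) { New-MustChangeUser -Ou $ou -Row $row }
$created | Format-Table -AutoSize
```

The checkbox Marc ticks in ADUC is nothing more than pwdLastSet = 0 on the account, which is what the script writes after the administrative SetPassword, and reading the attribute back after SetInfo confirms the state without opening the console. The account running the script needs only Create Child (user) and Reset Password on the target OU, so the Everyone/Full Control experiment from the first post should be reverted rather than left in place. The password ages are read from the domain naming context head, which is where the Default Domain Policy values end up and therefore what the DC actually enforces, regardless of what any Windows 2000-only GPO setting might suggest.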
CraigTin
2004-09-21 21:13:01 UTC
Users can always change their passwords anytime by using the ctrl-alt-del
key combo. Or you could set the maximum password length to a week then reset
the GPO policy to a longer period after the end of that week.

Unfortunately I’ve not had any other result with this other than having the
same results as you report.
