Computer Help Forums: Re: New users cannot change initial password? - Computer Help Forums

Jump to content


Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

Re: New users cannot change initial password?

#1 Lanwench [MVP - Exchange]

  • Group: Guests

Posted 11 May 2009 - 10:14 AM

Hauke Fath wrote:
> All,
>
> this is definitely an FAQ, it's just that the answers Google provided
> me with don't seem to apply to my problem...
>
> I have a standalone Windows 2003 terminal server here with two dozen
> freshly-created accounts. To make sure people set half decent
> passwords, I ticked "User must change password at next logon".
>
> What happened next is that users were requested to change their
> password, then told
>
> "You do not have permission to change your password."
>
> OTOH, after administrator forces a new password, they can login and
> change their password within the session.
>
> The MS knowledgebase articles that I came across either deal with
> passwords expiring, or older OS versions.
>
> Does anybody have any TS2003 related wisdom to share?
>
> hauke

Can you double check that the users don't also have "user cannot change
password" ticked in their profile properties? I'm setting up my reply to
crosspost to microsoft.public.windows.server.general as your question really
doesn't have anything to do with TS specifically.



#2 Hauke Fath

  • Group: Guests

Posted 12 May 2009 - 04:42 AM

[f'up2 microsoft.public.windows.server.general]

Lanwench [MVP - Exchange]
wrote:

> Hauke Fath wrote:
> > I have a standalone Windows 2003 terminal server here with two dozen
> > freshly-created accounts. To make sure people set half decent
> > passwords, I ticked "User must change password at next logon".
> >
> > What happened next is that users were requested to change their
> > password, then told
> >
> > "You do not have permission to change your password."
> >
> > OTOH, after administrator forces a new password, they can login and
> > change their password within the session.
> >
> > The MS knowledgebase articles that I came across either deal with
> > passwords expiring, or older OS versions.
>
> Can you double check that the users don't also have "user cannot change
> password" ticked in their profile properties?

I checked; they don't (now that would be a lethal combination, wouldn't
it...).

hauke

--
Now without signature.

#3 kj [SBS MVP]

  • Group: Guests

Posted 12 May 2009 - 09:18 AM

What is your password policy for minimum password age? ;-)



Hauke Fath wrote:
> [f'up2 microsoft.public.windows.server.general]
>
> Lanwench [MVP - Exchange]
> wrote:
>
>> Hauke Fath wrote:
>>> I have a standalone Windows 2003 terminal server here with two dozen
>>> freshly-created accounts. To make sure people set half decent
>>> passwords, I ticked "User must change password at next logon".
>>>
>>> What happened next is that users were requested to change their
>>> password, then told
>>>
>>> "You do not have permission to change your password."
>>>
>>> OTOH, after administrator forces a new password, they can login and
>>> change their password within the session.
>>>
>>> The MS knowledgebase articles that I came across either deal with
>>> passwords expiring, or older OS versions.
>>
>> Can you double check that the users don't also have "user cannot
>> change password" ticked in their profile properties?
>
> I checked; they don't (now that would be a lethal combination,
> wouldn't it...).
>
> hauke

--
/kj



#4 Hauke Fath

  • Group: Guests

Posted 12 May 2009 - 10:27 AM

kj [SBS MVP] wrote:

> What is your password policy for minimum password age? ;-)

0 days. :o)

Basically, I stuck with the defaults. Unfortunately, the policy "Allow
users to change password at login dialog" seems to be missing... and I
don't want to baby-sit two dozen users through setting their password -
and making sure they do change an initial password.

hauke



--
Now without signature.

#5 kj [SBS MVP]

  • Group: Guests

Posted 12 May 2009 - 01:35 PM

Hauke Fath wrote:
> kj [SBS MVP] wrote:
>
>> What is your password policy for minimum password age? ;-)
>
> 0 days. :o)
>
> Basically, I stuck with the defaults. Unfortunately, the policy "Allow
> users to change password at login dialog" seems to be missing... and I
> don't want to baby-sit two dozen users through setting their password
> - and making sure they do change an initial password.
>
> hauke

That's a per user object setting not a policy setting. Did you modify any
default security configurations? Are the users in an OU structure or in the
default "users' container?



--
/kj



#6 Hauke Fath

  • Group: Guests

Posted 13 May 2009 - 05:40 AM

kj [SBS MVP] wrote:

> Hauke Fath wrote:
> > Basically, I stuck with the defaults. Unfortunately, the policy "Allow
> > users to change password at login dialog" seems to be missing... and I
> > don't want to baby-sit two dozen users through setting their password
> > - and making sure they do change an initial password.
>
> That's a per user object setting not a policy setting.

Well, as I said, "User cannot change password" is off. And "[Local
Security Settings]::Local Policies::User Rights Assignment" doesn't have
anything related.

What is logged as security event, btw., is "The specified account's
password has expired." Nothing about the failed attempt to set a new
password there.

> Did you modify any default security configurations?

I ran "Administrative Tools::Security Configuration Wizard", yes. I just
reviewed the policy I created, and there's nothing about users and
passwords in it.

> Are the users in an OU structure or in the default "users' container?

They are all local accounts, if that answers your question?

hauke

--
Now without signature.

#7 Hauke Fath

  • Group: Guests

Posted 13 May 2009 - 09:00 AM

Hauke Fath wrote:

> > Did you modify any default security configurations?
>
> I ran "Administrative Tools::Security Configuration Wizard", yes. I just
> reviewed the policy I created, and there's nothing about users and
> passwords in it.

Resolution: In "Local Security Settings::Local Policies::Security
Options", the policy "Accounts: Limit local account use of blank
passwords to console only" was set to "enabled".

The resulting error kind of makes sense, not logging it was less than
helpful. I _thought_ I had tried an account with a pre-set password !=
"", but maybe I didn't.

hauke

--
Now without signature.

#8 kj [SBS MVP]

  • Group: Guests

Posted 13 May 2009 - 09:23 AM

Hauke Fath wrote:
> Hauke Fath wrote:
>
>>> Did you modify any default security configurations?
>>
>> I ran "Administrative Tools::Security Configuration Wizard", yes. I
>> just reviewed the policy I created, and there's nothing about users
>> and passwords in it.
>
> Resolution: In "Local Security Settings::Local Policies::Security
> Options", the policy "Accounts: Limit local account use of blank
> passwords to console only" was set to "enabled".
>
> The resulting error kind of makes sense, not logging it was less than
> helpful. I _thought_ I had tried an account with a pre-set password !=
> "", but maybe I didn't.
>
> hauke

Thanks for posting back your resolution so that others can benefit.

--
/kj



#9 Hauke Fath

  • Group: Guests

Posted 15 May 2009 - 02:41 PM

kj [SBS MVP] wrote:

> Thanks for posting back your resolution so that others can benefit.

Sure - it's the least I can do... this is USENET, after all.

Plus, I may have to comeback with more questions. ;)

hauke

--
Now without signature.


Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users