JSI Tip 3711. Some users can't change their password without logging onto the Windows 2000 domain?

Jerold Schulman

May 20, 2001


When some users receive the "Password Change Notification" message, they are unable to change their password without first logging on to the domain. When they try to change their password, they receive:

You do not have permission to change your password.

Other users can change their password in response to the "Password Change Notification" message, prior to logging on.

This problem is generally due to the Everyone group not being granted the Change Password right on the user's OU or the Users object.

NOTE: When the Everyone group has the Change Password right, users and computers are able to change their password without first being authenticated. Security is preserved during this null session (anonymous) logon because the old password must be presented.

To resolve the problem:

01. Start the Active Directory Users and Computers snap-in.

02. Select the domain object.

03. On the View menu, check Advanced Features.

04. Right-click the container that hosts the user object to which you wish to grant the Change Password right. This could be the OU or Users. Press Properties.

05. Select the Security tab.

06. If Everyone is NOT listed in the Name box, press Advanced and Add the Everyone group. If Everyone is listed, just press Advanced.

07. In the Access Control Settings for Users, select Everyone and press View/Edit.

08. Select User Objects in the Apply Onto drop-down box.

09. Check the Allow box on the Change Password line.

10. Press OK.
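
A read-only check for the result of the steps above, as an added example that is not part of the original tip: it inspects a container's DACL in SDDL form for an ACE that grants Everyone the Change Password control access right and is inherited by user objects. The function name and the sample SDDL strings are assumptions constructed for illustration; the two GUIDs are the standard identifiers of the Change Password right and the user class.

```powershell
using namespace System.Security.AccessControl

# Added example, not from the original tip. Requires Windows PowerShell 5 or later.
$ChangePassword = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'  # Change Password control access right
$UserClass      = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the user class
$ControlAccess  = 0x100                                          # ADS_RIGHT_DS_CONTROL_ACCESS ("CR" in SDDL)

# Hypothetical helper: returns 'Allow', 'Deny' or 'Missing' for a container's SDDL.
function Get-EveryoneChangePasswordState {
    param([Parameter(Mandatory)][string]$Sddl)

    $sd    = New-Object RawSecurityDescriptor -ArgumentList $Sddl
    $state = 'Missing'
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [ObjectAce])                          { continue }
        if ($ace.SecurityIdentifier.Value -ne 'S-1-1-0')      { continue }  # Everyone
        if (($ace.AccessMask -band $ControlAccess) -eq 0)     { continue }
        # The ACE must propagate from the container to its child objects.
        if (-not $ace.AceFlags.HasFlag([AceFlags]::ContainerInherit)) { continue }

        $flags = $ace.ObjectAceFlags
        # No object type present means the ACE covers every control access right.
        $rightMatches = (-not $flags.HasFlag([ObjectAceFlags]::ObjectAceTypePresent)) -or
                        ($ace.ObjectAceType -eq $ChangePassword)
        # No inherited object type present means the ACE applies to every child class.
        $classMatches = (-not $flags.HasFlag([ObjectAceFlags]::InheritedObjectAceTypePresent)) -or
                        ($ace.InheritedObjectAceType -eq $UserClass)
        if (-not ($rightMatches -and $classMatches)) { continue }

        # A matching deny ACE overrides any allow, so report it immediately.
        if ($ace.AceQualifier -eq [AceQualifier]::AccessDenied)  { return 'Deny' }
        if ($ace.AceQualifier -eq [AceQualifier]::AccessAllowed) { $state = 'Allow' }
    }
    return $state
}

# Constructed sample DACLs (not taken from a real domain).
$withAce    = 'D:(A;;GA;;;SY)(OA;CIIO;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;bf967aba-0de6-11d0-a285-00aa003049e2;WD)'
$withoutAce = 'D:(A;;GA;;;SY)(A;CI;LCRPRC;;;AU)'

Get-EveryoneChangePasswordState -Sddl $withAce
Get-EveryoneChangePasswordState -Sddl $withoutAce

# Against a live domain (assumes the ActiveDirectory module and its AD: drive;
# the distinguished name is a placeholder):
#   Get-EveryoneChangePasswordState -Sddl (Get-Acl 'AD:\<DN of the OU or Users container>').Sddl
```

The check only reads the security descriptor, so it can be run across every OU to find the containers where the symptom described in this tip would appear.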



