How can I configure the system to let users change their passwords without logging on to the domain?

John Savill

September 23, 2000

ITPro Today

If you use a password policy in a Windows 2000 domain and you migrated some or all of the users to Active Directory (AD) with the AD Migration tool, users who attempt to change their passwords as soon as they receive the Password Change Notification message might receive the following error message:

You do not have permission to change your password.


However, users who choose not to change their passwords when the Password Change Notification message appears (by clicking No) are logged on with their old passwords and then can change their passwords.

This behavior occurs when the Everyone group hasn't been granted the Change Password right on the user object. Without that right, users can't change their passwords over the null session connection established between the workstation and a domain controller, because the anonymous logon relies on the Everyone group to carry out this action. Instead, an authenticated session is required to change a password (i.e., users must be logged on to change their passwords).

Changing the Permissions in the System

To change the permissions setting for the Everyone group, take the following steps:

  1. Start the AD Users and Computers snap-in (Start, Programs, Administrative Tools, Active Directory Users and Computers).

  2. Select the View menu and enable Advanced Features.

  3. Right-click the container hosting the user object to which you want to grant the Change Password right (e.g., Users), then click Properties.

  4. Select the Security tab. Ensure that the Everyone group is listed in the Name box. If it isn't, click Advanced, then add the Everyone group to the list from the Advanced Access Control Settings dialog box. If the Everyone group is listed, click Advanced.

  5. Click the Everyone group in the list, then click View/Edit to edit the group's permissions. In the Apply Onto box, click User Objects. In the Permissions section, select the Allow check box for "Change Password."

  6. Click OK to accept the changes.
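
The access control entry that steps 1 through 6 create can be checked offline from an object's SDDL string. The following is an added example, not code from the original article: it parses SDDL descriptors and reports whether Everyone holds the Change Password extended right, either directly on a user object or as an entry a container passes down to user objects. The function names, the constructed sample descriptors and the simplified first-match evaluation of Everyone entries only are assumptions of this example.

```python
import re

CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b"  # User-Change-Password extended right
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"       # schemaIDGUID of the user class
EVERYONE = {"WD", "S-1-1-0"}                              # SDDL alias and SID of Everyone

def dacl_aces(sddl):
    """Yield (type, flags, rights, object_guid, inherited_guid, trustee) per DACL ACE."""
    dacl = sddl.partition("D:")[2].partition("S:")[0]     # drop owner/group and SACL
    for body in re.findall(r"\(([^)]*)\)", dacl):
        f = body.split(";")
        yield (f[0], set(re.findall("..", f[1])), set(re.findall("..", f[2])),
               f[3].lower(), f[4].lower(), f[5])

def everyone_can_change_password(sddl, on_container=False):
    """True if the first applicable Everyone ACE allows Change Password.

    on_container=False: sddl is a user object's; inherit-only ACEs are skipped.
    on_container=True: sddl is a container's; only ACEs that child user objects
    inherit count (the "Apply Onto: User Objects" setting in step 5).
    """
    for kind, flags, rights, obj, inherited, trustee in dacl_aces(sddl):
        if trustee not in EVERYONE or not rights & {"CR", "GA"}:
            continue                      # CR = control access (extended rights)
        if obj not in ("", CHANGE_PASSWORD):
            continue                      # a different extended right
        if on_container:
            if "CI" not in flags or inherited not in ("", USER_CLASS):
                continue                  # not passed down to user objects
        elif "IO" in flags:
            continue                      # inherit-only: not effective on this object
        return kind in ("A", "OA")        # a deny (D/OD) listed first wins
    return False

def ace(kind, flags, trustee, inherited=""):
    """Build a Change Password ACE string for the constructed samples below."""
    return f"({kind};{flags};CR;{CHANGE_PASSWORD};{inherited};{trustee})"

# Constructed sample descriptors (not taken from a real domain).
BASE = "O:DAG:DAD:(A;;GA;;;DA)"
MIGRATED_USER = BASE + ace("OA", "", "PS")                        # only SELF holds the right
FIXED_CONTAINER = BASE + ace("OA", "CIIO", "WD", USER_CLASS)      # result of steps 1-6
FIXED_USER = MIGRATED_USER + ace("OA", "ID", "WD")                # ACE inherited by the user
LOCKED_USER = BASE + ace("OD", "", "WD") + ace("OA", "ID", "WD")  # explicit deny comes first

if __name__ == "__main__":
    for name in ("MIGRATED_USER", "FIXED_USER", "LOCKED_USER"):
        print(name, everyone_can_change_password(globals()[name]))
    print("FIXED_CONTAINER", everyone_can_change_password(FIXED_CONTAINER, on_container=True))
```
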
