NT Gatekeeper: Conflicting Password-Change Options

Recently some of my users got the error message "You do not have permission to change your password." The only account that was capable of changing their password was the Administrator account. What causes this error message? What must we do to get rid of similar messages in the future?

Windows NT 4.0 displays this error message if both of the following items are selected in the User Manager for Domains utility: "User Must Change Password at Next Logon" in the user account properties and "User must log on in order to change password" in the account policies. The administrator can resolve the problem by resetting the user account's password or by clearing the "User must log on in order to change password" option. By default, NT Server 4.0 doesn't have the "User must log on in order to change password" option selected.

The "User must log on in order to change password" option is poorly named. It actually means that users with expired passwords can't log on at all and that only an administrator can reset their password. If you don't select the option, users can still log on with their expired password, but NT immediately forces them to change it before they can continue. A better name for the option would have been "Fail authentication if password expired."

Administrators typically use the "User Must Change Password at Next Logon" option to force users to change their password when they use their account for the first time. This option conflicts with the "User must log on in order to change password" option because, as I explained above, "User must log on in order to change password" requires an administrator to reset the password, so a new user whose password is flagged for change can never complete the logon. Consider it a best practice to never combine both options.
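The interaction the column describes can be modelled and checked in a few lines. The following is an added example, not part of the original column: it audits a list of constructed accounts against a domain policy and reports which users will be locked out at their next logon. It assumes two representations that the column itself does not state: that the domain-wide "User must log on in order to change password" option corresponds to the DOMAIN_PASSWORD_NO_ANON_CHANGE bit (0x2) of the SAM domain password properties, and that "User Must Change Password at Next Logon" is recorded, as Active Directory does, as a pwdLastSet value of 0. The account names, timestamps and the 42-day maximum password age are constructed sample data.

```python
"""Model of NT-style password-change outcomes (added example, not the column's own code).

Assumptions not stated in the column: the domain option "User must log on in order to
change password" is the DOMAIN_PASSWORD_NO_ANON_CHANGE bit (0x2) of the SAM domain
password properties; "User Must Change Password at Next Logon" is pwdLastSet == 0;
a never-expiring password is userAccountControl bit 0x10000. All account data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DOMAIN_PASSWORD_NO_ANON_CHANGE = 0x2   # "User must log on in order to change password"
UF_DONT_EXPIRE_PASSWD = 0x10000        # password never expires
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100-ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


@dataclass
class Account:
    name: str
    pwd_last_set: int       # FILETIME; 0 means "User Must Change Password at Next Logon"
    uac: int = 0x200        # NORMAL_ACCOUNT


def password_state(acct: Account, max_pwd_age: timedelta, now: datetime) -> str:
    """One of 'must-change', 'expired' or 'ok'."""
    if acct.pwd_last_set == 0:
        return "must-change"
    if acct.uac & UF_DONT_EXPIRE_PASSWD:
        return "ok"
    if now - filetime_to_datetime(acct.pwd_last_set) > max_pwd_age:
        return "expired"
    return "ok"


def logon_outcome(state: str, pwd_properties: int) -> str:
    """What the user experiences at the next logon, following the column's description."""
    if state == "ok":
        return "logon-ok"
    # Password must be changed: with the domain option set, authentication fails and only
    # an administrator can reset it; without it, NT lets the user in and forces a change.
    if pwd_properties & DOMAIN_PASSWORD_NO_ANON_CHANGE:
        return "logon-denied-admin-reset-required"
    return "logon-ok-forced-change"


def audit(accounts, pwd_properties: int, max_pwd_age: timedelta, now: datetime) -> dict:
    return {a.name: logon_outcome(password_state(a, max_pwd_age, now), pwd_properties)
            for a in accounts}


def conflicting_accounts(accounts, pwd_properties: int) -> list:
    """Accounts where both options the column says never to combine are in effect."""
    if not pwd_properties & DOMAIN_PASSWORD_NO_ANON_CHANGE:
        return []
    return [a.name for a in accounts if a.pwd_last_set == 0]


# Constructed sample data: NT's default maximum password age is 42 days.
NOW = datetime(2000, 1, 1, tzinfo=timezone.utc)
MAX_PWD_AGE = timedelta(days=42)
ACCOUNTS = [
    Account("newhire", 0),                                                    # must change at next logon
    Account("stale", datetime_to_filetime(NOW - timedelta(days=60))),        # expired
    Account("fresh", datetime_to_filetime(NOW - timedelta(days=5))),         # current
    Account("svc", datetime_to_filetime(NOW - timedelta(days=400)), 0x200 | UF_DONT_EXPIRE_PASSWD),
]
STRICT_POLICY = DOMAIN_PASSWORD_NO_ANON_CHANGE   # option selected
DEFAULT_POLICY = 0                               # NT Server 4.0 default: option cleared

AUDIT_STRICT = audit(ACCOUNTS, STRICT_POLICY, MAX_PWD_AGE, NOW)
AUDIT_DEFAULT = audit(ACCOUNTS, DEFAULT_POLICY, MAX_PWD_AGE, NOW)

if __name__ == "__main__":
    for name, outcome in AUDIT_STRICT.items():
        print(f"[option selected] {name:8s} -> {outcome}")
    for name, outcome in AUDIT_DEFAULT.items():
        print(f"[option cleared ] {name:8s} -> {outcome}")
    print("conflicting accounts:", conflicting_accounts(ACCOUNTS, STRICT_POLICY))
```

Running it with the option selected shows both the new hire and the user with an expired password denied at logon and dependent on an administrator reset; with the option cleared, the same two users log on and are forced through a password change, which is the behaviour the column recommends. The conflict check is the pre-flight test to run before flagging new accounts for a password change.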
