User cannot change password option is automatically getting unchecked while giving domain admin rights

Similar Messages

• How to set "User cannot change password" on W2K accounts.

  Hi gurus,
  I need to set (from create user form) "User cannot change password" on W2K accounts.
  I was expected that some value of userAccountControl attribute on AD could do the job, but I realized that it is not so (look also to http://forum.java.sun.com/thread.jspa?threadID=593193&messageID=3108889).
  Thanks for any suggestion.

  Yeah thats right, I have implemented the same using nTSecurityDescriptor attribute

• Migrating from server 2003R2 to 2008R2 User cannot change password box unchecks after being checked.

  After Migrating the domain controller from server 2003 R2 to 2008 R2 the check box for users cannot change password wont stay checked. This is happening to ALL users and no they are not a member of any Protected Groups. I have searched for a solution
  for months but cant not find.
  And now after migrating the exchange 2003 to 2010 I have to keep applying the inherited permissions every hour until a user finally makes an active sync.
  Now having more AD issues, cant remove users from Exchange 2010...And again have to go to the DC and applying the inherited permissions, then I can remove the user.
  I really need help with this...
  John

  Hi,
  Did you use the migration tools to do the user migration?
  Permissions on a user that is migrated from an Active Directory domain are reset to default values during migration.
  I think this is by design:
  http://technet.microsoft.com/en-us/library/cc974359(v=ws.10).aspx
  Regards.
  Vivian Wang

• 2012 R2 RD Session Host Domain Users Cannot Change Password

  I set up a Windows 2012 R2 Session Host as per
  http://support.microsoft.com/kb/2833839 and joined it to the domain.  Now, users are unable to change their password. When they log in to the RDSH and "ctrl-del-end", they are given the change password dialog, but they are told that
  their password "doesn't meet complexity requirements" even if it does.  I suspect the issue is related to the fact that there is no "session collection" per se and that the "connection broker" role is not installed. 
  Is there any way around this?  The end game would be to have them log into this RDSH and be able to change their password to conform with the domain password policy
  PaulK

  Hi Paulk,
  Did you mean that all users cannot change passwords? Based on my experience, this issue was not related ro the RD connection broker role.
  Please check the password policy in group policy of the domain to see if any password policy caused this issue:
  Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
  For more information, you can refer to the link below:
  https://technet.microsoft.com/en-us/library/hh994572(v=ws.10).aspx
  Best regards,
  Susie
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• User cannot change password

  Users can log on fine to the 10.4 server (new install) from 9.2 clients with their current passwords, but if they try to change their password they get the following error:
  "unknown user, incorrect password or log on is disabled"
  BTW, logins are not disabled obviously
  ideas? Thanks, Tom

  Hi,
  just for your information: Re: Change password on the first use - does not work

• Users Cannot Change Passwords on a Server 2012 R2 RDS Farm

  Hello I have a Server 2012 R2 RDS Farm consisting of 1 server that has connection broker and gateway configured and 4 RDS Session Hosts. The works great I even have a separate remote app farm to distribute the apps to the servers, my main issue is passwords
  and the lack of the EU ability to change these, listed below are my symptoms.
  Users password has expired denied logon instantly with no ability to change password.
  User tries to change password whilst in 30 day warning period using ctrl alt end the user is advised the password does not meet complexity requirements I have checked this and they do meet them.
  Expired passwords can be changed via the RDWeb site however this is not an option for us.
  Chris

  Hi,
  Firstly, based on my knowledge, remote users may have to change their passwords before expired. If not, they have to use OWA or logon on locally to change their passwords.
  Regarding the issue, please let us know if the following policies are enabled in your domain.
  Enforce password history
  Minimum password age
  Also, does a local domain user have the same issue?
  Thanks.
  Jeremy Wu
  TechNet Community Support

• Lion Server: Users Cannot Change Password

  I'm not sure how long this has been the case, as we don't have a ton of users. We recently added a new user, and directed her to our website to change her password (the only service she needs is email), and she gets a window that clearly is not being presented correctly from the server. When you look at the screen, you see that the window title and fields for the user to enter their current name and password list what looks like programming references rather than user-friendly titles.
  Even if you enter information and click the button, it gives you the error about the password server not being reached.
  Has anyone seen similar issues to this?
  Thanks in advance!

  isolate it further.
  does this occur for this user only? (test other users)
  add a new user to see if its related only to newer users
  verify your dns, what are the results of the following form terminal: sudo changeip -checkhostname"
  Jeff

• Exchange 2010 user cannot change password from OWA

  My users are not able to change their own email password from owa. But we can change the passwords from ECP or from the server without any issue. What could be the issue ?
  Biju Rajan

  Check the regional date and time is set for user OWA...Follow the below steps
  On the Client Access Server (CAS), click Start > Run and type
  regedit.exe and click OK.
  Navigate to HKLM\SYSTEM\CurrentControlSet\Services\MSExchange OWA.
  Right click the MSExchange OWA key and click New >
  DWord (32-bit).
  The DWORD value name is ChangeExpiredPasswordEnabled and set the value to
  1.
  Note: The values accepted are 1 (or any non-zero value) for "Enabled" or 0 or blank / not present for "Disabled"
  After you configure this DWORD value, you must reset IIS. The recommended method to reset IIS is to use
  IISReset /noforce from a command prompt.
  Ref:http://blogs.technet.com/b/exchange/archive/2010/10/06/3411240.aspx
  Exchange Queries

• Windows 8.1 cannot change password in Windows 2003 domain level domain

  On several installations of windows 8.1 enterprise, users cannot change passwords by using <ctrl> + <al> + <del> keys and choosing change password. 
  The error is: "The security database on the server does not have a computer account for this workstation trust relationship"
  Fresh Windows 8.1 enterprise installs with no patches to fully patched windows 8.1 enterprise workstations have the problem.  Backed out patches one by one and tested password change without success.  Tried various dell laptops, tablets, and workstations
  but same issue.  Tried VMware guest workstation with windows 8.1 enterprise.  The domain functional level is 2003 with a mixture of Windows 2008 R2 DC's and Windows 2003 DC's.
  The add/remove from domain did not help.  What troubleshooting steps should I take from this point?  Is this related to secure channel failures?  Note: did not find event log entries for the failures in the DC's nor on the workstation. 
  Perhaps I did not search  for the proper entry on the DC's.

  Hi,
  Please find below several possible cause of error “The security database on the server does
  not have a computer account for this workstation trust relationship”
  Secure channel is broken (Can fix by rejoin problematic client to domain)
  AD replication issue. The computer account exists on one domain controller but not others.
  Duplicated SPN (seems not possible)
  So, to narrow down the issue, you need to make sure the AD replication is working fine. Please run command
  repadmin /showrepl * on a DC, then post the result here.
  After that, please run
  set l on a problematic client, then post the result here.
  Moreover, please check on system event log and check if there have any related error of the issue.
  Thanks.

• ISE 1.2 Guest portal user cannot change their passwords

  I have a WLC 5508(version 7.6) and a server installed  the ISE (version 1.2.1.198)，Now we configured the CWA，Use guest portal as an employee and guest login url，We can use the manually create internal user and password successfully logged in, and we set up allow guest users to change password in Multi-Portal, but the user can not change the password in the guest portal ,I suspect the change password option on the Guest  Portal actually works? Can anyone tell me how to change their own username password in the guest portal ?

  Requiring Guests to Change Password
  You can allow or require guest users to change their password after their initial account credentials are created by the sponsor. If guest users change their passwords, sponsors cannot provide guests with their login credentials if they are lost. The sponsor must create a new guest account.
  You can either allow guests to change their passwords, or you can require that they do it at expiration and at first login. To require internal users using a guest portal to change their password upon their next login, choose Administration > Identity Management > Identities > Users . Select the specific internal user from the Network Access Users list and enable the change password check box.
  Before You Begin
  Create a Guest portal or modify the DefaultGuestPortal. This setting is specific to each Guest portal.
  Step 1 Choose Administration > Web Portal Management > Settings > Guest > Multi-Portal Configuration.
  Step 2 Check the Guest portal to update and click Edit .
  Step 3 Click the Operations tab.
  Step 4 Check either or both options:
  Allow guest users to change password
  Require guest users to change password at expiration and first login
  Step 5 Click Save .

• TMG 2010 publishing Exchange 2010 OWA cannot change password if user must change password at first logon is set

  Hi,
   I have an odd issue whereby if I set "user must change password" on an AD account, the end user cannot logon, they're simply taken back to the OWA login page as if their password is incorrect.
  My setup is as follows:
  outer TMG -- uses a listener for email.contoso.com and is configured for no authentication.This uses a publishing rule to publish the inner TMG server. This server is not a domain member.
  inner TMG - uses a listener for email.contoso.com and is configured for NLTM\kerberos negotiation with forms authentication (Windows Active Directory). This server is a domain member and use a publishing rule to publish the internal CAS. Allow users to change
  password is selected in the publishing rules.
  Exchange 2010 SP1 - uses integrated windows and basic authentication. Has the appropriate registry key configured to allow users to change their AD password on first logon.
  I've registered an snp for "http/email.contoso.com mailserver-dc1", all SSL certificates being used are valid and my configuration used to allow users to login and change their password with "user must change password on first login"
  set in AD.
  If I launch a web browser on an internal server and point it to email.contoso.com I'm immediately presented with a generic Windows authentication request (similar to what's seen in ADFS) rather than the standard OWA page. No matter what I do, I cannot login
  and change my password using the correct URL. However if I point my browser at
  http://192.168.4.10/owa I'm prompted to login and I can change my password using the sam credentials.
  The only recent changes made are:
  - Disabling SSL 3.0 and enabling TLS  (http://www.isaserver.org/articles-tutorials/configuration-security/improving-ssl-security-forefront-threat-management-gateway-tmg-2010-published-web-sites.html)
  - Replacing the TMG listener certificates so that they now use SHA2 rather than SHA2 (certificates are trusted on each TMG server)
  Looking on the outer TMG and the DC logs I can see schannel errors which I believe are related to the problem. TMG monitoring also shows "Failed connection attempt: 1907 The user'spassword must be changed before logging on for the first time"
  I've checked that my inner TMG and DC are using the same certificate for server authentication and gone through this guide:
  http://blogs.technet.com/b/keithab/archive/2012/02/29/setting-up-and-troubleshooting-ldaps-authentication-in-forefront-tmg-2010.aspx
  If I try to use ldp.exe on the inner TMG, I get the error in the pic below
  Thanks
  IT Support/Everything

  Hi,
  You could try to analyze the TMG tracing and try the troubleshoot steps in the blog below.
  TMG 2010 – FBA, troubleshooting the change password feature 
  http://blogs.technet.com/b/isablog/archive/2012/05/07/tmg-2010-fba-troubleshooting-the-change-password-feature.aspx
  Best Regards,
  Joyce

• User cannot change expired password at logon

  Hi
  I've got 4 Fujitsu laptop with Windows 7 business SP1 x64 (Fujitsu setup). When the domain password expired, users cannot change their password at logon. Also, they can change password in their opened session before it expire (CTRL+ALT+DEL ==>
  change password).
  The change password at logon windows is buggy : It only display one field to put password in, the confirmation field does not display.
  When user valid is change, Windows display error "wrong username or password ". Only way to unlock this situation is to reset user password in ADUC and never let expire.
  I seen no sofware or driver wich could interfe.
  Domain controler (only one) is Windows server 2012 standard.
  Has somebody ever seen this type of problem ?

  Hi,
  Can you post a screenshot for this situation?
  Sometimes, the third party credential provider would lead to some issue like this, I suggest you check the
   current credential provider via the following path:
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\x\LastLoggedOnProvider
  You should compare the result with the values in the following path:
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\credential providers
  If the current value is third party credential provider, try to disable it:
  To disable the provider add a REG_DWORD value "Disabled"=1 to that provider’s CLSID subkey.
  The provider will be disabled on the next session creation (sessions are created when you log off, switch users, or reboot.
  If you have any feedback on our support, please click
  here
  Alex Zhao
  TechNet Community Support

• After joining computer to the windows doamin i cannot change password for Mac for the domain user

  After joining computer to the windows doamin i cannot change password for Mac for the domain user

  Hi,
  Did this problem occures after installed Windows 8.1 Update 1? Here is another thread that had similar problem. Also I don't think this problem relate with Domain. Please refer to the solution of the thread below for reference, If there is any
  progress, please let us know.
  http://social.technet.microsoft.com/Forums/en-US/08993680-b6f5-4e80-b031-d32fec97d682/not-able-to-right-click-on-tiles-after-81-update?forum=w8itproge
  Roger Lu
  TechNet Community Support

• RSOP: Interactive logon: Prompt user to change password before expiration

  Hi,
  I am trying to implement a GPO so that users are prompted to change their password 5 days before it expires. I have done this via -
  Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Enabled
  Interactive Logon: Prompt user to change password before expiration
  Despite doing the above the GPO does not seem to be taking effect. I have run RSOP on my machine and a few users machines and can see that there is a red circle with an X next to
  Interactive Logon: Prompt user to change password before expiration.
  Below is my winlogon.log file but I am not really sure what I am supposed to be looking for. Can anyone help?
  Make a local copy of \\**************.co.uk\sysvol\**************.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
  GPLinkSite GPO_INFO_FLAG_BACKGROUND )
  Make a local copy of \\**************.co.uk\sysvol\**************.co.uk\Policies\{91EDC47D-AACF-4DFE-B044-5D29500CECBE}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
  GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
  Make a local copy of \\**************.co.uk\SysVol\**************.co.uk\Policies\{DDE2DDB7-9802-415B-819E-1ADA496DC3E6}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
  GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
  Make a local copy of \\**************.co.uk\sysvol\**************.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
  GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
  Make a local copy of \\**************.co.uk\SysVol\**************.co.uk\Policies\{6422C1A4-D958-4F4B-A8AA-EBACC567BD19}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
  GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
  No template is defined in GPO \\**************.co.uk\SysVol\**************.co.uk\Policies\{43F654AA-56D5-4F2C-B357-1AFEE03D37F2}\Machine.
  Process GP template gpt00000.inf.
  This is not the last GPO.
  08 March 2015 23:06:35
  Copy undo values to the merged policy.
  ----Un-initialize configuration engine...
  Process GP template gpt00001.dom.
  This is not the last GPO.
  08 March 2015 23:06:36
  ----Un-initialize configuration engine...
  Process GP template gpt00002.dom.
  This is not the last GPO.
  08 March 2015 23:06:36
  ----Un-initialize configuration engine...
  Process GP template gpt00003.dom.
  This is not the last GPO.
  08 March 2015 23:06:36
  ----Un-initialize configuration engine...
  Process GP template gpt00004.inf.
  08 March 2015 23:06:36
  ----Configuration engine was initialized successfully.----
  ----Reading Configuration Template info...
  ----Configure User Rights...
  Configure S-1-5-32-544.
  Configure S-1-5-21-778002760-1239436532-1307212239-1002.
  Configure S-1-5-21-778002760-1239436532-1307212239-1016.
  Configure S-1-5-21-778002760-1239436532-1307212239-4078.
  Configure S-1-5-21-778002760-1239436532-1307212239-512.
  Configure S-1-5-21-778002760-1239436532-1307212239-500.
  Configure S-1-5-21-778002760-1239436532-1307212239-513.
  User Rights configuration was completed successfully.
  ----Configure Group Membership...
  Configure **************\Local Admins for Users.
  old memberof tattoo list: *S-1-5-32-555,*S-1-5-32-544,
  object already member of Administrators.
  object already member of Remote Desktop Users.
  new memberof tattoo list: *S-1-5-32-555,*S-1-5-32-544,
  Group Membership configuration was completed successfully.
  ----Configure Security Policy...
  Configure password information.
  Configure account force logoff information.
  System Access configuration was completed successfully.
  Configure machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning.
  Configure machine\software\microsoft\windows\currentversion\policies\system\enableinstallerdetection.
  Configuration of Registry Values was completed successfully.
  Audit/Log configuration was completed successfully.
  ----Configure available attachment engines...
  Configuration of attachment engines was completed successfully.
  ----Un-initialize configuration engine...
  this is the last GPO.
  Make a local copy of \\**************.co.uk\sysvol\**************.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
  GPLinkSite GPO_INFO_FLAG_BACKGROUND )
  Make a local copy of \\**************.co.uk\sysvol\**************.co.uk\Policies\{91EDC47D-AACF-4DFE-B044-5D29500CECBE}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
  GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
  Make a local copy of \\**************.co.uk\SysVol\**************.co.uk\Policies\{DDE2DDB7-9802-415B-819E-1ADA496DC3E6}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
  GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
  Make a local copy of \\**************.co.uk\sysvol\**************.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
  GPLinkDomain GPO_INFO_FLAG_BACKGROUND )
  Make a local copy of \\**************.co.uk\SysVol\**************.co.uk\Policies\{6422C1A4-D958-4F4B-A8AA-EBACC567BD19}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
  GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )
  No template is defined in GPO \\**************.co.uk\SysVol\**************.co.uk\Policies\{43F654AA-56D5-4F2C-B357-1AFEE03D37F2}\Machine.
  Process GP template gpt00000.inf.
  This is not the last GPO.
  09 March 2015 16:26:51
  Copy undo values to the merged policy.
  ----Un-initialize configuration engine...
  Process GP template gpt00001.dom.
  This is not the last GPO.
  09 March 2015 16:26:51
  ----Un-initialize configuration engine...
  Process GP template gpt00002.dom.
  This is not the last GPO.
  09 March 2015 16:26:51
  ----Un-initialize configuration engine...
  Process GP template gpt00003.dom.
  This is not the last GPO.
  09 March 2015 16:26:51
  ----Un-initialize configuration engine...
  Process GP template gpt00004.inf.
  09 March 2015 16:26:51
  ----Configuration engine was initialized successfully.----
  ----Reading Configuration Template info...
  ----Configure User Rights...
  Configure S-1-5-32-544.
  Configure S-1-5-21-778002760-1239436532-1307212239-1002.
  Configure S-1-5-21-778002760-1239436532-1307212239-1016.
  Configure S-1-5-21-778002760-1239436532-1307212239-4078.
  Configure S-1-5-21-778002760-1239436532-1307212239-512.
  Configure S-1-5-21-778002760-1239436532-1307212239-500.
  Configure S-1-5-21-778002760-1239436532-1307212239-513.
  User Rights configuration was completed successfully.
  ----Configure Group Membership...
  Configure **************\Local Admins for Users.
  old memberof tattoo list: *S-1-5-32-555,*S-1-5-32-544,
  object already member of Administrators.
  object already member of Remote Desktop Users.
  new memberof tattoo list: *S-1-5-32-555,*S-1-5-32-544,
  Group Membership configuration was completed successfully.
  ----Configure Security Policy...
  Configure password information.
  Configure account force logoff information.
  System Access configuration was completed successfully.
  Configure machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning.
  Configure machine\software\microsoft\windows\currentversion\policies\system\enableinstallerdetection.
  Configuration of Registry Values was completed successfully.
  Audit/Log configuration was completed successfully.
  ----Configure available attachment engines...
  Configuration of attachment engines was completed successfully.
  ----Un-initialize configuration engine...
  this is the last GPO.
  Jeet S

  ******UPDATE******
  I think I have managed to get this working. I changed the source of the policy to a different GPO. I then did the following -
  From a command prompt run gpupdate (without the force parameter)
  Ran rsop.msc and checked the policy and this time there was no red circle with an X
  Have done the same on a few users machines and it appears to apply successfully. I say this because when you go into the properties for the policy you see the following -
  The policy XYZ was correctly applied
  Just have to wait and see if it actually does what it says on the can.
  Jeet S

• Windows 2008 Terminal Server "user must change password at next logon" problem with Windows 7 client.

  Hi,
  I have a fully patched Windows 2008 SP2 Terminal Server and a fully patched Windows 7 client.
  I have logged into the Windows 2008 SP2 Terminal Server server with a test account via RDC before.
  When I try to log in via RDC to the 2008 TS with a test account which has been marked with the setting "User must change password at next logon" I get the RDC message "You must change your password before logging on the first time.  For assistance, contact your system administrator or technical support."  I need to force the user to change their password once it has been issued, any ideas on how this can be done?
  Thanks,
  Dan

  This does not resolve my issue all the way. I'm having the same problem; When i'm "deploying" users, i always want the users to set their own passwords. Ok, so I then set the auth mode to "RDP Security layer". It seemed to work fine, and it does for that
  special purpose.
  Just like Daniel, my clients are connecting to our terminal server from several/different "customer-domains" So, they can't logon locally(on their local computer) and change their password, it has to be done THROUGH the terminal server.
  But if I turn on RDP Security Layer, users can't use remoteapp through tsgw they only get: "Your Remote Desktop Connection Failed because the remote computer cannot be authenticated" Any ideas?
  Also, our terminal servers is round robin based in a farm. So users connect to: tsfarm.domain.com(yes, public a-record which resolves to two internal adresses) This is because, we're using a wilcard *.domain.com as SSL certificate.
  But, when i'm using this, our clients sometimes get double auth when they login. I only get the double auth when tsfarm.domain.com resolves to server A, but the session broker wants the user to be on server B.(load balancing)
  This does not occur when SSL is enforced, any ideas?