Client unable to change Windows NT or Windows 2000 password

When a Microsoft Exchange Client or Microsoft Outlook user changes the Windows NT or Windows 2000 password either by clicking Change Password in the Enter Password dialog box or on the Tools menu, clicking Options, on the Security tab, clicking Change Settings, and then clicking Password, one of the following error messages is displayed: NOTE: The error messages begin with "The Windows 2000..." when you change a Windows 2000 password.

The client is not logged on to the domain that the password is changed in, or to a trusted domain. Therefore, the client cannot establish a remote procedure call (RPC) connection to the Local Security Authority (LSA) to change the password.

The following clients have this problem:

• Clients that use the NetWare Client software. For more information about how NetWare Clients change passwords, click the following article number to view the article in the Microsoft Knowledge Base:
  148420  (http://support.microsoft.com/kb/148420/ ) Can't change password on Novell client
• Clients that use Macintosh messaging clients. For more information about how Macintosh messaging clients change passwords, click the following article number to view the article in the Microsoft Knowledge Base:
  156182  (http://support.microsoft.com/kb/156182/ ) Changing Windows NT 4.0 password in Microsoft Exchange
• Clients that use Banyan Vines protocol. For more information about Banyan Vines protocol, click the following article number to view the article in the Microsoft Knowledge Base:
  140641  (http://support.microsoft.com/kb/140641/ ) Updated Samsrv.dll supports AppleTalk and Banyan Vines clients
• Clients that log on to an untrusted Windows NT domain or a workgroup.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
NOTE: Normally, registry entries are not case sensitive. However, these entries are case sensitive. When you add any of these new keys, be sure to match the case exactly.

Add the following registry values to the PDC in a NT Domain or the PDC-Emulator in a Windows 2000 Domain:

1. Start Registry Editor (Regedt32.exe).
2. Under the HKEY_LOCAL_MACHINE subtree, go to the following subkey:
   SYSTEM\CurrentControlSet\Control\LSA
3. If you are using Windows NT, on the Edit menu, click Add Value.
   
   Note If you are using Windows 2000, on the Edit menu, point to New, and then click DWORD Value.
4. Add one of the following values, depending on which protocol is shared between the clients and the PDC:
   NetWareClientSupport
   
   TCPIPClientSupport
   
   VinesClientSupport
   
   AppletalkClientSupport
5. If you are using Windows NT, in the Data Type field, select REG_DWORD, and then click OK.
6. In the DWORD editor, in the Data field, type 1.
7. Click OK. The new value appears.
8. You must restart the PDC for the changes to take effect.

When an Outlook client changes a Windows NT or a Windows 2000 password, the client asks the Exchange Server computer for the name of the PDC in a NT 4.0 domain or the PDC-Emulator in a Windows 2000 domain. The client then establishes an RPC connection with the LSA on the PDC or PDC-Emulator.

To locate the server running the PDC-Emulator role use the NETDOM tool from the Windows Support tools on the Windows 2000 Server CD and execute the following command. Note the server name listed next to the line labeled PDC Role will be the server to get the registry values added.

The LSA, by default, has no endpoint mapped for TCP/IP, IPX/SPX, AppleTalk, or Banyan Vines. It does not have this problem with named pipes. Clients that log on to the same domain as the PDC have no problem making a named pipes connection and changing their passwords.

This registry change mentioned in the "Resolution" section of this article should be made on the server running the PDC-Emulator role in a Windows 2000 Domain. If the Role of the PDC-Emulator moves to another Domain Controller in the Windows 2000 Domain, the registry on the new Domain Controller will need to be updated with the registry change.