Symptoms
You have a Windows Server 2008 R2-based computer that is not a member of a domain. An administrator of the server creates a new user who is also an administrator, sets a password for the new user, and selects the option to require a password change at the next logon. When the new user connects to the server through Remote Desktop Protocol (RDP) for the first logon, he or she is prompted to enter a new password. When the user types the new password and tries to continue, he or she receives the following error message:
Not enough storage is available to process this command.
The password is not changed, and the user receives the same error message when he or she tries to log on again.
Cause
This issue occurs because the RPC runtime receives an error.
Specifically, the scenario that occurs is as follows:
The Local Security Authority (LSA) runs the password change request under an anonymous access token. This occurs because the password is not valid and the user is therefore not authenticated. Using this token, the password change request is passed to the local Security Accounts Manager (SAM) through RPC. (RPC is used because the request might also be sent remotely at this point.) The RPC runtime reads a system policy to determine the correct configuration. (The configuration is "Server2003NegotiateDisable" in the key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc".)
In this scenario, the RPC runtime receives error 5 "ACCESS_DENIED" for this request and maps it to RPC error 15 "RPC_S_OUT_OF_MEMORY".
Resolution
To resolve this issue, use one of the following methods:
- Use the facility to remotely change the password of a user to set the password before he or she connects through RDS.
- Change the permissions on the following registry key to grant read access to ANONYMOUS LOGON, and let that permission be inherited down the registry tree: HKEY_LOCAL_MACHINE\SOFTWARE\Policies
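One way to check whether the second method is in effect on a server, as an added PowerShell example that is not part of the original article: it reports whether ANONYMOUS LOGON can read the Policies key and the Rpc policy key named under Cause, and applies the inherited read permission only when run with `-Grant`. The `-Grant` switch and the `Test-AnonymousRead` helper are names made up for this example, and the check considers only access control entries that name ANONYMOUS LOGON directly.

```powershell
# Added example (not from the original article). Run from an elevated prompt.
param([switch]$Grant)   # hypothetical switch: apply the change instead of only reporting

$policyRoot = 'HKLM:\SOFTWARE\Policies'
$rpcKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
# S-1-5-7 is the well-known SID for ANONYMOUS LOGON; the SID avoids localized names.
$anon = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-7'
$read = [System.Security.AccessControl.RegistryRights]::ReadKey
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# Hypothetical helper: $true/$false for read access granted by ACEs that name
# ANONYMOUS LOGON directly, or $null when the key does not exist.
function Test-AnonymousRead {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return $null }
    $rules = (Get-Acl -Path $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    $allowed = $false
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -ne $anon.Value) { continue }
        # Inherit-only ACEs affect subkeys, not this key.
        if (($r.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        $overlap = $r.RegistryRights -band $read
        if ($r.AccessControlType -eq 'Deny' -and $overlap -ne 0) { return $false }
        if ($r.AccessControlType -eq 'Allow' -and $overlap -eq $read) { $allowed = $true }
    }
    return $allowed
}

if ($Grant) {
    # Read access on the key, inherited by all subkeys (ContainerInherit).
    $acl  = Get-Acl -Path $policyRoot
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $anon, $read,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $policyRoot -AclObject $acl
}

# Report both the key that was changed and the key the RPC runtime reads; a
# subkey with inheritance disabled will not pick up the new ACE.
foreach ($key in $policyRoot, $rpcKey) {
    $state = Test-AnonymousRead -Path $key
    if ($null -eq $state) { $state = 'key not present' }
    '{0,-55} ANONYMOUS LOGON read: {1}' -f $key, $state
}
```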