"You do not have permission to change your password" error message
Rory McCaw MVP
COMMUNITY SOLUTIONS CONTENT DISCLAIMER
MICROSOFT CORPORATION AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, OR ACCURACY OF THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN. ALL SUCH INFORMATION AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, WORKMANLIKE EFFORT, TITLE AND NON-INFRINGEMENT. YOU SPECIFICALLY AGREE THAT IN NO EVENT SHALL MICROSOFT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OF OR INABILITY TO USE THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN, WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, EVEN IF MICROSOFT OR ANY OF ITS SUPPLIERS HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES.
When a domain user authenticates to a Windows Server 2003 DC with SP1 from an XP Pro-SP1 computer and their password has expired, they receive a message "Your password has expired and must be changed."
When a domain user authenticates to a Windows Server 2003 domain controller with SP1 from a Windows XP Professional-based computer with SP1 and their password has expired, they receive the message "Your password has expired and must be changed." When they try to change their password, they receive the message "You Do Not Have Permission to Change Your Password." This is different from the message "You are required to change your password at first logon," which a user receives when the user account property 'User must change password at next logon' has been set. The error message "Your password has expired and must be changed." is specific to accounts whose passwords have expired. This problem does not prevent a user with administrative permissions from forcing a password change for the user, and it does not stop the user from changing the password once they have successfully logged on and authenticated to the domain, by pressing CTRL + ALT + DEL and clicking 'Change Password' in the Windows Security dialog box.
In a domain with GPO security restrictions in place, specific group policy settings change when Windows Server 2003 SP1 is installed, and this change can cause the problem. If you have followed and implemented the recommendations in the Windows Server 2003 Security Guide, you may have configured the setting 'Network Access: Named pipes that can be accessed anonymously' with a blank value. This GPO setting writes to the registry value HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes. On a domain controller running Windows Server 2003 without SP1, the default values are COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, EPMAPPER, LOCATOR, TrkWks, TrkSvr. When Windows Server 2003 SP1 is installed, the defaults change to COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, BROWSER, NETLOGON, Lsarpc, samr.
If your existing GPO sets 'Network Access: Named pipes that can be accessed anonymously' to a blank value and Windows Server 2003 SP1 is then applied, the value appears blank when you view the registry value or run an RSoP query in GPMC. However, when you open the GPO and view the setting, it appears with all of the new Windows Server 2003 SP1 defaults: COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, BROWSER, NETLOGON, Lsarpc, samr. The setting shown in the editor therefore does not match what is actually applied on the domain controller.
To resolve this issue, open the GPO where the 'Network Access: Named pipes that can be accessed anonymously' setting is configured and do the following:
1. Double-click the setting, clear the 'Define this policy in the template' check box, and click OK.
2. Double-click the 'Network Access: Named pipes that can be accessed anonymously' setting again and select the 'Define this policy in the template' check box.
3. Leave the new defaults that are added automatically and click OK.
4. Close the Group Policy Object Editor and run gpupdate /force at the Command Prompt on your domain controllers to force the change, or wait 5 minutes for the setting to take effect.
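The following PowerShell script is an added example and is not part of this article or of any Microsoft tooling. It reads the NullSessionPipes registry value named above on a domain controller and compares it with the Windows Server 2003 SP1 defaults the article lists, so you can confirm whether the applied value is blank (the symptom described above) and, after following the resolution steps and running gpupdate /force, confirm that the SP1 defaults are present. It assumes PowerShell 2.0 or later and local administrator rights on the domain controller; the function names and the $expectedSp1Defaults list are the example's own.

```powershell
# Added example (not from KB555340): compare the applied NullSessionPipes value
# on this domain controller with the Windows Server 2003 SP1 defaults listed in
# the article. Assumes PowerShell 2.0+ and local admin rights on the DC.

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$valueName = 'NullSessionPipes'

# SP1 defaults exactly as the article lists them.
$expectedSp1Defaults = @(
    'COMNAP', 'COMNODE', 'SQL\QUERY', 'SPOOLSS', 'LLSRPC',
    'BROWSER', 'NETLOGON', 'Lsarpc', 'samr'
)

function Get-NullSessionPipes {
    # Returns the REG_MULTI_SZ entries as a string array; empty if the value
    # is absent or blank (the condition the article describes).
    param([string]$Path = $regPath, [string]$Name = $valueName)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.$Name | Where-Object { $_ -ne '' })
}

function Compare-NullSessionPipes {
    # Reports which SP1 defaults are missing from the applied value and which
    # entries go beyond the defaults. -notcontains is case-insensitive, which
    # matches how the names appear with mixed case (Lsarpc, samr).
    param([string[]]$Current, [string[]]$Expected = $expectedSp1Defaults)
    $missing = @($Expected | Where-Object { $Current -notcontains $_ })
    $extra   = @($Current  | Where-Object { $Expected -notcontains $_ })
    New-Object PSObject -Property @{
        Current = $Current
        Missing = $missing
        Extra   = $extra
        IsBlank = ($Current.Count -eq 0)
    }
}

$result = Compare-NullSessionPipes -Current (Get-NullSessionPipes)

if ($result.IsBlank) {
    Write-Warning 'NullSessionPipes is blank on this DC: this matches the symptom in the article.'
} elseif ($result.Missing.Count -gt 0) {
    Write-Warning ('Missing SP1 defaults: ' + ($result.Missing -join ', '))
} else {
    Write-Output 'NullSessionPipes contains all Windows Server 2003 SP1 defaults.'
}

if ($result.Extra.Count -gt 0) {
    # Entries beyond the SP1 defaults are not wrong by themselves, but they
    # widen anonymous access and should be reviewed against your security baseline.
    Write-Output ('Entries beyond the SP1 defaults: ' + ($result.Extra -join ', '))
}
```

Run the script on a domain controller before applying the resolution to confirm the blank value, then again after gpupdate /force (or after the 5-minute refresh) to confirm the defaults are now applied. Because the article notes that the GPO editor can display the new defaults while the applied value is still blank, checking the registry value on the DC itself, rather than the setting in the editor, is what tells you the fix has taken effect.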
More information on similar error messages with different causes and resolutions can be found in KB316806, KB32881, and KB328817, as well as in tips 7344 and 7516.
Article ID: 555340 - Last Review: 06/28/2005 12:20:20 - Revision: 1.0
Microsoft Windows Server 2003, Standard Edition (32-bit x86), Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
- kbpubmvp kbpubtypecca kbhowto KB555340