More developments "You do not have permission to change your password"
Michael A. Covington
December 14th 03, 02:24 AM
I can now report that putting the server in native mode has absolutely no
effect on this!
"Michael A. Covington" > wrote in message
...
> Another thing I'm going to pursue is that the domain controller is presently
> in "mixed" (NT compatible) rather than "native" mode. I'm going to change
> it over in a few days (after our students are finished with exams).
>
> "Michael A. Covington" wrote in message ...
> > > What do you have set for "Additional restrictions for anonymous
> > > connections"? If you relax this (RestrictAnonymous) setting does the
> > > behavior change?
> >
> > It's set to "None" or "Undefined" in all the group policies. In the
> > Registry, RestrictAnonymous = 0.
> >
> > > Matt Scarborough 2003-05-06
> > >
> > > On Sat, 3 May 2003 18:22:35 -0400, Michael A. Covington wrote
> > > >
> > > > Reposting to bring in more newsgroups, in the hope that someone will know!
> > > > "Michael A. Covington" wrote in message ...
> > > > We have a Windows 2000 roaming user profiles network and we are starting
> > > > to add some Windows XP client machines. For the most part, everything is
> > > > going very smoothly.
> > > >
> > > > However, we do have one problem.
> > > >
> > > > When we set up new accounts, they have a default password and are
> > > > required to change their password immediately.
> > > >
> > > > And if the owner of a new account happens to log in on a XP client
> > > > rather than a Windows 2000 client, he can't do that. He is prompted for the
> > > > original password; gives it; is told "You must change your password" or
> > > > words to that effect; is prompted for a new password; and is told, "You do
> > > > not have permission to change your password." Frustration!
> > > >
> > > > This is only because he's trying to change his password before his first
> > > > complete login. If I let him log in (by resetting his password for him),
> > > > then he can change his password just fine.
> > > >
> > > > Clearly, it's a permission issue. But it's *not* the permissions issues
> > > > described in:
> > > >
> > > > http://www.mike-tech.com/article.php?gif=win2k&article=165
> > > >
> > > > http://www.jsiinc.com/SUBE/tip2300/rh2367.htm
> > > >
> > > > We have *not* added any restrictions to remote access. Thus, as far as
> > > > I can tell, this is *not* the problem described in
> > > >
> > > > http://www.der-keiler.de/Newsgroups/microsoft.public.win2000.security/2002-06/2382.html
> > > >
> > > > either.
> > > >
> > > > What else could it be? How can I definitively check that the right
> > > > permissions exist, and correct them if they need correcting?
> > > >
> > > > Note that new-account-holders using Windows 2000 client machines are
> > > > unaffected.
> > > >
> > > > Thanks!
Jesper M. Johansson [MSFT]
December 14th 03, 02:25 AM
Do you have any kind of "security guide" applied to the Windows 2000 DC? I
presume the RestrictAnonymous setting you mention below is on the DC? That's
the one that matters here.
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send email directly to this alias. This alias is for newsgroup
purposes only.
Michael A. Covington
December 14th 03, 02:26 AM
"Jesper M. Johansson [MSFT]" > wrote in
message ...
> Do you have any kind of "security guide" applied to the Windows 2000 DC? I
> presume the RestrictAnonymous setting you mention below is on the DC? That's
> the one that matters here.
As best I can determine, RestrictAnonymous is *not* set. That's why this is
such a puzzle.
Michael A. Covington
December 14th 03, 02:28 AM
"Jesper M. Johansson [MSFT]" > wrote in
message ...
> Do you have any kind of "security guide" applied to the Windows 2000 DC? I
> presume the RestrictAnonymous setting you mention below is on the DC? That's
> the one that matters here.
Just to rule out mistakes, how can I find out the resultant policy that is
actually applied to anonymous user sessions? Thanks.
Michael A. Covington
December 14th 03, 02:28 AM
Actually, I've decided to give up. The reason is that for security reasons
I need to have RestrictAnonymous set higher than 0. Thus, instead of not
working for mysterious reasons, password changing prior to first successful
login will, in the future, on my system, not work by design.
When we create a new user, we used a script that -- until now -- set the
account to require an immediate password change. We're no longer doing
that. Instead we're generating a hideous-looking unique password at time of
account creation, and the user can change it, or not, as he wishes.
--
Michael A. Covington, Associate Director
Artificial Intelligence Center / The University of Georgia / Athens, GA
30602-7415 U.S.A.
http://www.ai.uga.edu/~mc http://www.CovingtonInnovations.com <><
Matt Scarborough
December 14th 03, 02:28 AM
On Mon, 19 May 2003 22:05:47 -0400, Michael A. Covington wrote
>
> I can now report that putting the server in native mode has absolutely no
> effect on this!
I would enforce this and be not surprised.
[System Access]
RequireLogonToChangePassword = 0
Matt Scarborough 2003-05-21
Sven Aelterman
December 14th 03, 02:38 AM
I am struggling with the same problem.
I have clearly set the permissions for unauthenticated users to 2 (No access
rights). Is that the cause?
If it is, too bad. But how come Windows 2000 and Windows XP behave
differently in this area?
--
Sven Aelterman
IT
e-globalcom.net
Matt Scarborough
December 14th 03, 02:45 AM
On Tue, 27 May 2003 18:32:11 +0200, Sven Aelterman wrote
>
> I am struggling with the same problem.
>
> I have clearly set the permissions for unauthenticated users to 2 (No access
> rights). Is that the cause?
>
> If it is, too bad. But how come Windows 2000 and Windows XP behave
> differently in this area?
IIRC, Windows XP uses a different API to change the password than that used
by Windows 2000 and earlier NTx when "User must change password at next
logon" is enforced.
Consider allowing explicit access to the Everyone group to change passwords,
or changing RestrictAnonymous to 1. In addition to, or in spite of, other
workarounds and settings, this may or may not always work.
Rarely is enough information gathered to solve this issue completely.
Matt Scarborough 2003-05-31
Sven Aelterman
December 14th 03, 02:46 AM
Hi Matt,
I considered setting the RestrictAnonymous to 1, but I am unsure of the
security implications.
--
Sven Aelterman
IT
e-globalcom.net
Matt Scarborough
December 14th 03, 02:47 AM
On Mon, 2 Jun 2003 11:28:02 +0200, Sven Aelterman wrote
>
> Hi Matt,
>
> I considered setting the RestrictAnonymous to 1, but I am unsure of the
> security implications.
See "Set Additional Restrictions for Anonymous Connections" in the Windows
2000 Security Hardening Guide at (URLs MAY WRAP)
http://www.microsoft.com/technet/security/prodtech/Windows/Win2kHG.asp
or
<http://www.microsoft.com/downloads/details.aspx?FamilyID=15e83186-a2c8-4c8f-a9d0-a0201f639a56>
or a discussion of this issue (Windows XP and "User must change password at
next logon" in a Windows 2000 domain) in the Guide to Securing Microsoft
Windows XP
http://www.nsa.gov/snac/winxp/download.htm
Matt Scarborough 2003-06-03
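For anyone auditing the two settings this thread keeps returning to, the following is an added example (not code from any poster): a Python check that reads RequireLogonToChangePassword and RestrictAnonymous out of a security template and attaches the observations the posters reported. The sample template, its values, and the function names are constructed for illustration; the `4,<n>` form in `[Registry Values]` is the template encoding of a REG_DWORD.

```python
import re

# Constructed sample in the shape of a security template exported from a
# domain controller (for example with `secedit /export /cfg dc.inf`).
# The values are made up for illustration; they are not from the thread.
SAMPLE_TEMPLATE = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
RequireLogonToChangePassword = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
[Version]
signature="$CHICAGO$"
Revision=1
"""

LSA_KEY = r"machine\system\currentcontrolset\control\lsa\restrictanonymous"


def parse_template(text):
    """Parse INF text into {section: {key: raw_value}}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INF comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections


def reg_dword(raw):
    """Decode a [Registry Values] entry 'type,data'; type 4 is REG_DWORD."""
    reg_type, _, data = raw.partition(",")
    if reg_type.strip() != "4":
        raise ValueError("expected REG_DWORD (type 4), got %r" % raw)
    return int(data.strip())


def effective_settings(text):
    """Return the two settings from the thread; None means 'not defined here'."""
    sections = parse_template(text)
    logon = sections.get("system access", {}).get("requirelogontochangepassword")
    anon = sections.get("registry values", {}).get(LSA_KEY)
    return {
        "RequireLogonToChangePassword": None if logon is None else int(logon),
        "RestrictAnonymous": None if anon is None else reg_dword(anon),
    }


def review(settings):
    """Map each value to a note that reflects what the posters reported."""
    notes = []
    logon = settings["RequireLogonToChangePassword"]
    anon = settings["RestrictAnonymous"]
    if logon is None:
        notes.append("RequireLogonToChangePassword: undefined in this template")
    elif logon != 0:
        notes.append("RequireLogonToChangePassword=%d: logon is required "
                     "before a password change; the thread suggests 0" % logon)
    if anon is None:
        notes.append("RestrictAnonymous: undefined in this template; "
                     "read the value on the DC itself")
    elif anon == 2:
        notes.append("RestrictAnonymous=2: the value set by the poster who "
                     "reported the same failure")
    elif anon == 1:
        notes.append("RestrictAnonymous=1: suggested in the thread as a "
                     "possible workaround, not a guaranteed one")
    return notes


if __name__ == "__main__":
    for note in review(effective_settings(SAMPLE_TEMPLATE)):
        print(note)
```

An empty result from `review` only means neither setting is at a value the posters flagged; the original poster saw the failure with RestrictAnonymous = 0.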