Repost Re: "You do not have permission to change your password"
Michael A. Covington
December 5th 03, 07:57 PM
Reposting to bring in more newsgroups, in the hope that someone will know!
"Michael A. Covington" wrote in message ...
We have a Windows 2000 roaming user profiles network and we are starting to add some Windows XP client machines. For the most part, everything is going very smoothly.
However, we do have one problem.
When we set up new accounts, they have a default password and are required to change their password immediately.
And if the owner of a new account happens to log in on an XP client rather than a Windows 2000 client, he can't do that. He is prompted for the original password; gives it; is told "You must change your password" or words to that effect; is prompted for a new password; and is told, "You do not have permission to change your password." Frustration!
This is only because he's trying to change his password before his first complete login. If I let him log in (by resetting his password for him), then he can change his password just fine.
Clearly, it's a permission issue. But it's *not* the permissions issues described in:
http://www.mike-tech.com/article.php?gif=win2k&article=165
http://www.jsiinc.com/SUBE/tip2300/rh2367.htm
We have *not* added any restrictions to remote access. Thus, as far as I can tell, this is *not* the problem described in
http://www.der-keiler.de/Newsgroups/microsoft.public.win2000.security/2002-06/2382.html
either.
What else could it be? How can I definitively check that the right permissions exist, and correct them if they need correcting?
Note that new-account-holders using Windows 2000 client machines are unaffected.
Thanks!
Matt Scarborough
December 5th 03, 08:07 PM
What do you have set for "Additional restrictions for anonymous
connections"? If you relax this (RestrictAnonymous) setting does the
behavior change?
Matt Scarborough 2003-05-06
Michael A. Covington
December 5th 03, 08:10 PM
> What do you have set for "Additional restrictions for anonymous
> connections"? If you relax this (RestrictAnonymous) setting does the
> behavior change?
It's set to "None" or "Undefined" in all the group policies. In the
Registry, RestrictAnonymous = 0.
Michael A. Covington
December 5th 03, 08:12 PM
Another thing I'm going to pursue is that the domain controller is presently
in "mixed" (NT compatible) rather than "native" mode. I'm going to change
it over in a few days (after our students are finished with exams).
Alex Johnsen
December 14th 03, 03:07 AM
Hi, I have the same problem. I've tried the articles
described below with out any success. Please keep me
informed if you should find an answer to our problem.
Regards,
Alex Johnsen
Ping Hsieh
December 14th 03, 08:04 AM
I have exactly the same problem. Setting the Everyone group to have
the change password permission does not help. (It helps
2000, but not XP.) Do you have a solution yet?
Thanks.
Matt Scarborough
December 14th 03, 08:11 AM
On Tue, 1 Jul 2003 13:25:00 -0700, Ping Hsieh wrote
>
> I have exactly same problem. Set Everyone group to have
> change password permission doest not help. (it helps
> 2000, but not xp). Do you have solution yet?
First, about Restrict Anonymous.
For the DWORD value
HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous,
as it appears in the Domain Policy on a Windows 2000 DC,
RestrictAnonymous = 0: None, rely on default permissions
RestrictAnonymous = 1: Do not allow enumeration of SAM accounts and shares
RestrictAnonymous = 2: No access without explicit anonymous permissions.
When "RestrictAnonymous = 2," non-authenticated users (null session
connections) no longer have the Everyone Group SID in their access token. So
at RA=2, we need an authenticated user to change passwords when Everyone
Group membership is required to change passwords.
When "User must change password at next logon" is enforced, the user is
forced to change the password without logging on again. So, without logging
on again, and without using a null session (because null session users are
not members of the "Everyone Group") how shall the password be changed?
For XP-SP1 you must apply the Q328817 patch described here under "Set
Additional Restrictions for Anonymous Connections" in the
Windows 2000 Security Hardening Guide at (URLs MAY WRAP)
http://www.microsoft.com/technet/security/prodtech/Windows/Win2kHG.asp
or
<http://www.microsoft.com/downloads/details.aspx?FamilyID=15e83186-a2c8-4c8f-a9d0-a0201f639a56>
Additional discussion of this issue (Windows XP and "User must change
password at next logon" in a Windows 2000 domain) in the Guide to Securing
Microsoft Windows XP
http://www.nsa.gov/snac/winxp/download.htm
There is no KB article available for Q328817. The patch enables the Windows
2000 behavior in Windows XP by allowing the machine account (COMPUTERNAME$)
to apply the password change via SamChangePasswordUser2 (the COMPUTERNAME$
account is not a null session logon and can supply the old and new
password.) You need to call PSS for Q328817. Searching reveals several other
XP-SP1 Msv1_0.dll fixes floating about in the Knowledge Base. Each is a
specific fix that may fix or break other stuff as well. Call PSS.
One simpler answer may be to set the DC at RestrictAnonymous = 1 when you
have Windows XP clients in a Windows 2000 AD Domain. But permission
inheritance, previously misapplied security templates, and improper DNS
records when NetBIOS over TCP/IP is disabled, will foil even that simple
answer.
Matt Scarborough 2003-07-05
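Added example (editor's addition, not code from anyone in this thread): a PowerShell audit of the two things Matt's reply says to look at before calling PSS. It reads the DC's RestrictAnonymous value and maps it to the three meanings listed above, then lists every ACE on a user object that grants or denies the "Change Password" and "Reset Password" control-access rights, so you can see whether Everyone and SELF still hold Change Password (the Windows default) or whether a template or inheritance change has removed it. Assumptions: it runs from a machine that can reach the DC over LDAP and the remote registry service with an account allowed to read both; the account name 'newuser' and the DC name are placeholders; the two rights GUIDs are the well-known values from the AD schema. PowerShell did not ship with the systems discussed in the thread, so this is a present-day tool applied to the same settings.

```powershell
# Added example: audit RestrictAnonymous on a DC and the password-change ACEs on one user.
# Not from the original thread. $SamAccountName and $DomainController are placeholders.
param(
    [string]$SamAccountName   = 'newuser',          # hypothetical account to inspect
    [string]$DomainController = $env:COMPUTERNAME   # run on the DC, or name one here
)

# --- 1. RestrictAnonymous, as read from the DC's registry ------------------------
# Meanings follow the Windows 2000 Domain Policy UI quoted in the thread.
$meaning = @{
    0 = 'None. Rely on default permissions (null sessions still carry the Everyone SID)'
    1 = 'Do not allow enumeration of SAM accounts and shares'
    2 = 'No access without explicit anonymous permissions (Everyone SID dropped from null-session token)'
}
$hive = [Microsoft.Win32.RegistryHive]::LocalMachine
$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $DomainController)
$lsa  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
if (-not $lsa) { throw "Cannot open HKLM\SYSTEM\CurrentControlSet\Control\Lsa on $DomainController" }
$ra = [int]$lsa.GetValue('RestrictAnonymous', 0)   # an absent value behaves like 0
$lsa.Close(); $hklm.Close()
"RestrictAnonymous = $ra : $($meaning[$ra])"
if ($ra -eq 2) {
    'Note: at RA=2 a pre-logon password change from an unpatched XP client uses a null session with no Everyone SID.'
}

# --- 2. Who holds Change Password / Reset Password on the user object --------------
# Well-known rightsGuid values from the AD schema (Extended-Rights container).
$ChangePasswordRight = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
$ResetPasswordRight  = [guid]'00299570-246d-11d0-a768-00aa006e0529'

$rootDse  = [ADSI]"LDAP://$DomainController/RootDSE"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$DomainController/$($rootDse.defaultNamingContext)"
$searcher.Filter     = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
$hit = $searcher.FindOne()
if (-not $hit) { throw "User '$SamAccountName' not found under $($rootDse.defaultNamingContext)" }

$user = $hit.GetDirectoryEntry()
$acl  = $user.ObjectSecurity      # System.DirectoryServices.ActiveDirectorySecurity
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

"`nPassword rights on $($user.distinguishedName):"
$acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object {
        ($_.ActiveDirectoryRights -band $extended) -and
        ($_.ObjectType -eq $ChangePasswordRight -or $_.ObjectType -eq $ResetPasswordRight)
    } |
    ForEach-Object {
        $right = if ($_.ObjectType -eq $ChangePasswordRight) { 'Change Password' } else { 'Reset Password' }
        $src   = if ($_.IsInherited) { 'inherited' } else { 'explicit' }
        '{0,-5} {1,-15} {2,-35} {3}' -f $_.AccessControlType, $right, $_.IdentityReference, $src
    }
```

What to look for in the output: a healthy Windows 2000 user object shows "Allow Change Password" for both Everyone and NT AUTHORITY\SELF. If Everyone is missing (or a Deny row appears), a template or a manual ACL edit removed it, which is the permission the Windows 2000 client path relies on. If the ACEs are fine and the DC reports RA=2, the failure is the null-session case Matt describes, and the answer is the XP-side fix rather than more ACL changes. Run it against both a freshly created account and one that has already logged on once to confirm the ACLs match; Michael's observation that the change works after a first logon points at the client path, not the object's permissions.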