Re: Cannot change expired Admin password!
From: Matt Scarborough (vexversa@verizon.net)
Date: 01/06/03
- Next message: Max B: "Re: Instant Messenger BLOCK"
- Previous message: Max B: "Re: Logon/Logoff failure in event viewer"
- In reply to: Joe: "Re: Cannot change expired Admin password!"
- Next in thread: Joe: "Re: Cannot change expired Admin password!"
- Reply: Joe: "Re: Cannot change expired Admin password!"
From: Matt Scarborough <vexversa@verizon.net> Date: Mon, 06 Jan 2003 10:32:19 +0000
On Fri, 3 Jan 2003 11:16:50 -0500, Joe wrote
<OXBt#N0sCHA.2344@TK2MSFTNGP10>
> I know what the cause is but not the solution.
>
> I have a Win2K Pro PC with CIS security template Win2K Gold applied. This
> template sets the RestrictAnonymous=2 and restricts anonymous access to 'No
> access without explicit anonymous permissions', which prevents use of the
> Null account.
>
> Of course now the Administrator's account password has expired and cannot be
> changed. The error message is 'You do not have permission to change your
> password.' This is the only Admin account on the PC. All other accounts are
> 'Users'.
When a user attempts to change a password *at logon* by choosing "Yes" to the dialog
"Your Password expires in x days. Do you want to change your password now?" the
displayed error message "You do not have permission to change your password" is
somewhat misleading.
By default, any user can change any other user's password with knowledge of the
existing password. As an example, when logged on locally as a lesser privileged user,
pressing CTRL+ALT+DEL then choosing "Change Password" while supplying the
Administrator account name and old password will allow a lesser privileged user to
change the local Administrator's password when RequireLogonToChangePassword = 0 (the
sane default).
The error message and troubles result from the CIS template settings:
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
ClearTextPassword = 0
RequireLogonToChangePassword = 1
For another example why RequireLogonToChangePassword = 1 is troublesome, create a new
user with the standard Users and Passwords snap-in view. After setting the password,
switch to advanced view and tick the box "User Must Change Password at Next Logon".
Lather, rinse, repeat. You won't be able to log on with that user. This is one reason
RequireLogonToChangePassword = 1 was also known as IncreaseHelpDeskSupportCalls = YES
in NT 4.0.
If you can log on with the expiring password, choose "No" to "Do you want to change
your password now?"; that should allow you to log on. Then press CTRL+ALT+DEL, choose
"Change Password" and supply the expiring password as the "old" password, and a new
password that meets complexity requirements.
Matt Scarborough 2003-01-06
On Fri, 3 Jan 2003 17:03:56 -0500, Joe wrote
<up886P3sCHA.2296@TK2MSFTNGP09>
> What happened was I unchecked the "Password never expires" for the Admin
> account, then rebooted (not realizing that the account password was very
> old).
>
> A local user (non-Admin) can see that the Admin account has the "Must change
> password at next login" box checked, but of course cannot change it.
>
>
> PS - This PC is not part of any domain and has no Group policies applied to
> it. Everything is local.
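The following PowerShell script is an added example, not part of the thread or of the CIS template. It exports the local security policy with secedit.exe, reads the four [System Access] values Matt lists, flags RequireLogonToChangePassword = 1 as the setting that turns an expired or must-change password into a lockout, and writes a minimal template fragment that restores the default of 0. The file names under $env:TEMP and the decision to report only these four keys are assumptions of this example; the secedit /configure step is left commented out because it changes local policy and needs an administrative session.

```powershell
# Added example (not from the thread): audit the local [System Access] policy
# for the settings discussed above and prepare a corrective template fragment.
# Assumes secedit.exe (Windows 2000 and later) and an elevated session.

$exportPath = Join-Path $env:TEMP 'local-policy-export.inf'   # assumed path
$fixPath    = Join-Path $env:TEMP 'fix-requirelogon.inf'      # assumed path

# Export the effective local policy to an INI-style .inf file.
secedit.exe /export /cfg $exportPath /quiet | Out-Null

# Parse only the [System Access] section into a hashtable of key -> value.
$settings  = @{}
$inSection = $false
foreach ($line in Get-Content -Path $exportPath) {
    if ($line -match '^\[(.+)\]\s*$') {
        $inSection = ($Matches[1] -eq 'System Access')
        continue
    }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
        $settings[$Matches[1]] = $Matches[2]
    }
}

# The four keys the post attributes to the CIS Win2K Gold template.
# Only RequireLogonToChangePassword = 1 is the lockout trigger; the other
# three are ordinary password hardening and are reported for context.
$keys = 'MinimumPasswordLength', 'PasswordComplexity',
        'ClearTextPassword', 'RequireLogonToChangePassword'

foreach ($key in $keys) {
    $value = if ($settings.ContainsKey($key)) { $settings[$key] } else { '(not set)' }
    $note  = ''
    if ($key -eq 'RequireLogonToChangePassword' -and $value -eq '1') {
        $note = '  <-- blocks password change at logon; an expired or ' +
                '"must change at next logon" password cannot be changed'
    }
    Write-Output ("{0,-30} = {1}{2}" -f $key, $value, $note)
}

# Write a minimal template that resets only the problematic key to the default.
# Header and [Version] block follow the layout secedit itself produces.
@'
[Unicode]
Unicode=yes
[System Access]
RequireLogonToChangePassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
'@ | Set-Content -Path $fixPath -Encoding Unicode

Write-Output "Corrective template written to $fixPath"

# To apply it (administrative session; modifies local security policy):
# secedit.exe /configure /db "$env:TEMP\fix-requirelogon.sdb" /cfg $fixPath /areas SECURITYPOLICY
```

Running the audit first is the point: it shows whether the machine is in the state Matt describes before anything is changed, and the written fragment touches only the one value rather than re-applying or undoing the whole template.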