Re: Cannot change expired Admin password!

From: "Joe" <Joe@joe.com>
Date: Mon, 6 Jan 2003 12:36:35 -0500


Unfortunately I cannot logon with the old password. Windows says something
like "you must change your password now, fool!".

I guess I'll have to bite the bullet and call IT. They have an Admin account
with a non-expiring password.

Thanks...

"Matt Scarborough" <vexversa@verizon.net> wrote in message
news:qkli1v0s1kkaehetfvgs44vih53747fbrg@msnews.microsoft.com...
> On Fri, 3 Jan 2003 11:16:50 -0500, Joe wrote
> <OXBt#N0sCHA.2344@TK2MSFTNGP10>
> > I know what the cause is but not the solution.
> >
> > I have a Win2K Pro PC with CIS security template Win2K Gold applied. This
> > template sets the RestrictAnonymous=2 and restricts anonymous access to 'No
> > access without explicit anonymous permissions', which prevents use of the
> > Null account.
> >
> > Of course now the Administrator's account password has expired and cannot be
> > changed. The error message is 'You do not have permission to change your
> > password.' This is the only Admin account on the PC. All other accounts are
> > 'Users'.
>
> When a user attempts to change a password *at logon* by choosing "Yes" to the dialog
> "Your Password expires in x days. Do you want to change your password now?" the
> displayed error message "You do not have permission to change your password" is
> somewhat misleading.
>
> By default, any user can change any other user's password with knowledge of the
> existing password. As an example, when logged on locally as a lesser privileged user,
> pressing CTRL+ALT+DEL then choosing "Change Password" while supplying the
> Administrator account name and old password will allow a lesser privileged user to
> change the local Administrator's password when RequireLogonToChangePassword = 0 (the
> sane default.)
>
> The error message and troubles result from the CIS template settings
>
> [System Access]
> MinimumPasswordLength = 8
> PasswordComplexity = 1
> ClearTextPassword = 0
> RequireLogonToChangePassword = 1
>
> For another example why RequireLogonToChangePassword = 1 is troublesome, create a new
> user with the standard Users and Passwords snap-in view. After setting the password,
> switch to advanced view and tick the box "User Must Change Password at Next Logon".
> Lather Rinse Repeat. You won't be able to logon with that user. This is one reason
> RequireLogonToChangePassword = 1 was also known as IncreaseHelpDeskSupportCalls = YES
> in NT 4.0.
>
> If you can log on with the expiring password, choose "No" to "Do you want to change
> your password now?" that should allow you to logon, then press CTRL+ALT+DEL, choose
> "Change Password" and supply the expiring password as the "old" password, and a new
> password that meets complexity requirements.
>
> Matt Scarborough 2003-01-06
>
> On Fri, 3 Jan 2003 17:03:56 -0500, Joe wrote
> <up886P3sCHA.2296@TK2MSFTNGP09>
> > What happened was I unchecked the "Password never expires" for the Admin
> > account, then rebooted (not realizing that the account password was very
> > old).
> >
> > A local user (non-Admin) can see that the Admin account has the "Must change
> > password at next login" box checked, but of course cannot change it.
> >
> >
> > PS - This PC is not part of any domain and has no Group policies applied to
> > it. Everything is local.
>
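
Added example, not part of the original thread or of the CIS template: a pre-deployment check that reads a security template's [System Access] section and reports the combination the thread describes. The sample template is constructed from the lines quoted above; the MaximumPasswordAge value and the function names are assumptions made for illustration.

```python
import configparser

# Constructed sample template: the [System Access] lines quoted in the thread,
# plus an assumed MaximumPasswordAge (the thread does not give one).
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
ClearTextPassword = 0
RequireLogonToChangePassword = 1
MaximumPasswordAge = 90
[Version]
signature="$CHICAGO$"
"""


def read_system_access(template_text):
    """Return the [System Access] settings as {lowercased key: value}."""
    parser = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False)
    parser.read_string(template_text)
    if not parser.has_section("System Access"):
        return {}
    return {key: value.strip() for key, value in parser.items("System Access")}


def lockout_findings(settings):
    """List the reasons this template can strand an account, per the thread."""
    if settings.get("requirelogontochangepassword", "0") != "1":
        return []
    findings = ["RequireLogonToChangePassword = 1: an expired or must-change "
                "password cannot be changed at the logon prompt"]
    max_age = settings.get("maximumpasswordage")
    if max_age is None:
        findings.append("MaximumPasswordAge is not set by this template: "
                        "check the machine's effective policy")
    elif int(max_age) > 0:  # positive value = passwords expire after N days
        findings.append(f"MaximumPasswordAge = {max_age}: every account "
                        "without 'Password never expires' will hit this")
    return findings


if __name__ == "__main__":
    for finding in lockout_findings(read_system_access(SAMPLE_TEMPLATE)):
        print("WARNING:", finding)
```

Template files on disk are typically saved as UTF-16, so decode the file with that encoding before passing its text to read_system_access.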


