Re: Cannot change expired Admin password!
From: Joe (Joe@joe.com)
Date: 01/07/03
- In reply to: Matt Scarborough: "Re: Cannot change expired Admin password!"
From: "Joe" <Joe@joe.com> Date: Tue, 7 Jan 2003 11:15:57 -0500
The locked out account is the default Administrator account, just renamed.
The IT group has an account in the Administrator group with a non-expiring
password.
Does that change my options?
"Matt Scarborough" <vexversa@verizon.net> wrote in message
news:v2mj1vsrr2mt8r3jhnrra1ucjvd8flmqsl@msnews.microsoft.com...
> On Mon, 6 Jan 2003 12:36:35 -0500, Joe wrote
> <OoBHjoatCHA.2036@TK2MSFTNGP12>
> > Unfortunately I cannot logon with the old password. Windows says something
> > like "you must change your password now, fool!".
>
> <ouch> So the account with the expiring password is not the Administrator account as
> you stated. It may be a member of the Administrator's group. But that is a different
> school of fish.
>
> It is not possible to lock out the Administrator account from a console logon with
> RequireLogonToChangePassword = 1.
>
> > I guess I'll have to bite the bullet and call IT. They have an Admin account
> > with a non-expiring password.
>
> To clarify, they'll need the Administrator's (RID 500) account and password to logon
> if all of the user's passwords are stale (older than MaximumPasswordAge = 90
> from the CIS template) and have been flagged with "User Must Change Password at Next
> Logon"
>
> Did I mention...
> (RequireLogonToChangePassword = 1) == (IncreaseHelpDeskSupportCalls = YES)
>
> Matt Scarborough 2002-01-06
>
>
>
>
> > Thanks...
> >
> >
> > "Matt Scarborough" <vexversa@verizon.net> wrote in message
> > news:qkli1v0s1kkaehetfvgs44vih53747fbrg@msnews.microsoft.com...
> > > On Fri, 3 Jan 2003 11:16:50 -0500, Joe wrote
> > > <OXBt#N0sCHA.2344@TK2MSFTNGP10>
> > > > I know what the cause is but not the solution.
> > > >
> > > > I have a Win2K Pro PC with CIS security template Win2K Gold applied. This
> > > > template sets the RestrictAnonymous=2 and restricts anonymous access to 'No
> > > > access without explicit anonymous permissions', which prevents use of the
> > > > Null account.
> > > >
> > > > Of course now the Administrator's account password has expired and cannot be
> > > > changed. The error message is 'You do not have permission to change your
> > > > password.' This is the only Admin account on the PC. All other accounts are
> > > > 'Users'.
> > >
> > > When a user attempts to change a password *at logon* by choosing "Yes" to the dialog
> > > "Your Password expires in x days. Do you want to change your password now?" the
> > > displayed error message "You do not have permission to change your password" is
> > > somewhat misleading.
> > >
> > > By default, any user can change any other user's password with knowledge of the
> > > existing password. As an example, when logged on locally as a lesser privileged user,
> > > pressing CTRL+ALT+DEL then choosing "Change Password" while supplying the
> > > Administrator account name and old password will allow a lesser privileged user to
> > > change the local Administrator's password when RequireLogonToChangePassword = 0 (the
> > > sane default.)
> > >
> > > The error message and troubles result from the CIS template settings
> > >
> > > [System Access]
> > > MinimumPasswordLength = 8
> > > PasswordComplexity = 1
> > > ClearTextPassword = 0
> > > RequireLogonToChangePassword = 1
> > >
> > > For another example why RequireLogonToChangePassword = 1 is troublesome, create a new
> > > user with the standard Users and Passwords snap-in view. After setting the password,
> > > switch to advanced view and tick the box "User Must Change Password at Next Logon".
> > > Lather Rinse Repeat. You won't be able to logon with that user. This is one reason
> > > RequireLogonToChangePassword = 1 was also known as IncreaseHelpDeskSupportCalls = YES
> > > in NT 4.0.
> > >
> > > If you can log on with the expiring password, choose "No" to "Do you want to change
> > > your password now?" that should allow you to logon, then press CTRL+ALT+DEL, choose
> > > "Change Password" and supply the expiring password as the "old" password, and a new
> > > password that meets complexity requirements.
> > >
> > > Matt Scarborough 2003-01-06
> > >
> > > On Fri, 3 Jan 2003 17:03:56 -0500, Joe wrote
> > > <up886P3sCHA.2296@TK2MSFTNGP09>
> > > > What happened was I unchecked the "Password never expires" for the Admin
> > > > account, then rebooted (not realizing that the account password was very
> > > > old).
> > > >
> > > > A local user (non-Admin) can see that the Admin account has the "Must
> > > > change password at next login" box checked, but of course cannot change it.
> > > >
> > > >
> > > > PS - This PC is not part of any domain and has no Group policies applied to
> > > > it. Everything is local.
> > >
> >
>
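The interaction described in the quoted replies can be checked before a template is applied. The following is an added example, not part of the thread and not CIS or Microsoft code: it parses the `[System Access]` section of a security template and lists accounts that would need a password change at logon while `RequireLogonToChangePassword = 1` blocks it. The account inventory, its field names and the function names are hypothetical, and treating `MaximumPasswordAge <= 0` as "no expiry" is an assumption.

```python
import configparser

# Constructed sample template. The first four [System Access] lines are the
# ones quoted in the thread; MaximumPasswordAge = 90 is the figure it cites.
SAMPLE_TEMPLATE = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
ClearTextPassword = 0
RequireLogonToChangePassword = 1
MaximumPasswordAge = 90
"""

# Constructed account inventory; names and field names are hypothetical.
SAMPLE_ACCOUNTS = [
    {"name": "admin-renamed", "age_days": 400, "never_expires": False, "must_change": False},
    {"name": "it-support", "age_days": 400, "never_expires": True, "must_change": False},
    {"name": "newuser", "age_days": 0, "never_expires": False, "must_change": True},
    {"name": "alice", "age_days": 30, "never_expires": False, "must_change": False},
]

def system_access(inf_text):
    """Return the [System Access] section of a security template as a dict."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(inf_text)
    if not cp.has_section("System Access"):
        return {}
    return {k: (v or "").strip() for k, v in cp.items("System Access")}

def stranded_accounts(inf_text, accounts):
    """Accounts that must change their password at logon but cannot do so."""
    cfg = system_access(inf_text)
    if cfg.get("RequireLogonToChangePassword", "0") != "1":
        return []  # change-at-logon still works, so nobody is stranded
    max_age = int(cfg.get("MaximumPasswordAge", "-1"))  # assumption: <= 0 means no expiry
    found = []
    for acct in accounts:
        expired = (max_age > 0 and not acct["never_expires"]
                   and acct["age_days"] > max_age)
        if expired or acct["must_change"]:
            found.append((acct["name"], "expired" if expired else "must-change flag"))
    return found

if __name__ == "__main__":
    for name, reason in stranded_accounts(SAMPLE_TEMPLATE, SAMPLE_ACCOUNTS):
        print(f"{name}: cannot change password at logon ({reason})")
```

If every account in an administrators group appears in the result, the machine has no working recovery logon once the template is applied, so the inventory should be reviewed before rollout.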