NT's SAM doesn't allow on-logon password change

Hello folks,

I'm having a problem that is baffling me and I hope someone can give me a
hand on this one.

I am updating a small network at a company we bought, which involves giving
everyone a new password on the NT network (they had the same for years).
Basically, what I did is set a password expiration at 30 days in the User
Manager. Of course, I made sure that "User cannot change password" is
unchecked (it was previously).

The password expiration deadline is two days away and some have already
tried to change their password. Strangely enough, they can change their
password with the Change Password function on Windows Security, but if one
tries to change his/her password during the logon, the system replies
invariably that the user does not have the right to change his/her password.
This problem occurs both with Domain User and Domain Administrator accounts.
The guy who set up this system a long while ago is unreachable and there is
no documentation of the config changes he made on the server.

I find the following object access failure report in the log :

Object Open:
 	Object Server:	Security Account Manager
 	Object Type:	SAM_USER
 	Object Name:	DOMAINS\Account\Users\00000400
 	New Handle ID:	-
 	Operation ID:	{0,1997080}
 	Process ID:	2154441984
 	Primary User Name:	SYSTEM
 	Primary Domain:	NT AUTHORITY
 	Primary Logon ID:	(0x0,0x3E7)
 	Client User Name:
 	Client Domain:
 	Client Logon ID:	(0x0,0x1E790F)
 	Accesses		ChangePassword (with knowledge of old password)

 	Privileges

I have tried the following steps so far, all without success :

-Giving Everyone change permission and System full access permission to
/winnt/system32/config ;
-Giving Everyone change permission and System full access permission to the
profiles directory/share ;
-Enabling registry editing tools in the System Policy Editor.

And now, I am clueless. I hope one of you isn't.

Thanks,

Eric Peeters

HWG: hwg-servers mailing list archives, maintained by Webmasters @ IWA