NT's SAM doesn't allow on-logon password change
by "Eric Peeters" <eric.peeters(at)worldnet.att.net>
Date: Wed, 25 Aug 1999 18:45:24 -0500
To: "Hwg-Servers" <hwg-servers(at)hwg.org>

Hello folks,

I'm having a problem that is baffling me and I hope someone can give me a
hand on this one.

I am updating a small network at a company we bought, which involves giving
everyone a new password on the NT network (they had the same for years).
Basically, what I did is set a password expiration at 30 days in the User
Manager. Of course, I made sure that "User cannot change password" is
unchecked (it was previously).

The password expiration deadline is two days away and some have already
tried to change their password. Strangely enough, they can change their
password with the Change Password function on Windows Security, but if one
tries to change his/her password during the logon, the system replies
invariably that the user does not have the right to change his/her password.
This problem occurs both with Domain User and Domain Administrator accounts.

The guy who set up this system a long while ago is unreachable and there is
no documentation of the config changes he made on the server.

I find the following object access failure report in the log:

Object Open:
Object Server: Security Account Manager
Object Type: SAM_USER
Object Name: DOMAINS\Account\Users\00000400
New Handle ID: -
Operation ID: {0,1997080}
Process ID: 2154441984
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E7)
Client User Name:
Client Domain:
Client Logon ID: (0x0,0x1E790F)
Accesses ChangePassword (with knowledge of old password)
Privileges

I have tried the following steps so far, all without success:

- Giving Everyone change permission and System full access permission to
  /winnt/system32/config;
- Giving Everyone change permission and System full access permission to the
  profiles directory/share;
- Enabling registry editing tools in the System Policy Editor.

And now, I am clueless. I hope one of you isn't.

Thanks,
Eric Peeters
HWG: hwg-servers mailing list archives,
maintained by Webmasters @ IWA