0
I have the issue at one of my customers that some of their AD-accounts are not allowed to change their password via ctrl+alt+del.
The error they get: 'Permission denied'
What I found out about the specific accounts:
- The accounts are set 'cannotChangePassword:$false'
- In the security dialog of their AD-object, the principal 'self' is has no permission to change password
- It looks like it's only administrator accounts that are affected by this issue
What I already tried:
- Set 'cannotChangePassword' to $true and $false again -> This worked for > 2 hours
- Set principal 'self' the permission to change password on user in ADUC -> This worked for >2 hours
- Gave principal 'self' the permission to change password on object 'Domain\System\AdminSDHolder' -> No effect at all
- Passwords are ok in accordance to password policy settings (length, complexity, etc.)
Anyone of you with further ideas?
Check
gpresult
for a policy that prevents them from doing it. What of the things you tried was automatically reversed if any of them? – Seth – 2016-09-21T07:42:55.583See the changes – restless1987 – 2016-09-21T09:11:21.323
Looked up the gpresult-report. Nothing suspicios here. – restless1987 – 2016-09-21T10:15:24.720
What time frame are you referring to by "some time"? – Seth – 2016-09-21T11:02:54.350
The title does not match your question. – Ramhound – 2016-09-21T11:49:05.700
True, fixed the typo – restless1987 – 2016-09-21T12:31:20.640