
"You do not have permission to change your password"

I haven’t posted anything in a while, sorry about that. I’ll try to post more often. :-)

We had a call recently regarding users changing their expired password whilst logging on to a computer attached to another domain. Unfortunately or fortunately, depending on which way you look at it, almost all of our clients are Windows XP, so our initial response to these sorts of queries is to ask the local IT administrator to fully patch the client experiencing the problem. Taking an XP client to SP3 usually solves most of the problems listed on TechNet for this particular error.

Unfortunately, patching didn’t work in this instance, and we weren’t sure why this was happening, so we logged a call with Premier Support. One of the articles we had missed in our initial investigations was highlighted to us by Microsoft - http://support.microsoft.com/kb/555340/en-gb

The article explained that we needed to reverse a change made on our Domain Controllers by the application of Windows Server 2003 Service Pack 1, which had cleared the list of pipes configured in the “Network Access: Named pipes that can be accessed anonymously” setting in our Default Domain Controllers Policy. The article says to enable the new defaults introduced in Windows Server 2003 SP1 (COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, BROWSER, NETLOGON, Lsarpc, samr) for that setting, which restores the ability for users logging on to a computer from another domain to change their password once it has expired.

This happens because the expired-password prompt on a client appears before the user has actually logged on. To change the password at that point, a computer from another domain has to open a null session to a domain controller in the user’s domain, using an anonymous connection to the named pipes that were removed from the list by the installation of SP1.

You may ask why I’m posting about this when it’s already detailed in the TechNet article above. Not entirely happy about enabling anonymous access to all of the named pipes listed in the article, we asked Microsoft to identify specifically which pipes we needed to enable to resolve the issue of changing expired passwords from computers in other domains. They came back to us with only two pipes that needed to be enabled: LSARPC and SAMR.

Named pipes that allow null sessions have known vulnerabilities and exploits, which is why Microsoft removed them from the defaults in the first place. In the end we decided not to make the change and instead to migrate the affected computers to the users’ domain, but I thought it worth sharing that you don’t need to allow anonymous access to all of the named pipes detailed in the article above: if you need to make this work, you can now do it with as little exposure as possible.
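Before deciding whether to touch this setting, it helps to know what each domain controller is actually exposing today. The script below is an added example, not code from the original post or from Microsoft: it reads the effective value behind “Network Access: Named pipes that can be accessed anonymously” on every DC and reports, per DC, whether the two pipes Microsoft named (LSARPC and SAMR) are present, and which additional pipes are open to null sessions beyond that minimum. It relies on the fact that this policy is backed by the REG_MULTI_SZ value NullSessionPipes under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. It assumes the ActiveDirectory module is installed and that the running account can use PowerShell remoting against the DCs; the report layout and function name are my own.

```powershell
# Added example (not from the original post): audit the effective
# "Network access: Named pipes that can be accessed anonymously" setting on
# each domain controller against the minimal set the post describes.
# Assumes: ActiveDirectory module present, PowerShell remoting to the DCs allowed.

Import-Module ActiveDirectory

# The two pipes Microsoft told the author were sufficient for expired-password
# changes from a computer in another domain.
$minimalPipes = @('LSARPC', 'SAMR')

# The full Windows Server 2003 SP1 default list quoted in KB 555340, used only
# to label which extra pipes come from that list rather than from a custom change.
$sp1Defaults = @('COMNAP', 'COMNODE', 'SQL\QUERY', 'SPOOLSS', 'LLSRPC',
                 'BROWSER', 'NETLOGON', 'LSARPC', 'SAMR')

# Registry value that the Security Options policy writes to on each DC.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-NullSessionPipeReport {
    param([string[]]$ComputerName)

    $raw = Invoke-Command -ComputerName $ComputerName -ArgumentList $regPath -ScriptBlock {
        param($path)
        $item = Get-ItemProperty -Path $path -Name NullSessionPipes -ErrorAction SilentlyContinue
        # A cleared policy leaves an empty string; drop blanks so a cleared list reads as empty.
        [pscustomobject]@{ Pipes = @($item.NullSessionPipes | Where-Object { $_ -ne '' }) }
    }

    foreach ($entry in $raw) {
        $configured = @($entry.Pipes)
        # -contains / -notcontains are case-insensitive, so "Lsarpc" matches "LSARPC".
        $missing = @($minimalPipes | Where-Object { $configured -notcontains $_ })
        $extra   = @($configured   | Where-Object { $minimalPipes -notcontains $_ })

        [pscustomobject]@{
            DomainController    = $entry.PSComputerName
            ConfiguredPipes     = ($configured -join ', ')
            MissingForPwdChange = ($missing -join ', ')
            ExtraFromSp1List    = (@($extra | Where-Object { $sp1Defaults -contains $_ }) -join ', ')
            ExtraOther          = (@($extra | Where-Object { $sp1Defaults -notcontains $_ }) -join ', ')
            PasswordChangeOk    = ($missing.Count -eq 0)
        }
    }
}

# Run against every DC in the current domain and show the result as a table.
$dcs = (Get-ADDomainController -Filter *).HostName
Get-NullSessionPipeReport -ComputerName $dcs | Format-Table -AutoSize
```

A DC with PasswordChangeOk set to True and both Extra columns empty is in the state the post describes as the least-exposure option; one with a populated ExtraFromSp1List has been given the full KB 555340 list. The script only reads the effective value; the change itself is still made in the Default Domain Controllers Policy under Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options, and a mismatch between DCs usually means the policy has not yet applied to one of them.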
