Users on Windows 2008 R2 server cannot change own password


I assume the GPO you were changing was the Default Domain GPO; that is the only one that affects domain user IDs. GPOs on OUs only affect local accounts on domain-member computers that are in that OU.

Although domains in Win2008 mode can do OU-based policy, I have not researched how, nor the details.
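
To see which password settings the domain actually enforces after a GPO edit, read them back from the domain rather than from the GPO editor. The following is an added example, not part of the original answer; the function name `Get-PasswordChangeConstraint` and the sample objects are constructed, and the commented cmdlets at the end assume the ActiveDirectory module on a Windows Server 2008 R2 domain controller. It goes beyond the complexity setting named in the thread to the other values carried by the same domain policy.

```powershell
# Added example: report the domain password settings that constrain a
# self-service password change for one account.
function Get-PasswordChangeConstraint {
    param(
        [Parameter(Mandatory=$true)] $Policy,  # shaped like Get-ADDefaultDomainPasswordPolicy output
        [Parameter(Mandatory=$true)] $User,    # shaped like Get-ADUser -Properties CannotChangePassword,PasswordLastSet
        [datetime] $Now = (Get-Date)
    )
    $findings = @()
    if ($User.CannotChangePassword) {
        $findings += 'Account flag "User cannot change password" is set'
    }
    if ($User.PasswordLastSet -and $Policy.MinPasswordAge -gt [timespan]::Zero) {
        $earliest = $User.PasswordLastSet + $Policy.MinPasswordAge
        if ($Now -lt $earliest) {
            $findings += "Minimum password age not yet reached (earliest change: $earliest)"
        }
    }
    if ($Policy.ComplexityEnabled) {
        $findings += 'Complexity is still enabled in the effective domain policy'
    }
    if ($Policy.MinPasswordLength -gt 0) {
        $findings += "New password needs at least $($Policy.MinPasswordLength) characters"
    }
    if ($Policy.PasswordHistoryCount -gt 0) {
        $findings += "New password must differ from the last $($Policy.PasswordHistoryCount)"
    }
    New-Object PSObject -Property @{ User = $User.SamAccountName; Findings = $findings }
}

# Constructed sample values, so the function can be tried without a domain.
$samplePolicy = New-Object PSObject -Property @{
    ComplexityEnabled = $true; MinPasswordLength = 7
    MinPasswordAge = [timespan]::FromDays(1); PasswordHistoryCount = 24
}
$sampleUser = New-Object PSObject -Property @{
    SamAccountName = 'jdoe'; CannotChangePassword = $false
    PasswordLastSet = [datetime]'2022-09-17T09:00:00'
}
$result = Get-PasswordChangeConstraint -Policy $samplePolicy -User $sampleUser -Now ([datetime]'2022-09-17T15:00:00')
$result.Findings

# On a domain controller with the ActiveDirectory module available (assumption):
# Import-Module ActiveDirectory
# $policy = Get-ADDefaultDomainPasswordPolicy
# $user   = Get-ADUser jdoe -Properties CannotChangePassword, PasswordLastSet
# Get-PasswordChangeConstraint -Policy $policy -User $user
```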


Tom O'Connor
Author by

Tom O'Connor


Updated on September 17, 2022

Comments

  • Tom O'Connor
    Tom O'Connor over 1 year

    I have a Win2k8R2 server configured as PDC and Terminal Services (yes, I know). My manager would like users to be able to reset their own passwords by using the Start Menu -> Windows Security -> Change password.

    I don't argue with this in principle. He's attempted to change his own password, only to be met with the "Your password is not in keeping with Complexity Rules" message. I've tested from another account the same way, and also cannot change passwords of unprivileged users.

    I can change users' passwords by logging on as my account (which is an Administrator, as well as Enterprise and Domain admin), using Active Directory Users and Computers, and then resetting their password.

    If they want to reset their password, I'm quite happy for them to come over and do it that way, we're a small team of about 8, it's not a massive task.

    However, even if I disable Password Complexity by editing Group Policy, users still can't change their own passwords.

    Questions:

    1. What magic setting am I missing to allow them to change their own password?
    2. Is this normal for users to have to visit an Administrator for a password reset? (This is how it worked at a number of other companies I've worked for)
    3. Is there a better way to do this? I don't like having insecure passwords.
    • Admin
      Admin about 14 years
      To answer your question 2: it entirely depends on your company policy. We have set it up so yes, users can hit the three-key salute and change passwords at will. If in question 3 you mean complexity requirements, that's why they're there, to assist in not having insecure passwords (although users still find a way to make them less secure). The reason I'm putting this in as a comment is because I don't know the answer to question 1, unless there's something anomalous with that server's local policy that's overriding domain policy.
  • Tom O'Connor
    Tom O'Connor about 14 years
    Yep, Default Domain GPO.