forced cross domain password change....

hi all,

we are running 2 Win2003 native mode domains with a 2 way trust. we
have recently forced a number of users to change their password ("User
must change password at next logon").


problems:


1) some users have computers in a different domain than the one they
logon to. when logging in they are prompted to change their password,
but then get "You do not have permission to change your password". i
read that this may be related to the fact the change password command
is actually intiated by the local computer (to the domain controller)
not the actual user credentials. any ideas on how to make this work?


2) we would like to allow remote users to change their password with
the IIS change password function (iisadmpwd). however, this does NOT
work if the parameter "User must change password at next logon" is
invoked. that is a bummer.


i have done some research and Googled around, but haven't found any
documentation that specifically addresses these issues.
any ideas on how i can smooth these issues out? any help would be
greatly appreciated.


best,
putt

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> hi all,
>
> we are running 2 Win2003 native mode domains with a 2 way trust. we
> have recently forced a number of users to change their password ("User
> must change password at next logon").
>
>
> problems:
>
>
> 1) some users have computers in a different domain than the one they
> logon to. when logging in they are prompted to change their password,
> but then get "You do not have permission to change your password". i
> read that this may be related to the fact the change password command
> is actually intiated by the local computer (to the domain controller)
> not the actual user credentials. any ideas on how to make this work?

Having lived in environments where user accounts were
in one domain and computers in another many times (and
for many years) I have NEVER seen this happen.

My first guess would be your users are NOT actually
authenticated properly (likely due to some DNS problem).

Other than that I would like to see your reference for where
you "read this may be...."

What was the source of that info and what was the full
explanation there?

> 2) we would like to allow remote users to change their password with
> the IIS change password function (iisadmpwd). however, this does NOT
> work if the parameter "User must change password at next logon" is
> invoked. that is a bummer.

My comments above were in reference to a user LOGGING
on to a computer (Cntl-Alt-Del) and not to using IIS where
they are merely AUTHENTICATING (not actually logging
onto the computer.)


> i have done some research and Googled around, but haven't found any
> documentation that specifically addresses these issues.
> any ideas on how i can smooth these issues out? any help would be
> greatly appreciated.

My first thoughts would include running DCDiag on every DC,
and NetDiag on affectied clients machines, capturing the output,
and searching for FAIL, WARN, or IGNORE (fix those problems.)



--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

>
> best,
> putt
>

Putt,

I am with Herb on this...it should not matter that the user account objects
are in one Domain and the computer account objects are in another...

--
Cary W. Shultz
Roanoke, VA 24012

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> hi all,
>
> we are running 2 Win2003 native mode domains with a 2 way trust. we
> have recently forced a number of users to change their password ("User
> must change password at next logon").
>
>
> problems:
>
>
> 1) some users have computers in a different domain than the one they
> logon to. when logging in they are prompted to change their password,
> but then get "You do not have permission to change your password". i
> read that this may be related to the fact the change password command
> is actually intiated by the local computer (to the domain controller)
> not the actual user credentials. any ideas on how to make this work?
>
>
> 2) we would like to allow remote users to change their password with
> the IIS change password function (iisadmpwd). however, this does NOT
> work if the parameter "User must change password at next logon" is
> invoked. that is a bummer.
>
>
> i have done some research and Googled around, but haven't found any
> documentation that specifically addresses these issues.
> any ideas on how i can smooth these issues out? any help would be
> greatly appreciated.
>
>
> best,
> putt
>

Have you checked the rights that SELF has to the user objects?

It should have (at least) Read and Change Password.

neil




"(E-Mail Removed)" wrote:

> hi all,
>
> we are running 2 Win2003 native mode domains with a 2 way trust. we
> have recently forced a number of users to change their password ("User
> must change password at next logon").
>
>
> problems:
>
>
> 1) some users have computers in a different domain than the one they
> logon to. when logging in they are prompted to change their password,
> but then get "You do not have permission to change your password". i
> read that this may be related to the fact the change password command
> is actually intiated by the local computer (to the domain controller)
> not the actual user credentials. any ideas on how to make this work?
>
>
> 2) we would like to allow remote users to change their password with
> the IIS change password function (iisadmpwd). however, this does NOT
> work if the parameter "User must change password at next logon" is
> invoked. that is a bummer.
>
>
> i have done some research and Googled around, but haven't found any
> documentation that specifically addresses these issues.
> any ideas on how i can smooth these issues out? any help would be
> greatly appreciated.
>
>
> best,
> putt
>
>