Active directory ACCESS DENIED, RRS feed

  • Question

  • Hi hello cind of new here but i have a problem that 4 system admins cant figure out, but its probly something easy.

    the problem:

    User get promted to change password by windows because the old has expired.
    User gets ACCESS DENIED when trying to change password.
    User goes to either me or my collouges and tell us the problem and we change password for user without any trouble.

    Its like this for every user if they arent admin in the domain, the check box for user cannot change his password is unchecked.

    i have tried to delegete control to the ou so users can change and reset password.

    we are sitting on
    Win 2008 r2 domain controller  please help
    4 sys admins

    Wednesday, July 5, 2017 7:37 AM

All replies

  • Hi,

    I had a similar issue with this and found out it was due to Group Policy where I set the password minimum age. I changed it to 0 (meaning it can be changed anytime).

    Let me know if that works.


    Wednesday, July 5, 2017 7:45 AM
  • seems not to be the problem here its alrdy on 0,

    / MR.Mild

    Wednesday, July 5, 2017 9:01 AM
  • You can try the following:

    1. Create an OU and set to block all GPO > put one of the user/computer in that OU and run gpupdate on the client PC then test.

    2. Remove the user from all security groups then test.

    3. Check box "user cannot change password", apply changes then uncheck the box and apply changes again. See if that works.

    Note: If you have multiple DC's, you may need to wait for replication before testing each steps.

    Hope one of the above resolves your issue.


    • Proposed as answer by Isaac_A Thursday, July 6, 2017 3:57 AM
    Wednesday, July 5, 2017 11:26 AM
  • it worked with option 1 create ou and block all so it seems to be an gpo lurking.

    but it seems to work to change password even tho it complains. because when we try to log in with the old after the error we get warning for bad password and when we try the new it works just fine....

    im lost

    Wednesday, July 5, 2017 12:37 PM
  • I'm glad you've narrowed it down!! Now is a matter of reviewing the GPO's and figure out which one is causing it. I have a suspicion that it's in relation to your password policy. If the admins are changing passwords via AD console, this usually bypasses all GPO settings - that's why Admins can change the password but end-users can't. Isaac
    • Proposed as answer by Isaac_A Wednesday, July 5, 2017 2:34 PM
    • Edited by Isaac_A Wednesday, July 5, 2017 2:35 PM
    • Unproposed as answer by Isaac_A Thursday, July 6, 2017 3:57 AM
    Wednesday, July 5, 2017 2:33 PM
  • yeah im looking over the policies as i type this and the only one that has any passwd change in it is 1 gpo over the entire domain with the options:

    Computer Configuration-->Windows settings -->Security setting -->

    Acount Policies/password

    Enforce : 5 password rememberd

    Max : 45 days

    min : 0 days

    atleast : 6 chars

    passwd must meet complexety = true

    store passwd = false


    Thursday, July 6, 2017 6:35 AM
  • Hi Mr Mild,

    Please advise whether you've resolved this issue? If so, please mark as answered.



    Tuesday, August 7, 2018 10:57 PM