Windows 2000 Professional with NSA Win2k Professional security template applied. New users are required to change password on first logon, but when they try they get a message that they do not have permissions to change the password. Which setting within the registry or security template would be used to change this? Thanks!
K.C.

If NT server, in User Manager for Domains, is "user cannot change password" selected in that user's profile?
If 2kServer, in Active Directory Users and Computers, is it selected on the Account tab of the user's profile?

This is a standalone notebook. No connections to any servers. When "User must change password at next logon" is checked, all others, including "User cannot change password" are grayed out and empty.

Hmm... Stand-alones... In a domain setup you can select both "change at logon" and "cannot change"... (isn't that stupid?)... Do you have SP2 on the 2k boxes? There are a lot of password bugs that SP2 fixes...
Klingon

This isn't a bug. You can select both 'change' and 'cannot change' but when you apply it, it tells you and doesn't allow it.
Your question regarding - "User must change password at next logon" is checked, all others, including "User cannot change password" are grayed out and empty - is expected behaviour. If you are saying User must change, then it makes sense to gray out 'cannot change'.
I'm not familiar with the template you reference called the NSA template. I assume there is something in there restricting the changing of passwords. I would look through the template settings carefully for that.

That's funny... I never tried applying it before... Here I've been thinking, "How stupid is that!!??", but I guess they did a little thinking after all...

I also had this problem. Actually, my problem was with win2k server (domain) and might not be the exact problem, but hopefully it will point you in the right direction.
My group policy did not allow non-administrators to log on locally. It was really strange that it didn't say this, but that the user just couldn't change the password.
You might want to turn on security auditing so that you can get a detailed log in the event log. This might help you as well.
Also, if you are using a domain, group policy is dependent on NT File Replication System (ntfrs), which is dependent on Active Directory (ds), which is dependent on DNS. Any problems with these will cause your group policy to not execute which could also cause this problem. Look at the system and application logs to see if you have problems in these areas.
Hope this helps,
Paul
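
The "log on locally" right mentioned in the reply above can be checked directly in a security template file. The following is an added example, not part of the original thread: it reads the `[Privilege Rights]` section of a template and reports whether ordinary users hold `SeInteractiveLogonRight`. The sample template text is constructed (it is not the NSA template), and the set of groups treated as "ordinary users" is an assumption.

```python
# Constructed sample in security-template (.inf) syntax; NOT the NSA template.
SAMPLE_TEMPLATE = """\
[Privilege Rights]
; 544 = Administrators, 551 = Backup Operators
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
"""

# Assumption: ordinary accounts receive the right through one of these groups.
ORDINARY_USER_PRINCIPALS = {
    "s-1-5-32-545", "users", "s-1-1-0", "everyone",
    "s-1-5-11", "authenticated users",
}

def parse_sections(text):
    """Parse INF text into {section: {key: value}}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and INF comments
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def logon_locally_principals(text):
    """Principals granted 'log on locally', or None if the template omits it."""
    rights = parse_sections(text).get("privilege rights", {})
    value = rights.get("seinteractivelogonright")
    if value is None:
        return None
    return [p.strip().lstrip("*") for p in value.split(",") if p.strip()]

def ordinary_users_can_log_on_locally(text):
    """True/False when the right is defined, None when left unconfigured."""
    principals = logon_locally_principals(text)
    if principals is None:
        return None
    return any(p.lower() in ORDINARY_USER_PRINCIPALS for p in principals)

if __name__ == "__main__":
    print(logon_locally_principals(SAMPLE_TEMPLATE))
    print(ordinary_users_can_log_on_locally(SAMPLE_TEMPLATE))
```

A `None` result means the template does not define the right at all, so the cause would have to be sought in another setting.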
