"User must change password at next logon" grayed out on password f

Discussion in 'Windows Small Business Server' started by NickR, Dec 8, 2006.

  1. NickR

    NickR Guest

    I have run across a perplexing minor issue that may be a bug in Windows.

    I have delegated the permission to "reset user passwords and force password
    change at next logon" to a security group on an OU. This works fine, except
    for one thing...

    When a delegated user belonging to that security group right-clicks on a
    username in Active Directory Users and Computers, that user is presented with
    a form consisting of the new password field, confirm password field, and a
    checkbox labeled "User must change password at next logon". This checkbox is
    grayed out.

    However, if that same delegated user opens the user properties for that
    target user account, he can go to the account tab and the checkbox is enabled.

    I have not found a way to enable the checkbox on the reset password form,
    short of giving the delegated user full control of the user accounts. I know
    that this is a minor issue, but my customer is pressuring me to fix this.

    Thank you,
    NickR, Dec 8, 2006
  2. NickR

    NickR Guest

    Anyone? Help?
    NickR, Dec 12, 2006
  3. They need "Write Account Restrictions" permissions on user objects to
    force the user to change the password. That should be what that form
    is looking for, and why it is greyed out.

    As to doing it under the full 'Properties' screen.....it may not be
    greyed out there for them but have you actually confirmed that it will
    force the user to change their password (or even save the setting for
    that matter) if the delegated user attempts to check that box and save

    See http://tinyurl.com/y32qwo for more info.

    Matt Ridings - MSR Consulting
    MSR Consulting SBS Support, Dec 12, 2006
  4. NickR

    NickR Guest

    The user has the "Write Account Restrictions" permission already set. In
    fact, I've experimented with just about every one of the 500000+ permissions,
    and the ONLY permission (that I've found) that will enable that checkbox on
    the change password form is the full control permission.

    Yes, the user is able to check the checkbox and save the settings under the
    account tab of the user properties box. It's very strange.

    NickR, Dec 12, 2006
  5. I was pretty sure that that particular piece of code on those forms was
    the same across the windows server versions.....but perhaps I'm
    mistaken if it's truly operating the way you're saying. It's more
    likely that the form is the same but there is a particular issue with
    the way that sbs handles permission that reports it differently to the
    form and you've uncovered a bug.

    If you'll tell me the exact permissions you've added, and through what
    mechanisms I'll setup a test user with the same config on one of my
    boxes and let you know if the same thing happens.

    Matt Ridings - MSR Consulting
    MSR Consulting SBS Support, Dec 12, 2006
  6. NickR

    NickR Guest

    I was able to recreate the problem in a test environment, so I know it's not
    just that one server.

    Basically, I simply created a security group called "Password Admins" and
    then went into AD users and computers, right-clicked on an OU that contained
    some users and selected to "Delegate Permissions". On the next screen, I
    selected the "Password Admins" group I created and clicked NEXT. Then on the
    next screen, under "Delegate the following common tasks" heading, I placed a
    check in the checkbox for "Reset user passwords and force password change at
    next logon". The last step is to click FINISH.

    Now any user that is a member of the "Password Admins" group can reset a
    user password, but that checkbox will be grayed out on the change password
    form. It will be available if they bring up the user properties on the
    account tab though.

    NickR, Dec 12, 2006
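
The rights named in this thread (Reset Password, write access to pwdLastSet, "Write Account Restrictions", Full Control) can be read straight from the OU's ACL instead of being inferred from what the ADUC forms enable. The script below is an added example and not part of any post; it assumes the RSAT ActiveDirectory module, and the OU distinguished name and domain name are placeholders.

```powershell
# Added example: report which of the rights discussed above a group holds on an OU.
# Assumes the RSAT ActiveDirectory module; the OU DN and domain name are placeholders.
Import-Module ActiveDirectory

$OuDn  = 'OU=Staff,DC=example,DC=local'   # hypothetical OU
$Group = 'EXAMPLE\Password Admins'        # group from the thread, hypothetical domain

# Well-known GUIDs from the AD schema and extended-rights container
$ResetPassword       = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # extended right
$PwdLastSet          = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # attribute
$AccountRestrictions = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'  # property set

# Allow ACEs present on the OU for the group (explicit or inherited)
$Aces = (Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
    $_.IdentityReference.Value -eq $Group -and $_.AccessControlType -eq 'Allow'
}

function Test-Delegation {
    param(
        [System.DirectoryServices.ActiveDirectoryRights]$Right,
        [guid]$ObjectType
    )
    # True when some ACE grants $Right scoped to exactly $ObjectType
    [bool]($Aces | Where-Object {
        $_.ActiveDirectoryRights.HasFlag($Right) -and $_.ObjectType -eq $ObjectType
    })
}

$Report = [pscustomobject]@{
    ResetPassword            = Test-Delegation ExtendedRight $ResetPassword
    WritePwdLastSet          = Test-Delegation WriteProperty $PwdLastSet
    WriteAccountRestrictions = Test-Delegation WriteProperty $AccountRestrictions
    # Full Control: GenericAll with no object-type restriction (empty GUID)
    FullControl              = Test-Delegation GenericAll ([guid]::Empty)
}
$Report | Format-List

if ($Report.FullControl) {
    Write-Warning "$Group has Full Control under $OuDn, far more than a password reset needs."
}
```
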
  7. OK, and how are those users whom you've delegated accessing the user
    list to get to the form? (just want to make sure I'm following the same

    Matt Ridings - MSR Consulting
    MSR Consulting SBS Support, Dec 12, 2006
  8. NickR

    NickR Guest

    The user(s) have AdminPak.MSI installed on a local PC. They would use Active
    Directory Users and Computers.
    NickR, Dec 12, 2006
  9. Admin Pack "SP1" or not?
    MSR Consulting SBS Support, Dec 12, 2006
  10. You've got me confused. Where in your process are you adding the "Write
    Account Restrictions" permission that you said you had done?

    That's a pretty involved step by step process so I'm confused as to why
    you aren't mentioning it now?

    also noticed I pasted wrong link earlier, should have been


    Matt Ridings - MSR Consulting
    MSR Consulting SBS Support, Dec 12, 2006
  11. I don't think there's much doubt it's a bug, I'm just wondering if
    there's a way around it thus all the different attempts.

    By the way, recreated in 3 different SBS environments if that helps
    ease your mind any.

    Matt Ridings - MSR Consulting
    MSR Consulting SBS Support, Dec 12, 2006
  12. NickR

    kj Guest

    Perhaps, but I've not seen it on the fix list. A new build was released
    today. Time permitting I'll try testing in the virtual lab.

    Was it with both adminpack.msi rtm and SP1?
    kj, Dec 12, 2006
  13. Yes (in regards to the admin packs).

    Not sure about getting your hopes up with the next service pack
    Nick as I haven't seen this listed anywhere. I would recommend
    'officially' submitting the issue to MS.

    Matt Ridings - MSR Consulting
    MSR Consulting SBS Support, Dec 12, 2006
  14. I haven't heard a MS representative on this thread clamoring to give it
    to the developers yet have you? :)....

    Seriously though, it's a good question. Where *is* the best place for
    a customer/consultant to submit/confirm a legitimate bug for SBS?
    Would seem a pain to go through support services and repeat steps 1
    through 8, rinse, repeat, just so it can go on a list.

    Terence, any idea?

    Matt Ridings - MSR Consulting
    MSR Consulting SBS Support, Dec 12, 2006
  15. Is this an SBS server? If so, you probably know this already, but if you
    apply the power users template to a user in SBS (or, if they belong to that
    domain security group) - they can log onto the SBS via TSweb and be
    presented with a 'power user' console that has the change user password
    functionality one click away.
    Les Connor [SBS MVP], Dec 12, 2006
