DetailPage-MSS-KB

Microsoft small business knowledge base

Article ID: 198941 - Last Review: November 1, 2006 - Revision: 3.4

Hotfix Download Available
View and request hotfix downloads
 
This article was previously published under Q198941

On This Page

SYMPTOMS

When a user on a computer running Windows NT Workstation logs on with an expired password and is prompted to change the password, he or she receives either of the the following errors:
You do not have permission to change your password.
-or-
Unable to change the password on this account (C00000BE). Please consult your system administrator.

CAUSE

Users can receive the above error messages under a variety of conditions. The underlying cause for these errors is a security registry change involving the RestrictAnonymous value. For additional information about the RestrictAnonymous value, please see the following articles in the Microsoft Knowledge Base:
143474  (http://support.microsoft.com/kb/143474/EN-US/ ) Restricting Information Available to Anonymous Logon Users

Scenario 1

In this scenario, the following conditions are true:
  • RestrictAnonymous is enabled on the PDC.
  • The primary domain controller (PDC) is running Service Pack 3 (SP3).
  • The clients are running SP3.
  • Strong passwords are enforced on the domain, either by Passfilt.dll or Passprop.exe from the Windows NT resource kit, or a minimum password length is specified in the Account Policy in User Manager for Domains.
If the client attempts to change an expired password when logging on and it does not meet the password requirements, the following error message will be displayed:
You do not have permission to change your password.
If the password meets the password requirements, the password should be changed successfully. The error text is reported incorrectly and should state that the user's password does not meet the domain policy. This issue is addressed in SP4.

Scenario 2

In this scenario, the following conditions are true:
  • RestrictAnonymous is enabled on the PDC.
  • The PDC is running Service Pack 4 (SP4).
  • The clients are running SP3.
If the client attempts to change an expired password when logging on, the following error message will be displayed:
Unable to change the password on this account (C00000BE). Please consult your system administrator.
Because a null session is used for this password change, the operation fails.

Scenario 3

In this scenario, administrators can have the "Users must log on in order to change password" account policy enabled. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
135060  (http://support.microsoft.com/kb/135060/EN-US/ ) Access Denied Attempting to Change Client Domain Password

RESOLUTION

To work around this problem, remove the RestrictAnonymous entry or set the value to 0, and then restart the PDC. This workaround will resolve both scenarios above. In scenario 2, upgrading the clients to Service Pack 4 will also resolve the problem.

MORE INFORMATION

For additional information, see the following article or articles in the Microsoft Knowledge Base:
196289  (http://support.microsoft.com/kb/196289/EN-US/ ) PRB: SP3 Clients Cannot Change Passwords - Error C00000BE
161990  (http://support.microsoft.com/kb/161990/EN-US/ ) How to Enable Strong Password Functionality in Windows NT
174076  (http://support.microsoft.com/kb/174076/EN-US/ ) Invalid Password Message When Strong Passwords Are Required
158388  (http://support.microsoft.com/kb/158388/EN-US/ ) Useful Resource Kit Utilities for Domain Administrators
812530  (http://support.microsoft.com/kb/812530/ ) You Do Not Have Permission to Change Your Password" Error Message When You Change Your Password At Logon

APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows NT Server 4.0, Terminal Server Edition
  • Microsoft Windows NT Server 4.0 Standard Edition
  • Microsoft Windows NT Workstation 4.0 Developer Edition
Keywords: 
kbhotfixserver kbqfe kbwin2ksp4fix kbsecurity kbprb KB198941
Share
Additional support options
Ask The Microsoft Small Business Support Community
Contact Microsoft Small Business Support
Find Microsoft Small Business Support Certified Partner
Find a Microsoft Store For In-Person Small Business Support