Problem: A user cannot change his password

Problem:

A user cannot change his password

"response message: Changing the password failed. The reason could not be determined. In case it helps, here is the original error message: Not permitted to
change password. Errorcode 20: The new password could not be set"

Investigation:

Testing with kpasswd

#: kpasswd cscheini
Access denied : Not permitted to change password

Looking into the nTSecurityDescriptor of the user object on the DC:

ldbsearch -H /var/lib/samba/private/sam.ldb cn=cscheini ntSecurityDescriptor
# record 1
dn: CN=cscheini,CN=Users,DC=schein,DC=ig

nTSecurityDescriptor: O:DAG:DAD:ARAI(OD;;CR;ab721a53-1e2f-11d0-9819-00aa004052
 9b;;PS)(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(A;;RPWPCRCCDCLCLORCW
 OWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSD
 DTSW;;;AO)(A;;RPLCLORC;;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)
[…]

The problem is the first ACE in the DACL:
(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)
OD = object-specific access-denied ACE; CR = control access right (an extended right); ab721a53-… = the User-Change-Password right; PS = Principal Self (the user himself)
vs the later
(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)
OA = object-specific access-allowed ACE; CR = control access right; ab721a53-… = the User-Change-Password right; PS = Principal Self

The second ACE, (OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD), denies the same right to WD (Everyone). Deny ACEs are evaluated before allow ACEs, so the allow for Principal Self further down never takes effect and kpasswd is refused.

For more information: User-Change-Password extended right - Win32 apps | Microsoft Docs

Permits changing password on user account.

CN: User-Change-Password
Display-Name: Change Password
Rights-GUID: ab721a53-1e2f-11d0-9819-00aa0040529b
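To make the diagnosis repeatable, here is an added example (not part of the original post and not Samba's or Microsoft's code) that parses the DACL of an SDDL string and reports who is explicitly denied the User-Change-Password right. The sample descriptor is constructed from the ldbsearch output above, reassembled from its wrapped lines and cut off where the post cuts it off; the function names are assumptions made for this example.

```python
"""Detect the AD "User cannot change password" setting in an nTSecurityDescriptor (SDDL).

Windows does not store "User cannot change password" as an attribute: ticking the box in
Active Directory Users and Computers writes two object-specific deny ACEs for the
User-Change-Password extended right, one for Principal Self (PS) and one for Everyone (WD).
This example looks for exactly those ACEs.
"""
import re
from typing import Dict, List

# Rights-GUID of the User-Change-Password extended right (see the Microsoft Docs entry above).
USER_CHANGE_PASSWORD_GUID = "ab721a53-1e2f-11d0-9819-00aa0040529b"

# Constructed sample: the descriptor from the post, rejoined from its LDIF line wrapping.
# The post truncates the descriptor after the seventh ACE, so the rest is omitted here too.
SAMPLE_SDDL = (
    "O:DAG:DAD:ARAI"
    "(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)"
    "(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)"
    "(A;;RPLCLORC;;;PS)"
    "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)"
)

# "D:" introduces the DACL: optional flag letters (e.g. AR, AI, P) followed by (...) ACEs.
_DACL_RE = re.compile(r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)")
_ACE_BODY_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl: str) -> List[Dict[str, str]]:
    """Return the DACL ACEs as dicts with the six SDDL ACE fields plus the raw ACE text."""
    m = _DACL_RE.search(sddl)
    if not m:
        raise ValueError("descriptor has no DACL")
    aces = []
    for body in _ACE_BODY_RE.findall(m.group("aces")):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, ace_flags, rights, object_guid, inherit_guid, trustee = fields
        aces.append({
            "type": ace_type, "flags": ace_flags, "rights": rights,
            "object_guid": object_guid.lower(), "inherit_guid": inherit_guid,
            "trustee": trustee, "raw": f"({body})",
        })
    return aces


def has_right(rights: str, code: str) -> bool:
    """SDDL rights are concatenated two-letter codes (CR = control access right).
    Hex masks ("0x...") are not decoded in this example (assumption: never seen here)."""
    if rights.startswith("0x"):
        return False
    return code in {rights[i:i + 2] for i in range(0, len(rights), 2)}


def _is_change_password_deny(ace: Dict[str, str]) -> bool:
    return (ace["type"] == "OD"
            and has_right(ace["rights"], "CR")
            and ace["object_guid"] == USER_CHANGE_PASSWORD_GUID)


def change_password_denies(sddl: str) -> List[str]:
    """Trustees that are explicitly denied the User-Change-Password extended right."""
    return [ace["trustee"] for ace in parse_dacl(sddl) if _is_change_password_deny(ace)]


def user_cannot_change_password(sddl: str) -> bool:
    """True when both deny ACEs written by the ADUC checkbox (Self and Everyone) are present.
    Deny ACEs are evaluated before allow ACEs, so the later (OA;;CR;...;;PS) allow never wins."""
    return {"PS", "WD"} <= set(change_password_denies(sddl))


def without_change_password_denies(sddl: str) -> str:
    """The descriptor with the two deny ACEs stripped, i.e. what clearing the checkbox leaves.
    Illustrative only: on a real DC change the setting through RSAT, not by string surgery."""
    m = _DACL_RE.search(sddl)
    if not m:
        raise ValueError("descriptor has no DACL")
    kept = [ace["raw"] for ace in parse_dacl(sddl) if not _is_change_password_deny(ace)]
    return sddl[:m.start("aces")] + "".join(kept) + sddl[m.end("aces"):]


if __name__ == "__main__":
    for ace in parse_dacl(SAMPLE_SDDL):
        marker = "  <-- blocks password change" if _is_change_password_deny(ace) else ""
        print(ace["raw"] + marker)
    print("User cannot change password:", user_cannot_change_password(SAMPLE_SDDL))
```

Run it against the real value by pasting the rejoined output of `ldbsearch -H /var/lib/samba/private/sam.ldb cn=cscheini ntSecurityDescriptor` into SAMPLE_SDDL; a descriptor that denies the right only to PS or only to WD was not produced by the checkbox and points at a manually edited ACL instead.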

Solution:

This means that the user was explicitly forbidden to change his password. That is exactly what the "User cannot change password" account option does: it writes the two deny ACEs for Principal Self and Everyone. Check the user with the RSAT tools (Active Directory Users and Computers):

Double-click the user, click the Account tab and, under Account options, look at the box beside User cannot change password. If it is ticked, clear it; Windows then removes the two deny ACEs and kpasswd succeeds again.
