
= Error Message: "Access is Denied" When Changing Password =

Article ID: 245695

Article Last Modified on 6/23/2005


APPLIES TO


 * Microsoft Internet Information Server 4.0




This article was previously published under Q245695



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SYMPTOMS
When you use the password notification pages that install with the Windows NT Option Pack (NTOP), the following error message may be returned when you submit your password change:

Internet Service Manager

for Internet Information Server 4.0

Access is Denied

Back to http://



CAUSE
This error occurs because the account whose password you want to change does not have permission to change its own password on the domain controller.



RESOLUTION
On the domain controller, follow these steps:
 * 1) Open User Manager for Domains.
 * 2) Select, and then select Account.
 * 3) At the bottom of the Account Policy page, disable the User must log on in order to change password option.
 * 4) Click OK to save changes.
 * 5) Try changing the user's password again using the IIS Change Password Web application.



MORE INFORMATION
To access the Password Notification application, the Web site must be using either Basic\Clear Text or NT Challenge Response. If the password expires within 14 days (the default setting), the user is prompted to change their domain password using this Web application. To view this Web application manually, point your browser to the following:

http:// /iisadmpwd/anot3.htr

When IIS attempts to change or reset the user's domain account password, the user account with which the Web application was accessed is not passed on to the domain controller for authentication. In other words, no impersonation takes place on behalf of the user account. Instead, when the user types the account name, old password, and new password, an encrypted token containing all of this information is created and sent to the domain controller for validation. If the specified user is a domain controller administrator, or if the User must log on in order to change password option is disabled, the password can be changed successfully.

If a domain user has successfully logged on to a computer in the domain, they can use the operating system's change password utility to change the password even if the User must log on in order to change password option is selected. This is because the user has already "logged on to" the domain controller, which is different from accessing it through a Web browser.
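Because the account name, old password, and new password are typed into a Web form, it is worth knowing which clients reach the pages under /iisadmpwd/ and on which port. The following is an added example, not part of the original article or of any Microsoft tool: it scans a W3C Extended format log for those requests. It assumes W3C Extended logging is enabled with the fields shown, that the SSL binding uses port 443, and it runs on a constructed sample log.

```python
from collections import defaultdict

# Constructed W3C Extended log sample (not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem sc-status
2000-01-10 09:14:02 10.0.0.21 alice 80 GET /iisadmpwd/anot3.htr 200
2000-01-10 09:14:40 10.0.0.21 alice 80 POST /iisadmpwd/anot3.htr 200
2000-01-10 09:20:11 10.0.0.35 bob 443 GET /iisadmpwd/anot3.htr 200
2000-01-10 09:21:00 10.0.0.35 - 80 GET /default.htm 200
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2000-01-10 10:02:19 10.0.0.50 GET /IISADMPWD/anot3.htr 200
"""

SSL_PORT = "443"  # assumption: the site's SSL binding uses the default port


def password_page_hits(log_text, prefix="/iisadmpwd/"):
    """Map client IP -> [(date, time, port, method, uri)] for .htr requests
    under the password-change directory. port is None if s-port is not logged."""
    fields, hits = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record
        rec = dict(zip(fields, values))
        uri = rec.get("cs-uri-stem", "").lower()
        if uri.startswith(prefix) and uri.endswith(".htr"):
            hits[rec.get("c-ip", "-")].append(
                (rec.get("date"), rec.get("time"), rec.get("s-port"),
                 rec.get("cs-method"), uri))
    return dict(hits)


def cleartext_clients(hits):
    """Clients seen on a non-SSL port, or where the port was not logged."""
    return sorted(ip for ip, rows in hits.items()
                  if any(row[2] != SSL_PORT for row in rows))


if __name__ == "__main__":
    found = password_page_hits(SAMPLE_LOG)
    for ip in cleartext_clients(found):
        print(ip, found[ip])
```

Clients listed by `cleartext_clients` submitted or viewed the password pages outside the assumed SSL port, or were logged without a port and need manual review.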

Additional query words: ism, PasswordChangeFlags, PasswordExpirePrenotifyDays

Keywords: kbprb KB245695


© Microsoft Corporation. All rights reserved.