Microsoft KB Archive/244990

{|
 * width="100%"|

-

The information in this article applies to:


 * Microsoft Windows NT Workstation version 4.0

-

SYMPTOMS
When you attempt to change an expired password on a client computer running Microsoft Windows NT Workstation 4.0, you may receive the following error message:

You do not have permission to change your password.

When this occurs, you must have your system administrator change your password. Note that this issue may affect only some users in the domain.

CAUSE
This behavior can occur when a client computer running Windows NT Workstation 4.0 Service Pack 3 (SP3) attempts to connect to domain controllers that have Windows NT 4.0 Service Pack 4 (SP4) installed and the RestrictAnonymous registry entry enabled.

RESOLUTION
IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT, you should also update your Emergency Repair Disk (ERD).

To work around this behavior:


 1) At the appropriate domain controller, start Registry Editor (Regedt32), and then locate and click the following registry key:
 2) Click RestrictAnonymous, and then click Delete on the Edit menu.
 3) Click Yes to confirm the deletion.
 4) Quit Registry Editor.
 5) Restart the domain controller.

MORE INFORMATION
The RestrictAnonymous registry entry configures the local system policy that determines whether authentication is required for common enumeration functions. When you set the RestrictAnonymous value to 1, anonymous logon users who try to obtain a list of account names by using the graphical user interface (GUI) tools for security management receive an 'Access denied' error message. When you set the RestrictAnonymous value to 0 or leave the value undefined, anonymous users can list account names and enumerate share names.

Note that some Win32 programming interfaces support individual name lookup and do not restrict anonymous connections even with the RestrictAnonymous value set to 1. However, Windows NT-based networks that use a multiple-domain model can still restrict anonymous connections with no loss of functionality. To do this, system administrators in resource domains need to add members of trusted account domains to specific local groups before changing the RestrictAnonymous value to 1. Users who log on through accounts from trusted account domains can then continue to use authenticated connections to obtain a list of account names for security access control management.

For additional information, please see the following article in the Microsoft Knowledge Base:

"Q143474 Restricting Information Available to Anonymous Logon Users"

Additional query words: nt 4.0 change password access

Keywords: access nt 4.0 password

Version: winnt:4.0

Platform: winnt

Issue type: kbprb
 * }