Microsoft KB Archive/253512

From BetaArchive Wiki
Knowledge Base

Cannot Turn Off "User Cannot Change the Password" Option After Windows 2000 Upgrade

Article ID: 253512

Article Last Modified on 2/27/2007


  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server

This article was previously published under Q253512


When you upgrade your Microsoft Windows NT 4.0 domain to Windows 2000 Active Directory and you click to clear the User cannot change the password check box in Active Directory, the user may still be unable to change his or her password. In addition, the Active Directory user interface shows that the check box is cleared, but the user cannot change the password.


This behavior occurs when you turn on the User cannot change the password option in Windows NT 4.0. This action creates a denied Access Control Entry (ACE) for changing the password, and removes the allowed ACE for changing the password. After you upgrade to Active Directory and you turn off the User cannot change the password option, the user interface removes the denied ACE but does not add the allowed ACE.


To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

NOTE: To view the version, right-click the file in Windows Explorer, click Properties, and then click Version.


Microsoft has confirmed that this is a problem in Microsoft Windows 2000. This problem was first corrected in Windows 2000 Service Pack 1.


When you turn off the User cannot change the password option after the upgrade, look for the allowed ACE in the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Add the allowed ACE if it is absent, and then remove the denied ACE.

Keywords: kbhotfixserver kbqfe kbbug kbfix kbui kbwin2000sp1fix KB253512