Article ID: 176978
Article Last Modified on 2/23/2007
APPLIES TO
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional Edition
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows NT Workstation 3.51
- Microsoft Windows NT Workstation 4.0 Developer Edition
- Microsoft Windows NT Server 3.51
- Microsoft Windows NT Server 4.0 Standard Edition
- Microsoft Windows 95
This article was previously published under Q176978
Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
SYMPTOMS
Clients logging on and attempting to change their password receive the following error:
Event Viewer Security log shows Event ID 577 - Security-Failure. Audit-Privilege.
CAUSE
C00000BE indicates STATUS_BAD_NETWORK_PATH. When users change passwords, they connect directly to the primary domain controller.
RESOLUTION
To work around this problem, do one of the following:
- Check physical connectivity by pinging the primary domain controller by IP address and name.
- Check connectivity through NET USE * \\PDCNAME\Share at an MS-DOS command prompt.
- Review entries in the primary and secondary WINS servers for inaccurate records.
- Under User Manager for Domains, Policies, Account, click to clear the Users must log on in order to change password check box.
- RestrictAnonymous has been set to 1 on the PDC, which prevents the user from connecting to the PDC with a Null Session from the client workstation. The user will not be able to change his or her password before he or she logs on to the domain. The user can change his or her password after he or she logs on to the domain because he or she will not be connecting to the PDC with a null session at that time; the user domain credentials will be passed to the PDC while trying to set up the session.
For additional information about RestrictAnonymous, please see the following articles in the Microsoft Knowledge Base:
143474 Restricting Information Available to Anonymous Logon Users
For additional information, see the following article or articles in the Microsoft Knowledge Base:
135060 Access Denied Attempting to Change Client Domain Password
MORE INFORMATION
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk. The following registry key is used to maintain control over the minimum security that is negotiated for programs by using NTLMSSP:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA\MSV1_0
If you have set the following value, you will not be able to change the password on the Windows NT 4.0-based clients:
Value: NtlmMinServerSec
Value Type: REG_DWORD
Number Valid Range: same as NtlmMinClientSec
Default: 0 0x20000000 128-bit encryption
If you try to change the password, you receive an "error: C00000BE" error. After you delete this value and restart the PDC emulator, you can change the password on the down-level clients. For additional information about how to disable LM authentication on Windows NT, click the following article number to view the article in the Microsoft Knowledge Base:
147706 How to Disable LM Authentication on Windows NT
Keywords: kbprb KB176978
