Security – Users on Windows 2008 R2 server cannot change own password

Tags: active-directory, group-policy, password, security, windows-server-2008

I have a Win2k8R2 server configured as PDC and Terminal Services (yes, I know). My manager would like users to be able to reset their own passwords by using the Start Menu -> Windows Security -> Change password.

I don't argue with this in principle. He's attempted to change his own password, only to be met with the "Your password is not in keeping with Complexity Rules" message. I've tested from another account the same way, and also cannot change passwords of unprivileged users.

I can change users' passwords by logging on as my account (which is an Administrator, as well as Enterprise and Domain admin), using Active Directory Users and Computers, and then resetting their password.

If they want to reset their password, I'm quite happy for them to come over and do it that way; we're a small team of about 8, so it's not a massive task.

However, even if I disable Password Complexity by editing Group Policy, users still can't change their own passwords.

Questions:

  1. What magic setting am I missing to allow them to change their own password?
  2. Is this normal for users to have to visit an Administrator for a password reset? (This is how it worked at a number of other companies I've worked for)
  3. Is there a better way to do this? I don't like having insecure passwords.

Best Answer

I assume the GPO you were changing was the Default Domain GPO; that is the only one that affects domain user IDs. GPOs on OUs only affect local accounts on domain-member computers that are in that OU.

Although domains in Win2008 mode can do OU-based policy, I have not researched how, nor the details.
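
To see which password policy a domain account is actually subject to, as the answer above discusses, the following added example (not part of the original question or answer) reads the domain-wide policy and any fine-grained policy for one user. It assumes the ActiveDirectory PowerShell module is available; the function name and the account name `jsmith` are hypothetical.

```powershell
# Added example: report the password policy in effect for one domain account.
# Assumes the ActiveDirectory module (AD DS role or RSAT on Windows Server 2008 R2).
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicy {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)]
        [string]$SamAccountName          # e.g. 'jsmith' (placeholder account)
    )

    # Policy that domain accounts receive from the GPO linked at the domain root.
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy

    # Fine-grained password policy applied to this user, or $null if none applies.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName

    $user = Get-ADUser -Identity $SamAccountName `
                       -Properties CannotChangePassword, PasswordLastSet

    # A fine-grained policy, when present, takes precedence over the domain policy.
    if ($pso) {
        $effective = $pso
        $source    = "Fine-grained policy: $($pso.Name)"
    } else {
        $effective = $domainPolicy
        $source    = 'Default domain policy'
    }

    # PasswordLastSet is empty when the account must change password at next logon.
    $earliestChange = $null
    if ($user.PasswordLastSet) {
        $earliestChange = $user.PasswordLastSet + $effective.MinPasswordAge
    }

    New-Object PSObject -Property @{
        Account              = $user.SamAccountName
        PolicySource         = $source
        ComplexityEnabled    = $effective.ComplexityEnabled
        MinPasswordLength    = $effective.MinPasswordLength
        PasswordHistoryCount = $effective.PasswordHistoryCount
        MinPasswordAge       = $effective.MinPasswordAge
        PasswordLastSet      = $user.PasswordLastSet
        EarliestNextChange   = $earliestChange
        CannotChangePassword = $user.CannotChangePassword
    }
}

# Example call with the placeholder account:
# Get-EffectivePasswordPolicy -SamAccountName 'jsmith' | Format-List
```

If `ComplexityEnabled` still shows `True` after a Group Policy edit, the change was not made in a GPO that sets the domain password policy, or it has not yet been applied.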