The subject behavior will occur if both the following are true:
- You enabled the User must change password at next logon option.
- The Everyone group and/or the Authenticated Users group does NOT have the Access this computer from the network rights on an authenticating domain controller.
To resolve this problem:
1. Open the Active Directory Users and Computers snap-in.
2. Right-click the Domain Controllers container and press Properties.
3. Select the Group Policy tab.
4. Select the Default Domain Controllers Policy and press the Edit button.
5. Navigate through Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment.
6. Double-click Access this computer from the network.
7. If either the Everyone or Authenticated Users group is missing, add them and press OK. 8. Close the Properties dialog and exit the snap-in.
9. On a domain controller, run SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE.
NOTE: For Windows Server 2003, run gpudate /Target:Computer.
NOTE: See When you are prompted to change your password when logging on to a Windows Server 2003 domain controller from Windows XP SP1, you receive 'You do not have permission to change your password'?