- The Windows 2000\XP\.NET Resource Index

Last Updated December 10, 2003

Password Management in Windows 2000

Administrators spend the majority of their time on user and logon problems that seem to flood the helpdesk. From forgotten passwords to user-caused destruction of workstation environments, the problems are ongoing and unremitting.

Where to Start...
Account Passwords and Policies
Password and account lockout settings are designed to protect accounts and data in your organization by mitigating the threat of brute force guessing of account passwords. Settings in the Account Lockout and Password Policy nodes of the Default Domain policy settings enable account lockout and control how account lockout operates. This white paper describes how these settings affect account lockout and makes some general recommendations for configuring and troubleshooting account lockout issues. Source: Microsoft TechNet (June 2003)

Eliminating Windows 2000 Password Prompt
Microsoft Knowledge Base Article: 234562 - This article describes how to set the automatic logon feature for Windows 2000 Professional. Note that this option is not available for Windows 2000 Server or Advanced Server.

New Password Change and Conflict Resolution Functionality in Windows 2000
Microsoft Knowledge Base Article: 225511 - By default, when a machine account password or user password is changed, or a domain controller receives a client authentication request using an incorrect password, the Windows 2000 domain controller acting as the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role owner for the Windows 2000 domain is contacted. This article describes a new registry value that can be used by the administrator to control when the PDC is contacted, which can help reduce communication costs between sites. 

Windows 2000 Logon Passwords
Microsoft Knowledge Base Article: 258289 - A new Windows 2000 installation, or a Windows 2000 upgrade from Microsoft Windows 95 or Microsoft Windows 98, may unexpectedly prompt you for a password. The following notification occurs when you log on to the Windows 2000-based computer: 

Useful Articles...
Bypassing and Resetting BIOS passwords
Our guide to bypassing, resetting, and cracking BIOS passwords in the event the password has been lost or forgotten. 

Changing a Password from a Remote NT Computer
Microsoft Knowledge Base Article: 149176 - You can change a Windows NT User Account password that is on any Windows NT computer from any other Windows NT computer regardless of whether the User Account is on a Workstation, a stand-alone Server, or a Windows NT domain controller. 

Disabling Save Password Option in Dial-Up Networking
Microsoft Knowledge Base Article: 172430 - When you dial a phonebook entry in Dial-Up Networking (DUN), you can use the "Save Password" option so that your DUN password is cached and you will not need to enter it on successive dial attempts. For security, administrators may want to prevent users from caching passwords.

File and Print Services for NetWare Password Update 
This update addresses the "Correct Password Not Set on Services for NetWare Version 5" issue in Windows 2000. When you use Microsoft Management Console (MMC) on a computer running File and Print Services for NetWare (FPNW) to configure a user account with the NetWare-compatible logon option enabled, the user may not be able to use an existing password to log on to a server running the NetWare operating system. Installing this update allows the user to log on to the NetWare server without incident. Source:

Granting Change Password Permissions to the Everyone Group
Microsoft Knowledge Base Article: 242795 - When you grant the Change Password right to the Everyone group, all users and computer accounts, including domain controllers and anonymous users, are able to change passwords for computer and user accounts. To maintain security, users can only change the password if they know the current password

How to Change User Password at Command Prompt
Microsoft Knowledge Base Article: 149427 - Only administrators can change domain passwords at the Windows NT command prompt with the NET USER command. To change a user's password at the command prompt, log on as an administrator and type: NET USER <UserName> * /domain. You will then be prompted to type a password for the user. Enter the NEW password, not the existing password. 

HOWTO: Change a Windows 2000 User's Password Through LDAP
Microsoft Knowledge Base Article: 269190 - You can set a Windows 2000 user's password through the Lightweight Directory Access Protocol (LDAP) given certain restrictions. This article describes how to set or change the password attribute. 

How to Change the Recovery Console Administrator Password on a Domain Controller
Microsoft Knowledge Base Article: 239803 - When you promote a Windows 2000 Server-based computer to a domain controller, you are prompted to type a Directory Service Restore Mode Administrator password. This password is also used by Recovery Console, and is separate from the Administrator password that is stored in Active Directory after a completed promotion.

How to Disable Internet Explorer Password Caching
Microsoft Knowledge Base Article: 229940 - The dialog box that prompts you for your security credentials contains a check box to allow you to save the password so you do not have to type the password again when you attempt to use the same document. This is known as "password caching."

How to Disable Screen Saver Passwords By Using Policies
Microsoft Knowledge Base Article: 272304 - You can make screen saver password locks unavailable on systems in a site, domain, or organizational unit (OU), by using the policies available in Windows 2000. 

HOW TO: Prevent Users From Changing a Password Except When Required 
Microsoft Knowledge Base Article: 309799 - This step-by-step article describes how to prevent users from changing their password except when they are required to do so. Centralized control of user passwords is a cornerstone of a well-crafted Windows 2000 Security scheme. You can use a Windows 2000 Group Policy to set minimum and maximum password ages. A minimum password age prevents users from changing passwords too frequently. Frequent password changes can be used by users to circumvent a password-history setting and lead to more calls to the help desk because of forgotten passwords. 

How to Turn Off Password Expiration on Windows 2000 Professional in a Workgroup Environment 
Microsoft Knowledge Base Article: 285395 - This article explains how to turn off password expiration on a Microsoft Windows 2000 Professional-based computer in a workgroup environment. 

How to Use the Cusrmgr.exe Tool to Change Administrator Account Password on Multiple Computers
Microsoft Knowledge Base Article: 272530 - You can use the Cusrmgr.exe tool that is included with the Microsoft Windows 2000 Resource Kit to remotely change the account properties of a user in a Windows NT 4.0 or Windows 2000 domain, including the password. You can also use this tool in a batch (.bat) file to process account changes on multiple servers or workstations. Note that the Cusrmgr.exe tool is compatible with Windows NT 4.0 and Windows 2000. This article provides examples of how you can use the Cusrmgr.exe tool. 

How to Use Netdom.exe to Reset Machine Account Passwords
Microsoft Knowledge Base Article: 260575 - Each Windows 2000-based computer maintains a machine account password history containing the current and previous passwords used for the account. When two computers attempt to authenticate with each other and a change to the current password 

How Windows NT Handles Incorrect User/Machine Account Passwords
Microsoft Knowledge Base Article: 200900 - If you type an incorrect password when you log on to a computer running Windows NT Workstation 4.0 or later that has a secure channel with a backup domain controller (BDC), the BDC checks the primary domain controller (PDC) before it denies the logon attempt to the workstation. If the PDC has the updated password, the BDC grants the secure channel request with the workstation and then immediately synchronizes with the PDC 

Non Administrator Permissions to Load and Unload Device Drivers
Microsoft Knowledge Base Article: 219435 - This article describes how to configure Windows 2000 to permit users who do not have administrator or power user permissions to install and uninstall device drivers in Windows 2000.

Password Synchronization in Windows Services for UNIX
Password Synchronization in Microsoft® Windows® Services for UNIX provides features to synchronize user passwords between Windows and UNIX. This white paper describes the Password Synchronization feature included as part of Services for UNIX version 2.0. Source:

Patch Available for the Cached Web Credentials Vulnerability
Microsoft Knowledge Base Article: 273868 - Microsoft has released a patch that eliminates a vulnerability that may allow a malicious user to obtain your user ID and password for a Web site. (updated 10/22/2000)

Protecting Passwords in Answer Files
Jerry Honeycutt's series on Windows 2000 deployment continues to examine how answer files can be used as a form of crib sheets to automate the Win2K setup process. In this installment we learn how to answer prompts for passwords without leaving any security holes. Source: EarthWeb (March 2001)

Windows NT/2000 Password Recovery Secrets
You've just been hired as the new sysadmin at a small company. On your first day, you find out the last admin bailed to a big tech services firm and no one knows the administrator passwords to the company's computing systems. To solve our problem, we will use two tools to gain access to the locked systems and then change their passwords. Source: 

With Encryption Required You Can Still Select PAP, SPAP, or CHAP
Microsoft Knowledge Base Article: 227815 - When you configure a Dial-Up Networking connection to require data encryption, you may be able to select Password Authentication Protocol (PAP), Shiva Password Authentication Protocol (SPAP), or Challenge Handshake Authentication Protocol (CHAP) 

Troubleshooting: Known Bugs and Issues...
14 Day Password Change Notification Cannot be Changed
Microsoft Knowledge Base Article: 135403 - In Windows NT 3.x, when your password is 14 days from expiration, you receive a Password Change Notification when logging on requesting you to change your password. 

Account Lockout Because BadPasswordCount Not Reset to 0
Microsoft Knowledge Base Article: 263821 - User accounts may get locked out in a mixed environment with Windows 2000-based domains and Microsoft Windows NT 4.0-based domains. 

Administrator Password Set Incorrectly After Unattended Installation
Microsoft Knowledge Base Article: 257442 - When you install Windows 2000 with an unattended Setup script and you specify a default administrator password by using the AdminPassword key in the [GuiUnattended] section of the answer file, the password may not be set as you typed it. 

Bad Password Attempts Are Repeatedly Forwarded from Domain Controllers to the PDC Operations Master 
Microsoft Knowledge Base Article: 272065 - When Netlogon processes an authentication request on a domain controller and the request does not work because there is a "bad" password, the request is repeated on the primary domain controller (PDC) operations master. 

Basic Authentication Allows Validation Using Old Password
Microsoft Knowledge Base Article: 210992 - After you change a user's domain password in User Manager for Domains, the user may be able to gain access to a Web-based program running on Internet Information Server (IIS) version 4.0 using the old password. 

Cannot Change Domain Password By Using RAS in Windows 2000 
Microsoft Knowledge Base Article: 283258 - When you dial into a Windows 2000 RAS server and your domain password has expired, the change password process that is used by RAS may not work, and your client computer may not be able to connect. The problem occurs when the RAS server is a member of a Microsoft Windows NT 4.0 domain or mixed-mode domain

Cannot Connect to Password-Protected Share on Windows 95/98 Computer
Microsoft Knowledge Base Article: 239723 - When you try to connect to a share on a computer running Windows 95 or Windows 98 from a Windows NT-based or Windows 2000-based computer that is either in a workgroup or not in the same domain, you may be prompted for your user name and password

Cannot Logon After Changing Keyboard Settings
Microsoft Knowledge Base Article: 138354 - You have configured your U.S. version of Windows NT with a foreign language keyboard layout and you have extended characters in your password. After changing your password, you cannot log on.

Cannot Turn Off "User Cannot Change the Password" Option After Windows 2000 Upgrade
Microsoft Knowledge Base Article: 253512 - When you upgrade your Microsoft Windows NT 4.0 domain to Windows 2000 Active Directory and you click to clear the User cannot change the password check box in Active Directory, the user may still be unable to change his or her password. In addition, the Active Directory user interface shows that the check box is cleared, but the user cannot change the password. 

Cannot Use the Set Password Button in Users and Computers
Microsoft Knowledge Base Article: 231809 - You cannot use the Users and Passwords tool in Control Panel to set the password for the currently logged-on user, or for any domain user. 

Changing NetWare Password Prompts User for Fully Qualified User Name
Microsoft Knowledge Base Article: 229037 - When you log on to your Windows 2000-based computer, you may be prompted to change your Windows 2000 and NetWare Directory Services (NDS) passwords, but you may not be able to change your NDS password if you do not enter your fully qualified NDS user name. Also, if you try to change your NDS password after you have logged on to your computer, you may not be prompted to enter your fully qualified NDS user name. 

Changing the Password on a Locked-Out Account Generates a "Domain Not Available" Message
Microsoft Knowledge Base Article: 324141 - If a user tries to change their password on an account that is locked out and has the User must change password at next logon attribute set, the user receives the following error message: The system cannot change your password now because the domain domain_name is not available. This error message is misleading because it does not distinguish between the actual situation (a locked-out account) and true connectivity problems.

Clear Text Password May Not Be Recognized
Microsoft Knowledge Base Article: 257292 - When you are using Windows 2000 with clear text passwords, the operation may not succeed. 

Computer Is Locked Error Message When Using Screen Saver Password 
Microsoft Knowledge Base Article: 253166 - When you use a password on the screen saver on a computer running Windows NT 3.51 or 4.0 or Windows 2000, you may receive an error message that states that the computer is locked and you cannot unlock it. 

Correct Password Not Set on Services for NetWare Version 5
Microsoft Knowledge Base Article: 258764 - When you use Microsoft Management Console (MMC) on a computer running File and Print Services for NetWare (FPNW) to configure a user account with the NetWare-compatible logon option enabled, the user may not be able to log on to a server running either Windows 2000 or the NetWare operating system. 

Creating External Trusts May Succeed with Cached Password
Microsoft Knowledge Base Article: 242770 - When you create a trust relationship successfully, delete it, and re-create it with incorrect passwords, the trust may be (mistakenly) successfully re-created. This behavior can occur with down-level and external trusts. 

Custom User Names and Passwords for Dial-Up Connections Lost After Upgrade to Windows 2000
Microsoft Knowledge Base Article: 242532 - After you upgrade to Windows 2000 Professional from Microsoft Windows 95, Microsoft Windows 98, or Microsoft Windows 98 Second Edition, dial-up connections may not connect properly or may report an incorrect user name or password. 

Error 648 "Password Expired" When User Must Change Password
Microsoft Knowledge Base Article: 227730 - When you connect to a Windows 2000 RAS server by using a command-line dialer (such as Rasdial), you may receive the following error message: 

Error "c0000244" When You Attempt to Reset a User Password
Microsoft Knowledge Base Article: 293158 - When a user who does not have privileges to reset another user's password attempts to reset another user's password, the user may receive a "c0000244" stop code on a blue screen. This code indicates that an attempt to log an audit attempt did not succeed. This problem occurs only if the CrashOnAuditFail registry key is enabled and Account Management auditing is enabled 

Error Message Is Displayed When Attempting to Change Password
Microsoft Knowledge Base Article: 273004 - When you attempt to change a user's password you may receive the following error message: 

Err Msg: The Credentials Supplied Conflict with an Existing...
Microsoft Knowledge Base Article: 106211 - Windows NT does not allow you to make multiple connections to a shared network server from the same workstation if you attempt to use more than one set of credentials. If you attempt to make two or more connections to the same server using  

Error Message: Your Password Must Be at Least 18770 Characters and Cannot Repeat Any of Your Previous 30689 Passwords
Microsoft Knowledge Base Article: 276304 - If you log on to an MIT realm, press CTRL+ALT+DELETE, click Change Password, type your existing MIT password, and then type a new, simple password that does not pass the dictionary check in Kadmind, you may receive the following error message: Your password must be at least 18770 characters and cannot repeat any of your previous 30689 passwords. Please type a different password. Type a password that meets these requirements in both text boxes. Note that the number of required characters changes from 17,145 to 18,770 with the installation of SP1 

"Generic Logon" Validating Users on a Domain Fails
Microsoft Knowledge Base Article: 137583 - Windows 95 allows shared network installations. This requires transitioning from a real mode to a protect mode redirector. You are logged onto the network while Windows 95 is in real mode so that the bulk of the Windows 95 can be loaded by the client. This is done without client validation on the domain. Once in protect mode, you are presented with a graphical dialog box and the standard Username, Password, and Domain name fields are available. 

Global Groups Are Not Displayed in User And Password Manager
Microsoft Knowledge Base Article: 234371 - After you add a Domain Global Group to your local computer using the User And Password Manager tool in Control Panel, the Domain Global Group is not displayed the next time you open the User And Password Manager tool. 

Incorrect Behavior in Winlogon for First-Time User with "Must Change Password on First Logon" Setting
Microsoft Knowledge Base Article: 263603 - When a new user logs on to a workstation for the first time in a Windows 2000-based domain, the following symptoms can occur if the Must change password on first logon setting is enabled for that user account 

Kerberos Change Password Does Not Work When Account Password Expires
Microsoft Knowledge Base Article: 253532 - When your password expires, you may be unable to change it using the Kerberos Change Password mechanism. 

Locked-Out Account That Is Reset at a Different DC May Be Locked Out with One Bad Password 
Microsoft Knowledge Base Article: 278299 - When you are using account-lockout policies in a domain with more than one domain controller (DC), if an account was previously locked out and then unlocked by an administrator, the account may be locked out after only one bad password attempt. 

Machine Account Lockout May Cause Problems on Primary Domain Controller
Microsoft Knowledge Base Article: 260930 - Machine account logon attempts may not work between Windows 2000-based domain controllers. This behavior can occur if the machine account password is changed by the domain controller and enough unsuccessful attempts are made to log on to that account.

Narrator Reads Password Aloud in Terminal Services Client
Microsoft Knowledge Base Article: 243243 - Microsoft Narrator is a synthesized text-to-speech utility for users who have low vision. When you are using Narrator, keystrokes that you type are read aloud. When you log on to a Terminal Services server in a Terminal Services client session 

Password Expiration Message Is Not Displayed with GPO Logon Script Running in Synchronous Mode
Microsoft Knowledge Base Article: 288234 - If you enable synchronous processing of logon scripts in a Group Policy object (GPO), or even in a Local Computer policy, the "Your password expires in n days" message is not displayed. 

Password Length Appears Changed in Windows 2000 Dial-up Networking Connection Manager 
Microsoft Knowledge Base Article: 262359 - In Microsoft Windows 2000, all dial-up network connections to the Internet show a Password box with 16 asterisks (*). This behavior is a change from Microsoft Windows 9x, where the number of characters in the previously entered password is the same as the number of asterisks shown in the Password box. This is also a change from Microsoft Windows NT, where the password is not visible after a phone book entry is made.

Prompted for User Name and Password in Unattended Installation
Microsoft Knowledge Base Article: 224284 - When you run an unattended installation of Windows 2000, you may be prompted to provide a user name and password to join a domain, and this may occur even if the machine account is already created.

Prompt for User Credentials After Specifying Not to Be Prompted
Microsoft Knowledge Base Article: 234333 - After you clear the "Users must enter a user name and password for this computer" check box in the "Users and Passwords" tool in Control Panel, you may still be prompted for a password when you start Windows. 

Protected Storage Always Prompts for Password After Using GhostWalker
Microsoft Knowledge Base Article: 264033 - After you use GhostWalker to deploy Windows NT Workstation, and you change the computer's security ID (SID), you may receive the following prompt every time you log on to a Web site where user information is stored (such as Microsoft Hotmail) 

SMB Session Credentials Are Not Updated After Password Change Resulting in Account Lockout
Microsoft Knowledge Base Article: 275508 - If the home drive is mapped and you change your password during the logon process, the account may be locked out when you try to open the home drive after it is disconnected because of a TCP disconnect time-out.

Terminal Services Clients Always Prompted for Password
Microsoft Knowledge Base Article: 247174 - You can use the Terminal Services Client Connection Manager software to specify a user name, password, and domain name that are used whenever a user starts a specific connection. This feature eliminates the need for the user to type his or her credentials at each connection attempt. 

The User's Password Is Not Reset When the User Logs Off
Microsoft Knowledge Base Article: 301381 - When a user changes his or her password, the old password is supplied to third-party Gina files when subsequent users log on. This occurs because the Microsoft Msgina.dll dynamic-link library (DLL) does not reset the old password flag or the old password string when the first user logs off.

TsInternetUser Password Is Changed Daily
Microsoft Knowledge Base Article: 244057 - The following event may be logged daily on a Windows 2000-based server with Terminal Services and auditing for successful account management enabled: 

Users Cannot Log On to the Domain After Password Changes on a Remote Domain Controller
Microsoft Knowledge Base Article: 318364 - After you change a user account password on a remote domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role, the user may not be able to log on to a local domain controller by entering

Unable to Change Password with User Principal Name When a Global Catalog Server Is Unavailable
Microsoft Knowledge Base Article: 256287 - When you attempt to change your password by using your user principal name (, you may receive one of the following error messages. 

User May Be Able to Change Any User Password on Windows 2000 Server Under Certain Conditions 
Microsoft Knowledge Base Article: 279809 - Active Directory on Windows 2000 Server may allow any user the ability to change another user password under certain conditions. While a "regular" user is using the Active Directory snap-in, the user can choose another user and reset that user's password. 

User May Be Authenticated by Wrong Domain
Microsoft Knowledge Base Article: 227904 - When you log on to a Windows 2000 domain, you may receive either or both of the following error messages: 

"User Must Log On in Order to Change Password" Option No Longer Exists
Microsoft Knowledge Base Article: 255776 - The Group Policy Help file (Gp.chm) states: "User must log on to change password Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy Description: Determines whether users have to log on before they can change their password. By default, this setting is disabled in the Default Domain Group Policy object (GPO) and in the local security policy of workstations and servers. If this policy is enabled, then users have to log on before changing their password. Thus, if a user's password expires, the user will not be able to change the expired password, but must instead have an administrator reset the password." This is a documentation error  

Windows Does Not Require You to Press CTRL+ALT+Delete to Logon
Microsoft Knowledge Base Article: 235308 - After you click to select the Require users to press Ctrl-Alt-Delete before logging on check box on the Advanced tab of the Users and Passwords tool, the computer may start without requiring you to press CTRL+ALT+Delete to log on. 

Wrong Message Appears When the Workstation Is Unlocked with an Invalid Password
Microsoft Knowledge Base Article: 286778 - When ForceUnlockLogon is enabled on any Windows 2000 client, the message that you receive when you type the wrong password or when the account is finally locked out is incorrect. When this occurs, you may receive the following message that indicates that the computer has been locked instead of a message that indicates that you typed the wrong password or that the account is locked: This computer is locked. Only DOMAIN\ domain name or an administrator can unlock this computer. The message remains identical even though the user account has been locked out.

You Receive a Password Expiration Message After You Change Your Password
Microsoft Knowledge Base Article: Q294811 - When your password is about to expire, you may receive a message during logon that informs you of this and provides you with an opportunity to change the password. When you try to unlock your workstation after you have changed your password

Entire contents
© 1999-2003 and TechTarget
All rights reserved
