If you use a password policy in a Windows 2000 domain and you migrated some or all of the users to Active Directory (AD) with the AD Migration tool, users who attempt to change their passwords as soon as they receive the Password Change Notification message might receive the following error message:
You do not have permission to change your password.
However, users who choose not to change their passwords when the Password Change Notification message appears (by clicking No) are logged on with their old passwords and then can change their passwords.
This behavior occurs when the Everyone group hasn't been granted the Change Password right on the user object. The pre-logon password change is made over the null session connection established between the workstation and a domain controller, and that anonymous logon relies on the Everyone group's permissions to carry out the change; without the right, the request is refused. An authenticated session, in which the user is already logged on, is not subject to this restriction, which is why users who decline the notification can change their passwords afterwards.
To change the permissions setting for the Everyone group, take the following steps:
Start the AD Users and Computers snap-in (Start, Programs, Administrative Tools, Active Directory Users and Computers).
Select the View menu and enable Advanced Features.
Right-click the container hosting the user object to which you want to grant the Change Password right (e.g., Users), then click Properties.
Select the Security tab. Ensure that the Everyone group is listed in the Name box. If it isn't, click Advanced, then add the Everyone group to the list from the Advanced Access Control Settings dialog box. If the Everyone group is listed, click Advanced.
Click the Everyone group in the list, then click View/Edit to edit the group's permissions. In the Apply Onto box, click User Objects. In the Permissions section, select the Allow check box for "Change Password."
Click OK to accept the changes.
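As an added example (not part of the original article), the following PowerShell script performs the same check and grant from the command line using System.DirectoryServices: it reports whether Everyone already holds the Change Password extended right on user objects under a container and, with the assumed -Fix switch, adds the same ACE the GUI steps create. The container DN is a placeholder; the two GUIDs are the schema's real values for the Change Password right and the user object class.

```powershell
# Added example, not from the original article: audit and optionally grant the
# "Change Password" extended right to Everyone on user objects under a container.
param(
    [string]$ContainerDN = "CN=Users,DC=example,DC=com",  # placeholder: set to your container's DN
    [switch]$Fix                                          # assumed switch: grant the right if missing
)
Add-Type -AssemblyName System.DirectoryServices

# Well-known schema GUIDs (real values)
$changePasswordRight = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'  # Change Password extended right
$userObjectClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class

$everyone  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'   # Everyone
$container = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$ContainerDN"
$acl       = $container.ObjectSecurity

# Look for an ACE that allows Everyone the Change Password right, applied onto user objects
$existing = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.IdentityReference -eq $everyone -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $changePasswordRight -and
        $_.InheritedObjectType -eq $userObjectClass
    }

if ($existing) {
    "OK: Everyone already holds Change Password on user objects under $ContainerDN"
} elseif ($Fix) {
    # Same settings as the GUI: Apply Onto = User Objects, Allow = Change Password
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $everyone,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.Principal.AccessControlType]::Allow,
        $changePasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userObjectClass)
    $acl.AddAccessRule($rule)
    $container.CommitChanges()
    "Granted Change Password on user objects under $ContainerDN to Everyone"
} else {
    "MISSING: Everyone lacks Change Password on user objects under $ContainerDN (re-run with -Fix to grant)"
}
```

Run it as an account that can modify the container's security descriptor; a user object with inheritance disabled (for example, one protected by AdminSDHolder) will not receive the inherited ACE and must be checked individually.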