# Solved: Password has expired, access denied



## ktech

New Dell OptiPlex 7010 running Windows 7 Pro 64-bit, originally setup in one office on a domain then moved to another location out of state 2 months ago, is suddenly giving "Your password has expired and must be changed" when it boots up, with no other options available, not even to switch user or shut down. The user account that has always used this computer has never had password expiration turned on in AD so not sure how it would have suddenly gotten that idea into its policy. If I attempt to go ahead and change the password it gives an access denied error because obviously it can't connect to the DC due to being offsite: "Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied."

The only way I can work on this machine is via Logmein so in the morning I'm going to walk the user through booting into Safe Mode to see if they can login as the local Administrator account and if successful have them make sure the security policy is set to password never expires.

In the meantime, would any of you have any other ideas? Much thanks in advance.


----------



## DaveA

If it were me and it is not being used to connect to a Domain network, I would rebuild it back to Factory settings.

If it is to be connected to a Domain network, then it needs to be rebuild for the new domain.


----------



## managed

Not sure if this applies in your situation but should be easier if it does :-

http://gillesperon.blogspot.co.uk/2011/02/tips-manage-your-server-expiration.html


----------



## ktech

managed said:


> Not sure if this applies in your situation but should be easier if it does :-
> 
> http://gillesperon.blogspot.co.uk/2011/02/tips-manage-your-server-expiration.html


Thanks for the article. Unfortunately we can't get it to a command prompt or anywhere other than the "change password" screen to perform this. I had the user boot to all 3 Safe Modes to see if I could get it to login as any user other than the one in question but it always immediately goes to the change password screen for that user. I just told them to ship it back to me to fix. They are extremely computer illiterate so walking them through a Windows install disc over the phone would be a disaster. Very curious as to how it was setup here on the domain, which would have set all the policies, but then at its current location mysteriously changed the password expires policy on its own.


----------



## ktech

I now have the PC back in my office and wired to the domain that it was set up on but it still will not let me change the password or login any other user. When I attempt to change the password it still gives me the "Configuration information could not be read..." error mentioned earlier. The domain controller is most certainly available. And why the complete lock out? It should have never had a password expiration to begin with since AD has always been set to password never expires, but aside from that I don't get why it's insisting that this user change their password and nothing else can occur on this PC until that happens. Other than a user accidentally or intentionally tampering with policy settings on the PC, what else may have caused this? Currently doing a System Restore but I doubt that will resolve this issue.


----------



## ktech

Hmph. System Restore even errored out, unspecified error 0x8000ffff. Nice. Microsoft has a hotfix for that...if only I could login.... 


Time to back up files and do a reinstall.


----------



## managed

Well I reckon you did everything you could. We may never know why it happened.


----------



## DaveA

Time to dig out the DVD and do a clean rebuild!


----------



## Golden_

I see, some passwords can be set to expire at a certain point. However when this happens, usually they can reset it. I suggest what most are suggesting and do a factory reset. Then afterwards make sure the password expire is not enabled and you should be good to go.


----------



## dvk01

That is almost certainly being caused by a flat MOBO battery and the bios time/date is so different to the windows time/date 

You might be able to cure it by changing mobo battery & setting time & date on bios.
It might need the time & date set to a date before the problem started in the bios to allow you to log on using the proper password and then change the users password expiry details 

There appears to be an unspecified bug in some versions of windows when using a domain controller that resets the default wrongly to "expire password" when a bios battery loses power so it cannot read the configuration details


----------



## ktech

dvk01 said:


> That is almost certainly being caused by a flat MOBO battery and the bios time/date is so different to the windows time/date
> 
> You might be able to cure it by changing mobo battery & setting time & date on bios.
> It might need the time & date set to a date before the problem started in the bios to allow you to log on using the proper password and then change the users password expiry details
> 
> There appears to be an unspecified bug in some versions of windows when using a domain controller that resets the default wrongly to "expire password" when a bios battery loses power so it cannot read the configuration details


Thanks dvk01. The battery was fine but setting the BIOS date back to before the password change request did the trick. Come to find out the cause of this scenario was a combination of things. For one, the user removed the domain and put on workgroup which caused it to default to a 42 day password change requirement. For two, the system also runs a security camera DVR software which requires the computer to auto login the user. This is why it wouldn't allow me to switch to another user because it was automatically trying to login as the one user account. I set the password change days to 0 in local security policy, set the time back to normal and all is well.


----------



## dvk01

glad we could point you in the right direction


----------



## managed

I found out about that 42 days default thing when a Digital Picture Frame I made that's running BartPE suddenly (well, 42 days after setting it going actually) wanted a new password.

I'd like to think they used 42 days in honour of Douglas Adams but that's something we may _really_ never know !

Glad you got it sorted though.


----------

