Issue description
When a user attempts to change their Active Directory password through the ADSelfService Plus portal, the action fails with the following error message:
Change password failed — Unable to change password. May be you are not authorized to perform this action. Contact administrator
Possible causes
Incorrect login format in multi-domain setups: Users are not logging in using the required domainname\username format, leading to domain resolution issues.
Firewall restrictions: Dynamic RPC ports required for communication between the ADSelfService Plus server and the domain controllers are not open.
DMZ deployment issues: The ADSelfService Plus server is hosted in a demilitarized zone (DMZ), where communication with internal AD domain controllers is restricted. (This deployment is not recommended.)
Resolution
Step 1: Verify user login format in multi-domain setups
This is the quickest check and a common issue in environments with multiple domains. If multiple domains are configured in ADSelfService Plus and the domain drop-down is hidden, users must log in using domainname\username. This ensures ADSelfService Plus directs the password change to the correct domain controller.
Step 2: Check firewall port configuration
For password changes to succeed, Active Directory requires specific ports to be open for RPC communication between the ADSelfService Plus server and your domain controllers.
1. Ensure required ports are open:
Verify that your firewall allows bidirectional traffic on the following ports:
Protocol | Port(s) | Description
TCP | 135 | RPC Endpoint Mapper
TCP | 49152–65535 | RPC dynamic port range (Windows Server 2008 and later)
2. Identify the dynamic ports required by a specific domain controller (using PortQry)
You can identify which dynamic ports a specific domain controller is listening on by using the PortQry tool.
Download and install PortQry from Microsoft. Open Command Prompt as an administrator.
Run the following command:
portqry.exe -n <DomainControllerName> -e 135 -p TCP
Look for the output showing the UUID to TCP port mappings. These mappings identify the dynamic RPC ports in use by that domain controller.
Ensure these specific ports are allowed through the firewall between the ADSelfService Plus server and the domain controller.
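The following PowerShell script is an added example that is not part of the ManageEngine article. It parses the endpoint-mapper section of the PortQry output described above to list the dynamic RPC ports a domain controller advertises, then tests port 135 and each dynamic port from the ADSelfService Plus server with Test-NetConnection. The function names, the embedded sample output, the host name dc01.corp.example and the PortQry install path are constructed for illustration.

```powershell
# Added example (not from the ManageEngine article): parse PortQry's endpoint-mapper
# output and test reachability of the advertised dynamic RPC ports from the
# ADSelfService Plus server. Function names, sample output and the host name
# dc01.corp.example are constructed; adjust the PortQry path to your install.

function Get-RpcDynamicPorts {
    [CmdletBinding()]
    param(
        # Raw lines as printed by: portqry.exe -n <DomainControllerName> -e 135 -p TCP
        [Parameter(Mandatory)] [string[]] $PortQryOutput
    )
    # TCP endpoint-mapper entries look like: ncacn_ip_tcp:dc01.corp.example[49158]
    # Named-pipe (ncacn_np) and local (ncalrpc) bindings carry no TCP port and are skipped.
    $ports = foreach ($line in $PortQryOutput) {
        if ($line -match 'ncacn_ip_tcp:[^\[]+\[(\d+)\]') { [int]$Matches[1] }
    }
    $ports | Sort-Object -Unique
}

function Test-DcRpcReachability {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [Parameter(Mandatory)] [int[]]  $DynamicPorts
    )
    # Port 135 (endpoint mapper) must answer before any dynamic port is even looked up.
    $allPorts = @(135) + $DynamicPorts
    foreach ($port in $allPorts) {
        $open = Test-NetConnection -ComputerName $DomainController -Port $port `
                                   -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $DomainController
            Port             = $port
            Reachable        = $open
            InDynamicRange   = ($port -ge 49152 -and $port -le 65535)
        }
    }
}

# --- Offline demonstration with constructed PortQry output ---
$samplePortQry = @'
Querying target system called:
 dc01.corp.example
TCP port 135 (epmap service): LISTENING
Querying Endpoint Mapper Database...
Server's response:

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2 MS NT Directory DRS Interface
ncacn_ip_tcp:dc01.corp.example[49158]

UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_np:dc01.corp.example[\pipe\lsass]

UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_ip_tcp:dc01.corp.example[49155]
'@ -split "`r?`n"

$ports = Get-RpcDynamicPorts -PortQryOutput $samplePortQry
"Dynamic RPC ports advertised: $($ports -join ', ')"    # 49155, 49158 for the sample

# --- Live run from the ADSelfService Plus server (PortQry path is an assumption) ---
# $raw   = & 'C:\PortQryV2\portqry.exe' -n dc01.corp.example -e 135 -p TCP 2>&1
# $ports = Get-RpcDynamicPorts -PortQryOutput ($raw | ForEach-Object { "$_" })
# Test-DcRpcReachability -DomainController dc01.corp.example -DynamicPorts $ports |
#     Format-Table -AutoSize
```

Run the live section on the ADSelfService Plus server itself, since that is the path the firewall must permit. Any row with Reachable set to False while the same port shows LISTENING in PortQry points at a firewall rule between the server and that domain controller; a False on port 135 alone means the endpoint mapper itself is blocked and the dynamic ports are not yet the problem.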
Step 3: Address DMZ installation issues
Placing the ADSelfService Plus server in a demilitarized zone (DMZ) is not a recommended configuration as it can severely restrict the necessary communication with internal domain controllers.
Recommended solution: Move the ADSelfService Plus server from the DMZ to your internal network where it has direct and unrestricted access to the domain controllers.
Alternative: If moving the server is not possible, you must ensure that all required Active Directory ports, including the RPC range listed in Step 2, are explicitly opened in the firewall between the DMZ and your internal network.
Step 4: Contact ADSelfService Plus support for further assistance
If you have performed all the steps above and the issue persists, there may be a specific environmental or database configuration issue. Please contact the ADSelfService Plus support team for advanced troubleshooting.
How to reach support
If the issue persists, contact our support team.