Not sure what you mean - but let me show what I've tried:

The DMZ forest is dmz.example.com, while production is example.com
(don't yell, I didn't set up the DMZ forest). I press ALT+CTRL+DEL on
my machine in the production forest, and select "Change a password"
(I'm running Win8.1), then type in the ID and old password and new
password in the relevant fields.

For the ID, I've tried [email protected], [email protected],
dmz.example.com\kurt-dmz and dmz.example\kurt-dmz, and get the same
error message in all cases.

I've also tried using the name of the DC -
[email protected] - and get the same error message.

Kurt

On Thu, Feb 18, 2016 at 7:53 AM, Miller Bonnie L.
<[email protected]> wrote:
> Do you get the same results with netbios vs UPN logon?
>
> -Bonnie
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] 
> On Behalf Of Kurt Buff
> Sent: Wednesday, February 17, 2016 1:41 PM
> To: ntsysadm <[email protected]>
> Subject: [NTSysADM] My ignorance is showing again...
>
> We have two separate, untrusted forests - DMZ and production.
>
> Production is at DFL/FFL 2008.
> DMZ is at DFL/FFL 2012R2
>
> I changed a password for an account in the DMZ forest, setting it to require 
> change at next logon.
>
> User cannot RDP from machine in production forest to machine in DMZ forest 
> because the password must be changed first.
>
> User cannot change password on machine in production forest for account in 
> DMZ forest using ALT+CTRL+DEL, because he's getting the
> message:
>
>       "configuration information could not be read from the domain controller,
>      either because the machine is unavailable, or access has been denied."
>
> I know I can unset the requirement to change the password at next logon, but 
> that seems silly, because then I can't enforce having him change it without 
> standing over his shoulder while he does it.
>
> How the heck can I do this? I've tried with my own user accounts, and have 
> confirmed the problem.
>
> Kurt
>
>

