"Unable to change password on this account (C00000BE)" error message when you try to change a password (833373)


The information in this article applies to:

  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, 64-Bit Enterprise Edition
  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition

SYMPTOMS

When you try to perform operations that must use a samr named pipe, the client may receive an error message that is similar to the following error message:
Unable to change password on this account (C00000BE)


A network trace may return the following information: 0xC000009A = STATUS_INSUFFICIENT_RESOURCES

CAUSE

Microsoft Windows Server 2003 supports 1024 sessions to pipe\samr that use different security contexts. If the limit is reached, a Windows Server 2003 domain controller returns the "STATUS_INSUFFICIENT_RESOURCES" error message. Typically, a pipe connection is closed very quickly after it is used. The symptom that is described in this article may only occur if clients leak to pipe and do not send a close request to the domain controller.

Microsoft Windows NT 4.0 and Windows 2000 domain controllers have the same problem when the pipe\samr limit of 2048 is reached.

The issue described in this article has been reported with Windows NT client computers that have had the following Microsoft security update installed:

828035 MS03-043: Buffer Overrun in Messenger Service Could Allow Code Execution

RESOLUTION

You may be able to resolve this issue by installing the update described in the Microsoft Knowledge Base article Q831579.

Note: This fix applies to computers that experience this issue with the Security Update MS03-043 described earlier in this article.

For additional information about how to obtain and install an update to resolve this issue, click the following article number to view the article in the Microsoft Knowledge Base:

831579 Windows NT 4.0 Client Computers Have Multiple Network-Related Problems After You Install the KB828035 Security Update

WORKAROUND

To work around this issue, you may use the following script to create a snapshot of currently opened files, extract all pipe\samr related connections and then close them. To do this, copy the following code to a script file. For example, copy the following code to the Del_samr.cmd file: 
net files ID_of_leaked_pipe /close
where the pipe ID is retrieved from 
find /i "pipe\samr" net_files_output.txt
For example: 
net files >all_pipes.txt
find /i "\pipe\samr" all_pipes.txt >samr_pipes.txt
@for /f %%a in (samr_pipes.txt) do @net file %%a /close

MORE INFORMATION

SAM context handle limits

The Windows security account manager (SAM) server component is a remote procedure call (RPC) server that is based on context handles. Every client creates a stateful connection to the SAM while the client requests a sequence of services from the SAM server. To help protect the server from memory exhaustion, SAM enforces limits on the number of concurrent open handles. This limit on the number of concurrent open handles is similar to the limits that TCP can have on the total number of connections.

The limit for Windows NT 4.0 and Windows 2000

In Windows NT 4.0 and Windows 2000, there is a maximum of 2048 handles. This limit holds regardless of the security identity of the client or network addresses. The clients and the network addresses may be local or remote. If you know what kind of handle was leaked, it may be easier to find the offender.

The limit for Windows Server 2003

Windows Server 2003 tracks context handles on the Security Identifier (SID) of the caller. (The SID of the caller is the result of the RpcImpersonateClient function). You can have 1024 total number of individual clients, and each client can have 2048 active handles at the same time. There is no count of the total number of contexts.

Note The 838184 hotifx for Microsoft Windows Server 2003 raised the total number of indivudual clients from 1024 to 2048. For additional information about how to obtain this hotfix, click the following article number to view the article in the Microsoft Knowledge Base:

838184 Error messages occur when you modify objects in Active Directory in Windows Server 2003

Troubleshooting

The SAM RPC connection uses the "named pipe" transport. Therefore, you can use the net sess and the net files commands to track connections. The following examples show sample output that was obtained from a domain controller by using these: 
C:\>net files 

ID         Path                         User name            # Locks 

----------------------------------------------------------------------- 
8          \PIPE\samr                   ADMINISTRATOR         0 
10         \PIPE\samr                   ADMINISTRATOR         0 
The command completed successfully. 


C:\>net sess 

Computer         User name            Client Type       Opens Idle time 

----------------------------------------------------------------------- 
\\172.26.221.19  ADMINISTRATOR        Windows 2002 2600     2 00:00:00 

The command completed successfully.
These examples demonstrate that "Administrator" has two separate RPC context handles open at the same time. This information is helpful for the following reasons:
  • You can run down the SAM RPC context by closing the \pipe\samr files. To do so, you can use the net files 8 /close command.
  • The output shows the security context of users who have open handles. This example shows the client computer. However, it is not always easy to match the file ID to a computer. By design, Windows does not give this information to programs.
Note When the connection anonymous (also known as a null session), the user name field is blank for both commands.
Modification Type:MinorLast Reviewed:2/15/2005
Keywords:kbbug KB833373
©2004 Microsoft Corporation. All rights reserved.