AD password policy and laptop

Bonno Bloksma
Posted: Fri Feb 13, 2009 11:10 am    Post subject: AD password policy and laptop
Archived from groups: microsoft>public>win2000>active_directory

Hi,

If this isn't the right forum please tell which one is.

Situation:
======
User has a laptop which is part of the AD domain. Domain policy states
password change mandatory every 180 days with a notice 14 days before.
This user has a laptop that is often connected to the network but sometimes
not for several weeks when she is "on the road".

It seems either:
1) the 180 days expired during those few weeks and the 180-14 days was also
during those weeks or
2) The Vista laptop has "sleep mode" as the default action when "shutting
down" the laptop and.. reconnecting is not logging in and therefore does not
produce the warning about password expiration

Of course after a while the user can no longer log in to the laptop.... when it
is connected to the network at logon time.

She CAN log in when the laptop is not connected to the network. ;)
So for the past few weeks, until she got around to telling me about this
weird thing she had with her laptop...... she started her laptop with the
network cable disconnected, logged on, connected to the network and was able
to access the mail, the website etc.

Of course what she did not do was access anything that needed AD credentials
but.... she rarely needed those.
To solve the problem she needed to change her password but she cannot change
her password because she cannot logon, her password has expired. :(
What I did was set the "password never expires" for her, have her log on and
change her password, clear the setting for "password never expires".

Question:
======
Is this in any way solvable in a structured way or will something like this
always involve intervention from an administrator to reset her password?
Was the cause probably situation 1) or 2)?


Bonno Bloksma

Richard Mueller [MVP]
Posted: Fri Feb 13, 2009 11:10 am    Post subject: Re: AD password policy and laptop

This doesn't make sense. Your password can be expired for years and you can
still logon with the old password. It's just that the first time you logon
after the expiration you must change it or you will be rejected. If users
could not logon after their password expired we would have a huge mess.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

Bonno Bloksma
Posted: Fri Feb 13, 2009 1:10 pm    Post subject: Re: AD password policy and laptop

Hi,

Ok, but what else would block her account and release it after I did the
>> What I did was set the "password never expires" for her, have her log on
>> and change her password, clear the setting for "password never expires".
routine?

It clearly did not let her in because her password was expired. Was this
caused then by her not changing the password at the first logon after the
expiration?
There seems to be no "grace logins" mechanism like I know from other OSes
like Novell and our own website.
So a user would never be able to log on again after she failed to change her
password the first time it was required?
If that is so maybe she was in a hurry and thought she could change it at
the next logon, like she can do on our website.

Bonno

Richard Mueller [MVP]
Posted: Fri Feb 13, 2009 2:21 pm    Post subject: Re: AD password policy and laptop

When the password is expired, the user cannot logon until they supply the
old password, then provide a new password. If they make too many attempts
with the old password, the account could be locked out. If your account
lockout duration is forever, then they cannot get in until you unlock the
account, but if the lockout duration is 30 minutes, they can try again after
30 minutes. I don't know what is happening in your case.

You can try this with any account by expiring the password immediately. In
ADUC on the Account tab check "User must change password at next logon".
This immediately expires the password. When the user next attempts to logon
(no matter when that is) they must supply the old password. Then they will
be required to supply a new password.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
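
On the "structured way" question raised in the thread, an administrator can flag accounts before a roaming user hits the expiry. The sketch below is an added example, not code from either poster: it classifies accounts from raw `pwdLastSet` and `userAccountControl` values, using the 180-day and 14-day figures from the first post; the function names and the sample records are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a FILETIME: 100-ns ticks since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit for "Password never expires"

def to_filetime(dt):
    """Convert an aware datetime to FILETIME ticks (used to build the sample data)."""
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def password_state(user, max_age_days, warn_days, now):
    """Return (state, days_left) for one account from its raw attribute values."""
    if user["userAccountControl"] & UF_DONT_EXPIRE_PASSWD:
        return ("never-expires", None)
    if user["pwdLastSet"] == 0:
        # The value written by "User must change password at next logon" in ADUC.
        return ("must-change-at-next-logon", None)
    if max_age_days == 0:  # policy without a maximum password age
        return ("never-expires", None)
    last_set = EPOCH_1601 + timedelta(microseconds=user["pwdLastSet"] // 10)
    remaining = last_set + timedelta(days=max_age_days) - now
    if remaining <= timedelta(0):
        return ("expired", remaining.days)
    if remaining.days <= warn_days:
        return ("expiring-soon", remaining.days)
    return ("ok", remaining.days)

def attention_list(users, max_age_days, warn_days, now):
    """Accounts whose owner should be contacted before the next domain logon."""
    rows = []
    for u in users:
        state, days = password_state(u, max_age_days, warn_days, now)
        if state in ("expired", "expiring-soon", "must-change-at-next-logon"):
            rows.append((u["sAMAccountName"], state, days))
    return rows

NOW = datetime(2009, 2, 13, tzinfo=timezone.utc)  # constructed "today"

def sample(name, uac, age_days):
    """Constructed record; age_days=None means pwdLastSet is 0."""
    pls = 0 if age_days is None else to_filetime(NOW - timedelta(days=age_days))
    return {"sAMAccountName": name, "userAccountControl": uac, "pwdLastSet": pls}

SAMPLE_USERS = [sample("roaming", 0x200, 200), sample("office", 0x200, 170),
                sample("fresh", 0x200, 30), sample("forced", 0x200, None),
                sample("svc", 0x10200, 400)]

if __name__ == "__main__":
    for row in attention_list(SAMPLE_USERS, 180, 14, NOW):
        print(row)
```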