Re: AD password policy and laptop
- From: "Bonno Bloksma" <bbloksma@xxxxxxxxx>
- Date: Fri, 13 Feb 2009 17:43:44 +0100
Hi,
User has a laptop which is part of the AD domain. Domain policy states
password change mandatory every 180 days with a notice 14 days before.
This user has a laptop that is often connected to the network but
sometimes not for several weeks when she is "on the road".
It seems either:
1) the 180 days expired during those few weeks and the 180-14 days was
also during those weeks or
2) The Vista laptop has "sleep mode" as the default action when "shutting
down" the laptop and.. reconnecting is not logging in and therefore does
not produce the warning about password expiration
Of course after a while the user can no longer log in to the laptop.... when
it is connected to the network at logon time.
She CAN login when the laptop is not connected to the network. ;-)
So for the past few weeks, until she got around to telling me about this
weird thing she had with her laptop...... she started her laptop with the
network cable disconnected, logged on, connected to the network and was
able to access the mail, the website etc.
Of course what she did not do was access anything that needed AD
credentials but.... she rarely needed those.
To solve the problem she needed to change her password but she cannot
change her password because she cannot logon, her password has expired.
:-(
What I did was set the "password never expires" for her, have her log on
and change her password, clear the setting for "password never expires".
Question:
======
Is this in any way solvable in a structured way or will something like
this always involve intervention from an administrator to reset her
password?
Was the cause probably situation 1) or 2)?
Bonno Bloksma
This doesn't make sense. Your password can be expired for years and you
can still logon with the old password. It's just that the first time you
logon after the expiration you must change it or you will be rejected. If
users could not logon after their password expired we would have a huge
mess.
Ok, but what else would block her account and release it after I did the
routine?
What I did was set the "password never expires" for her, have her log on
and change her password, clear the setting for "password never expires".
It clearly did not let her in because her password was expired. Was this
caused then by her not changing the password at the first logon after the
expiration?
There seems to be no "grace logins" mechanism like I know from other OSes
like Novell and our own website.
So a user would never be able to log on again after she failed to change her
password the first time it was required?
If that is so maybe she was in a hurry and thought she could change it at
the next logon, like she can do on our website.
Bonno