Re: AD password policy and laptop




"Bonno Bloksma" <bbloksma@xxxxxxxxx> wrote in message
news:4995a7e3$0$188$e4fe514c@xxxxxxxxxxxxxxxxx
Hi,

User has a laptop which is part of the AD domain. Domain policy states
password change mandatory every 180 days with a notice 14 days before.
This user has a laptop that is often connected to the network but
sometimes not for several weeks when she is "on the road".

It seems either:
1) the 180 days expired during those few weeks and the 180-14 days was
also during those weeks or
2) The Vista laptop has "sleep mode" as the default action when
"shutting down" the laptop and.. reconnecting is not logging in and
therefore does not produce the warning about password expiration

Of course after a while the user can no longer log in to the laptop.... when
it is connected to the network at logon time.

She CAN login when the laptop is not connected to the network. ;-)
So for the past few weeks, until she got around to telling me about
this weird thing she had with her laptop...... she started her laptop
with the network cable disconnected, logged on, connected to the network
and was able to access the mail, the website etc.

Of course what she did not do was access anything that needed AD
credentials but.... she rarely needed those.
To solve the problem she needed to change her password but she cannot
change her password because she cannot logon, her password has expired.
:-(
What I did was set the "password never expires" for her, have her log on
and change her password, clear the setting for "password never expires".

Question:
======
Is this in any way solvable in a structured way or will something like
this always involve intervention from an administrator to reset her
password?
Was the cause probably situation 1) or 2)?


Bonno Bloksma


This doesn't make sense. Your password can be expired for years and you
can still logon with the old password. It's just that the first time you
logon after the expiration you must change it or you will be rejected. If
users could not logon after their password expired we would have a huge
mess.

Ok, but what else would block her account and release it after I did the
What I did was set the "password never expires" for her, have her log on
and change her password, clear the setting for "password never expires".
routine?

It clearly did not let her in because her password was expired. Was this
caused then by her not changing the password at the first logon after the
expiration?
There seems to be no "grace logins" mechanism like I know from other OSes
like Novell and our own website.
So a user would never be able to log on again after she failed to change
her password the first time it was required?
If that is so maybe she was in a hurry and thought she could change it at
the next logon, like she can do on our website.

Bonno


When the password is expired, the user cannot logon until they supply the
old password, then provide a new password. If they make too many attempts
with the old password, the account could be locked out. If your account
lockout duration is forever, then they cannot get in until you unlock the
account, but if the lockout duration is 30 minutes, they can try again after
30 minutes. I don't know what is happening in your case.

You can try this with any account by expiring the password immediately. In
ADUC on the Account tab check "User must change password at next logon".
This immediately expires the password. When the user next attempts to logon
(no matter when that is) they must supply the old password. Then they will
be required to supply a new password.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
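
Added example, not part of any poster's message: a report that classifies accounts by password state from exported `pwdLastSet` and `userAccountControl` values, using the 180-day maximum age and 14-day notice period mentioned in the thread. It assumes a single domain-wide policy; the account names, the reference date and the helper names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Values taken from the thread: 180-day maximum age, 14-day warning.
MAX_PWD_AGE = timedelta(days=180)
WARN_WINDOW = timedelta(days=14)
DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl bit behind "password never expires"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(filetime):
    """pwdLastSet is stored as 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def dt_to_filetime(dt):
    """Inverse conversion, used here only to build the sample data."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def password_state(pwd_last_set, uac, now):
    """Classify one account from its pwdLastSet and userAccountControl values."""
    if uac & DONT_EXPIRE_PASSWORD:
        return "never-expires"      # workaround flag still set: needs clearing
    if pwd_last_set == 0:
        return "must-change"        # "User must change password at next logon"
    expires = filetime_to_dt(pwd_last_set) + MAX_PWD_AGE
    if now >= expires:
        return "expired"
    if now >= expires - WARN_WINDOW:
        return "warning"            # inside the 14-day notice period
    return "ok"


def report(accounts, now):
    """Return {name: state} for every account that needs attention."""
    states = {name: password_state(pls, uac, now) for name, pls, uac in accounts}
    return {name: s for name, s in states.items() if s != "ok"}


# Constructed sample data: (sAMAccountName, pwdLastSet, userAccountControl)
NOW = datetime(2009, 2, 16, tzinfo=timezone.utc)  # constructed reference date
SAMPLE = [
    ("roaming1", dt_to_filetime(NOW - timedelta(days=200)), 0x200),
    ("roaming2", dt_to_filetime(NOW - timedelta(days=170)), 0x200),
    ("office1",  dt_to_filetime(NOW - timedelta(days=30)),  0x200),
    ("fixed1",   dt_to_filetime(NOW - timedelta(days=400)), 0x200 | DONT_EXPIRE_PASSWORD),
    ("reset1",   0,                                         0x200),
]

if __name__ == "__main__":
    for name, state in report(SAMPLE, NOW).items():
        print(f"{name}: {state}")
```

Run on a schedule against a directory export, the "warning" and "expired" rows identify roaming users to contact before the next on-network logon, and the "never-expires" rows catch accounts where the temporary flag was not cleared afterwards.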

