Re: Problem with password expirations
From: Jimmy Harper [MSFT] (jimmyh_at_microsoft.com)
Date: 06/21/04
- Next message: Matt Vaughan: "Power Management Config in GPO?"
- Previous message: Jimmy Harper [MSFT]: "Re: replace win2k server message says dc for group policy not avai sel"
- In reply to: Brian: "Problem with password expirations"
- Next in thread: anonymous_at_discussions.microsoft.com: "Re: Problem with password expirations"
- Reply: anonymous_at_discussions.microsoft.com: "Re: Problem with password expirations"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 21 Jun 2004 13:24:12 -0500
The first thing I would do here is:
1. Find out which DC authenticated the user when they got the expiry
warning ("set l" at a cmd prompt).
2. Check the pwdlastset attribute for the user on that DC and make sure it
matches the other DCs (verify changes are being properly replicated to this
DC).
-- Jimmy Harper [MSFT] Directory Services This posting is provided "AS IS" with no warranties, and confers no rights "Brian" <anonymous@discussions.microsoft.com> wrote in message news:1e20901c45551$b3ad0870$a301280a@phx.gbl... > Hello, > > We've been having a problem here lately with password > expirations. The machines having problems are Windows 2000 > clients; the domain is served by Windows 2003 Servers. The > default domain policy specifies: > > Enforce password history: 7 passwords remembered > Maximum password age: 30 days > Minimum password age: 1 days > Minimum password length: 9 characters > Password must meet complexity requirements: Enabled > Store passwords using reversible encryption: Disabled > Interactive logon: Prompt user to change password before > expiration: 4 days > > > There are no other domain policies in place and so all the > users are affected by the above default policy. > > The problem is, sometimes, users are prompted at incorrect > times that their password will soon expire and that they > should change it. For one user, they changed their > password last week, yet since that time they have been > prompted 3 or 4 times when they log in that their password > will soon expire and do they wish to change it. I had the > user run a query to check their pwdLastSet and compute > when the password should expire to make sure the settings > are being distributed properly and the query returned the > expected results (password must be changed in ~3 weeks, > was changed last week, etc.) > > Has anyone ever seen a problem like this with a 2000 > client? Any suggestions on how to debug this? I'm not > seeing any relevant errors/warnings in either the DCs' > logs or the client's. We have this problem intermittently > with a few users but not everyone. It isn't causing any > big problems, just a constant annoyance for those few. I'm > really not sure if it is a problem with the policy being > applied incorrectly or what. Posting here as I already > posted in general with no response and this is related to > GPs.. > > Any suggestions would be highly appreciated, thank you.
- Next message: Matt Vaughan: "Power Management Config in GPO?"
- Previous message: Jimmy Harper [MSFT]: "Re: replace win2k server message says dc for group policy not avai sel"
- In reply to: Brian: "Problem with password expirations"
- Next in thread: anonymous_at_discussions.microsoft.com: "Re: Problem with password expirations"
- Reply: anonymous_at_discussions.microsoft.com: "Re: Problem with password expirations"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
