Re: Password expires for no apparent reason

I am having the same problem with my user passwords. The domain policy is
'not configured' for minimum and maximum password age. Also, 'password never
expires' is set for each user.

Any other ideas?

Thanks!

"Brian Delaney [MSFT]" wrote:

Hi,

Nice to hear from you again Harj. MS has been a great experience, great to
be back in the field. Hope SpecOps is going well with you.

Steve, the minimum password age is there to prevent users from blowing
through the password history in a single day. Lets say you have a password
history of 12 so that users cannot use a previous password until the 13th
password change. Minimum password age is there to prevent the user from
changing their password 13 times in a single day. The must wait 1 day
between each change in your configuration.

As Harj said Account lockouts could potentially be a problem as perhaps the
users password has not expired but they are locked out after a few
unsuccessful attempts.

What I would recommend is the next time this problem happens check the
useraccountcontrol attribute of the user account before resetting the
password. This can be checked with adsiedit.msc or ldp.exe The
useraccountcontrol is a flag that tells the database the status of the
account. Based on this flag we can see if in fact the account password has
expired, the account is locked out or if the account is normal. See
http://support.microsoft.com/kb/305144/ for more information on
useraccountcontrol.

Also, it would be nice if we could try to log the user in at a workstation
when the problem occurs so that we can see what error message windows gives
us trying to log the user on.

Hope this helps,

Brian Delaney
Microsoft Canada
--

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
From: "Harj" <cisqokid@xxxxxxxxx>
Newsgroups: microsoft.public.windows.server.active_directory
Subject: Re: Password expires for no apparent reason
Date: 16 Aug 2006 07:29:54 -0700
Organization: http://groups.google.com

Hi,

Nice to hear from you Mr. Brian Delaney long time no chat. Hope MS is
treating you well.

Steve, this is from your output and you state you have no lockout
policy..


Lockout threshold: 5
Lockout duration (minutes): 30
Lockout observation window (minutes): 30

You say that the admins have to reset the password, but is that because
it is expired or because it is locked out? When your password expires
end users are required to reset their password to meet the requirements
within your Default Domain Policy.
You have to reset a password as an admin if the password is forgotten,
lost, account is locked out.
When an admin reset's the password, do they also have to unlock the
account?

Good luck

Harj Singh
Password Policy done right
www.specopssoft.com


stever wrote:
Yes, we understand about the 120 days, but we've got passwords apparently
expiring after 30, 45, 57 days.

But, now that I think about it, there's a min and max password age. Does
that mean a password can expire at any time within that range? I.e.
should
min & max be the same (120 days) for a password to expire at 120 days?

"Brian Delaney [MSFT]" wrote:

Hi Steve,

Based on the net accounts output you posted from a DC it appears that
there
is a password policy in place which will cause the passwords to expire:
Maximum password age (days): 120

Check the Group Policies, particularly the Default Domain Policy, that
you
have linked at the Domain Level in Active Directory.
Max Password Age is set under:
Computer Configuration\Windows Settings\Account Policies\Password
Policy\Maximum password age

If you wish for passwords to never expire this will need to be
configured
as 0.

Hope this helps,

Brian Delaney
Microsoft Canada
--

This posting is provided "AS IS" with no warranties, and confers no
rights.
--------------------
Thread-Topic: Password expires for no apparent reason
thread-index: AcbAipJe2cjPQQrhTUWC5pqvsGuYhA==
X-WBNR-Posting-Host: 192.188.254.2
From: =?Utf-8?B?c3RldmVy?= <stever@xxxxxxxxxxxxxxxxxxxxxxxxx>
References: <1D79CFC1-2284-4C48-8D10-4F70BF2F793D@xxxxxxxxxxxxx>
<wF4b3oivGHA.1992@xxxxxxxxxxxxxxxxxxxxx>
Subject: RE: Password expires for no apparent reason
Date: Tue, 15 Aug 2006 09:48:02 -0700

1) There is no error. User goes to Sharepoint site and gets login
pop-up.

Enters domain/username & password and control goes right back to login
pop-up. No error text.

2) Not likely they're forgetting. This happens to people who have
been on
the portal. I cannot login when I try either.

3) Will have to try logging in directly.

4)
Force user logoff how long after time expires?: Never
Minimum password age (days): 1
Maximum password age (days): 120
Minimum password length: 6
Length of password history maintained: 10
Lockout threshold: 5
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: PRIMARY


Thanks Brian, let me know if you need anything else...

"Brian Delaney [MSFT]" wrote:

Hi Steve,

I just have a few questions I would like you to answer to gain a
better
understanding of the issue.

What is the verbatim error that the users experience when you know
the
users password needs to be reset?
How many users are experiencing this problem? Is it possible that
they
have just forgotten their password?

If you try to log on to a Windows 2000 or XP desktop that is joined
to
the
domain with one of these problem accounts what is the error that you
receive?

Please run "net accounts" from the command line on a domain
controller
and
post the results so we can verify the domain password policy.


Hope this helps,

Brian Delaney
Microsoft Canada
--

This posting is provided "AS IS" with no warranties, and confers no
rights.
--------------------
Thread-Topic: Password expires for no apparent reason
thread-index: Aca9a+qOjnOssMHcTgi9D9mgAfOEyw==
X-WBNR-Posting-Host: 192.188.254.2
From: =?Utf-8?B?c3RldmVy?= <stever@xxxxxxxxxxxxxxxxxxxxxxxxx>
Subject: Password expires for no apparent reason
Date: Fri, 11 Aug 2006 10:31:02 -0700

Our users login to our sharepoint portal and AD does the username
and
password check.

We having the occurance that passwords have to be reset for a
random
group
of users every few weeks.

However, there's no password expiration set, there no account
lockout
if
too
many failed tries, no inactivity lockout, etc.

Any ideas? Thanks










.

Relevant Pages

  • Re: Password expires for no apparent reason
    ... the minimum password age is there to prevent users from blowing ... As Harj said Account lockouts could potentially be a problem as perhaps ... Password expires for no apparent reason ... Nice to hear from you Mr. Brian Delaney long time no chat. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Password expires for no apparent reason
    ... the minimum password age is there to prevent users from blowing ... As Harj said Account lockouts could potentially be a problem as perhaps the ... Password expires for no apparent reason ... Nice to hear from you Mr. Brian Delaney long time no chat. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Password expires for no apparent reason
    ... go to the server and run rsop.msc and check your password policy, ... expires' is set for each user. ... the minimum password age is there to prevent users from blowing ... As Harj said Account lockouts could potentially be a problem as perhaps the ...
    (microsoft.public.windows.server.active_directory)
  • Re: Password expires for no apparent reason
    ... do not know if the policy was set and then cahnged to 'not defined'. ... the minimum password age is there to prevent users from blowing ... As Harj said Account lockouts could potentially be a problem as perhaps ... Password expires for no apparent reason ...
    (microsoft.public.windows.server.active_directory)
  • Re: Password Policy for remote users
    ... Setting the "password never expires" flag will stop the password from ... to enforce multiple policies and assign them to users, groups, and OUs. ... accounts, and this or the highest priority GPO setting account policies ...
    (microsoft.public.security)
Loading