RE: Group Policy and password changing
- From: v-natliu@xxxxxxxxxxxxxxxxxxxx ("Nathan Liu [MSFT]")
- Date: Thu, 01 Dec 2005 07:15:49 GMT
Hello Wayne,
Thank you for posting in the SBS newsgroup.
>> 1. Will the users using OWA get a warning about the required password
>> change?
If we have enabled the Change Password feature with Outlook Web Access, the
users will get a web page to change password when they try to access OWA.
More information:
297121 Using the Change Password feature with Outlook Web Access
http://support.microsoft.com/?id=297121
>> 2. Will the VPN users get a warning about the required password change?
Based on my research, changing the password after a password has expired is
supported with a dial-up or PPTP VPN connection on Windows NT/2000/XP.
829652 You Cannot Log On After You Correctly Change Your Log On Credentials
http://support.microsoft.com/?id=829652
824302 The System Cannot Log You On Now Because the Domain <Domainname
Is Not
http://support.microsoft.com/?id=824302
>> 3. How do you handle the users with a cached profile? Is there a
>> danger that they can be locked out of their laptops? What is a good way to
>> handle them?
Cached credentials are used to allow users to log on locally after the
workstation is disconnected from the network or the DC is not available. By
default, the system caches the logon credentials for the past 10 users who
logged on interactively. The system provides some protection for the logon
credential cache, but if your environment requires a higher level of
security, you might want to disable the caching completely because someone
could attack it. Keep in mind that the logon cache credentials contain
password hashes of other hashes, which makes this data difficult to crack
or use for an unauthorized logon attempt. To date, no publicly known
exploit of this cache has occurred. To disable credential caching, change
the CachedLogonsCount entry (type REG_DWORD, value 0) in the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
registry key. For more information, please refer to the following articles:
172931 Cached Logon Information
http://support.microsoft.com/?id=172931
235480 No Notification When You Log On Using Cached Credentials
http://support.microsoft.com/?id=235480
305293 Description of the Windows XP Professional Fast Logon Optimization
http://support.microsoft.com/?id=305293
297278 Authentication May Still Be Required When You Use Cached Credentials
http://support.microsoft.com/?id=297278
Windows XP in a Domain Environment
http://www.microsoft.com/windowsxp/home/evaluation/overviews/xpindomain.asp
>> 4. If I select password never expires for an account will the group
>> policy override it?
Yes, the password policy is at domain level. The password policy will be
deployed to all the clients in the domain.
>> 5. What about users set up for a POP account?
These users must manually change the old password to the new password in the
Outlook POP3 email account profile.
Additionally, please also enable the password expiration notification time.
To change this setting, you may change the number in "Interactive logon:
Prompt user to change password before expiration" policy located below:
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Security Options\
Best regards,
Nathan Liu (MSFT)
Microsoft CSS Online Newsgroup Support
--------------------
>From: "=?Utf-8?B?V2F5bmU=?=" <Wayne@xxxxxxxxxxxxxxxxxxxxxxxxx>
>Subject: Group Policy and password changing
>Date: Wed, 30 Nov 2005 14:35:02 -0800
>
>Hi,
>I am getting ready to establish the password policy on a 2003 box. I have a
>few concerns. I have about 12 users that are in other countries and only
>return to the office a few times a year. I have added the settings for
>changing passwords in the IIS/OWA page. Some of the users only use OWA, some
>use the MS VPN and regular exchange/outlook. I am not sure how many are
>logging onto their laptops using a domain cached profile and who is logging
>into a local profile. My concerns are these:
>1. Will the users using OWA get a warning about the required password
>change?
>2. Will the VPN users get a warning about the required password change?
>3. How do you handle the users with a cached profile? Is there a danger
>that they can be locked out of their laptops? What is a good way to handle
>them?
>4. If I select password never expires for an account will the group policy
>override it?
>5. What about users set up for a POP account?
>Thanks - Wayne
>
>
>
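Added example, not part of the post above: a read-only PowerShell check a laptop owner or administrator can run to see the two Winlogon settings the reply discusses before changing either. PasswordExpiryWarning is the registry value behind the "Prompt user to change password before expiration" policy and is not named in the post; the defaults (10 from the post, 14 assumed) and the MinWarningDays threshold are assumptions of this example.

```powershell
# Added example: read-only check of the Winlogon values discussed in this thread.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-WinlogonSetting {
    param([string] $Name, [int] $AssumedDefault)
    $item = Get-ItemProperty -Path $WinlogonKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: report the default this example assumes, and say so.
        return [pscustomobject]@{ Name = $Name; Value = $AssumedDefault; Source = 'assumed default' }
    }
    # The data may be stored as a string or a DWORD; the [int] cast accepts both.
    [pscustomobject]@{ Name = $Name; Value = [int]$item.$Name; Source = 'registry' }
}

function Test-LogonCachePolicy {
    # MinWarningDays is a hypothetical site threshold for rarely connected users.
    param([int] $MinWarningDays = 14)

    $cache = Get-WinlogonSetting -Name 'CachedLogonsCount' -AssumedDefault 10
    $warn  = Get-WinlogonSetting -Name 'PasswordExpiryWarning' -AssumedDefault 14
    $findings = @()

    if ($cache.Value -eq 0) {
        # Trade-off from question 3: no cache means no logon without a reachable DC.
        $findings += 'Caching is disabled: domain users cannot log on here while no DC is reachable.'
    } else {
        $findings += "Up to $($cache.Value) logons are cached: offline logon works, cache is stored on this machine."
    }
    if ($warn.Value -lt $MinWarningDays) {
        $findings += "Expiry prompt starts $($warn.Value) day(s) ahead, below the $($MinWarningDays)-day threshold."
    }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        CachedLogonsCount = "$($cache.Value) ($($cache.Source))"
        ExpiryWarningDays = "$($warn.Value) ($($warn.Source))"
        Findings          = $findings
    }
}

Test-LogonCachePolicy | Format-List
```

The script only reads the registry; a domain Group Policy that sets either value will overwrite local changes at the next policy refresh.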