RE: Group Policy and password changing



Hi Wayne,

Thank you for your kind update.

>> So will the users NOT get a warning about having to change the password
>> if they only use VPN?
No. Please note that if the password has expired, users will be notified
directly to change the password; however, they will have to log off and
log on again with the new password. Logging off and logging on again is a
required action for password change scenarios.

For your situation, I recommend the following method:
1. Do not use the cached logon.
Instruct your users to log on using the VPN connection directly. To do so:
1. Log off your computer.
2. In the logon screen, press "Ctrl+Alt+Del".
3. Click the Options button, and choose "logon through dial-up connection".
4. Type the new user name and password, and click OK.
5. The system will prompt you to select a dial-up connection; you can then
choose the VPN connection.

>> Concerning the notice to users about the password expiration warning is
>> there a default time set to start with like 10 days or such? Would I
>> modify this
Yes, we suggest you enable the password expiration notification time, so
the customer will receive the password expiration notification before the
password has expired.

>> So the admin account password will have to be changed also?
Yes, since the password policy is at domain level. The password policy
will be deployed to all the clients in the domain.

I appreciate your time and cooperation. If anything is unclear, please feel
free to let me know. I am looking forward to hearing from you.

Best regards,

Nathan Liu (MSFT)
Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
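As an added example (not part of the thread or of Microsoft's guidance): a PowerShell audit of the two Winlogon settings this thread turns on, CachedLogonsCount and the registry value behind the "Interactive logon: Prompt user to change password before expiration" policy, PasswordExpiryWarning (the thread names the policy but not the value). It assumes PowerShell remoting is enabled and the caller is a local administrator on each target; the computer names are constructed.

```powershell
# Added example, not from the thread: audit (and, per host, remediate) the
# Winlogon settings discussed above. Assumes PowerShell remoting is enabled and
# the caller is a local administrator on each target. PasswordExpiryWarning is
# the registry value behind "Interactive logon: Prompt user to change password
# before expiration"; the thread names the policy but not the value.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-WinlogonPasswordSettings {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$MaxCachedLogons = 0,   # 0 = no cached domain logons (the thread's hardening advice)
        [int]$MinWarnDays     = 10   # the warning window Wayne asked about
    )
    $props = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Key) Get-ItemProperty -Path $Key
    } -ArgumentList $WinlogonKey

    # A missing CachedLogonsCount means the OS default of 10 applies.
    # The value may be stored as a string or a DWORD, so cast to [int].
    $cached = if ($null -ne $props.CachedLogonsCount) { [int]$props.CachedLogonsCount } else { 10 }
    $warn   = if ($null -ne $props.PasswordExpiryWarning) { [int]$props.PasswordExpiryWarning } else { $null }

    [pscustomobject]@{
        ComputerName      = $ComputerName
        CachedLogonsCount = $cached
        CachedLogonsOk    = ($cached -le $MaxCachedLogons)
        ExpiryWarningDays = $warn      # $null = OS default applies, flagged for review
        ExpiryWarningOk   = ($null -ne $warn -and $warn -ge $MinWarnDays)
    }
}

function Set-WinlogonPasswordSettings {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$CachedLogons = 0,
        [int]$WarnDays     = 10
    )
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Key, $Cached, $Warn)
        # CachedLogonsCount is conventionally a string value; PasswordExpiryWarning is a DWORD.
        Set-ItemProperty -Path $Key -Name CachedLogonsCount     -Value ([string]$Cached) -Type String
        Set-ItemProperty -Path $Key -Name PasswordExpiryWarning -Value $Warn            -Type DWord
    } -ArgumentList $WinlogonKey, $CachedLogons, $WarnDays
}

# Constructed computer names; report only. Run Set-WinlogonPasswordSettings per host
# once you have confirmed its user can reach a DC (or the VPN) to log on afterwards.
'LAPTOP-01', 'LAPTOP-02' | ForEach-Object { Test-WinlogonPasswordSettings -ComputerName $_ } |
    Format-Table -AutoSize
```

With CachedLogonsCount at 0, a laptop that cannot reach a domain controller has no way to log on with domain credentials at all, which is exactly the lock-out risk raised in question 3 of the thread; audit first, and remediate only hosts whose users will be on the network or VPN when they next log on.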


--------------------
>Thread-Topic: Group Policy and password changing
>thread-index: AcX2koo5E+xa6JoNS72Ze1jJ6e9CAw==
>X-WBNR-Posting-Host: 168.103.198.211
>From: "Wayne" <Wayne@xxxxxxxxxxxxxxxxxxxxxxxxx>
>References: <287D1E90-986B-447B-80D3-1836D49D3AF1@xxxxxxxxxxxxx>
<biVITck9FHA.1240@xxxxxxxxxxxxxxxxxxxxx>
>Subject: RE: Group Policy and password changing
>Date: Thu, 1 Dec 2005 08:16:09 -0800
>Lines: 190
>Message-ID: <4B2D533D-EE20-4712-87DA-AB552CB11D24@xxxxxxxxxxxxx>
>MIME-Version: 1.0
>Content-Type: text/plain;
> charset="Utf-8"
>Content-Transfer-Encoding: 7bit
>X-Newsreader: Microsoft CDO for Windows 2000
>Content-Class: urn:content-classes:message
>Importance: normal
>Priority: normal
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
>Newsgroups: microsoft.public.windows.server.sbs
>NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
>Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGXA03.phx.gbl
>Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.windows.server.sbs:227021
>X-Tomcat-NG: microsoft.public.windows.server.sbs
>
>Thanks for the info. Please clarify the following:
>
>So will the users NOT get a warning about having to change the password if
>they only use VPN?
>
>> >> 2. Will the VPN users get a warning about the required password
>> >> change?
>> Based on my research, changing the password after a password has expired is
>> supported with a dial-up or PPTP VPN connection on Windows NT/2000/XP.
>
>Concerning the notice to users about the password expiration warning is
>there a default time set to start with like 10 days or such? Would I modify
>this
>
>> Additionally, please also enable the password expiration notification time.
>>
>> To change this setting, you may change the number in "Interactive logon:
>> Prompt user to change password before expiration" policy located below:
>> Computer Configuration\Windows Settings\Security Settings\Local
>> Policies\Security Options\
>
>
>So the admin account password will have to be changed also?
>
>> >> 4. If I select password never expires for an account will the group
>> policy override it?
>> Yes, the password policy is at domain level. The password policy will be
>> deployed to all the clients in the domain.
>
>Thanks again, I just want to have all the answers before I throw the switch
>- Wayne
>
>"Nathan Liu [MSFT]" wrote:
>
>> Hello Wayne,
>>
>> Thank you for posting in the SBS newsgroup.
>>
>> >> 1. Will the users using OWA get a warning about the required password
>> >> change?
>> If we have enabled the Change Password feature with Outlook Web Access, the
>> users will get a web page to change password when they try to access OWA.
>>
>> More information:
>> 297121 Using the Change Password feature with Outlook Web Access
>> http://support.microsoft.com/?id=297121
>>
>> >> 2. Will the VPN users get a warning about the required password
>> >> change?
>> Based on my research, changing the password after a password has expired is
>> supported with a dial-up or PPTP VPN connection on Windows NT/2000/XP.
>>
>> 829652 You Cannot Log On After You Correctly Change Your Log On Credentials
>> http://support.microsoft.com/?id=829652
>>
>> 824302 The System Cannot Log You On Now Because the Domain <Domainname
>> Is Not
>> http://support.microsoft.com/?id=824302
>>
>> >> 3. How do you handle the users with a cached profile? Is there a
>> >> danger that they can be locked out of their laptops? What is a good way to
>> >> handle them?
>>
>> Cached Credentials are used to allow users to log on locally after the
>> workstation is disconnected from the network or the DC is not available. By
>> default, the system caches the logon credentials for the past 10 users who
>> logged on interactively. The system provides some protection for the logon
>> credential cache, but if your environment requires a higher level of
>> security, you might want to disable the caching completely because someone
>> could attack it. Keep in mind that the logon cache credentials contain
>> password hashes of other hashes, which makes this data difficult to crack
>> or use for an unauthorized logon attempt. To date, no publicly known
>> exploit of this cache has occurred. To disable credential caching, change
>> the CachedLogonsCount entry (type REG_DWORD, value 0) in the
>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
>> Registry key. For more information, please refer to the following article:
>>
>> 172931 Cached Logon Information
>> http://support.microsoft.com/?id=172931
>>
>> 235480 No Notification When You Log On Using Cached Credentials
>> http://support.microsoft.com/?id=235480
>>
>> 305293 Description of the Windows XP Professional Fast Logon Optimization
>> http://support.microsoft.com/?id=305293
>>
>> 297278 Authentication May Still Be Required When You Use Cached Credentials
>> http://support.microsoft.com/?id=297278
>>
>> Windows XP in a Domain Environment
>> http://www.microsoft.com/windowsxp/home/evaluation/overviews/xpindomain.asp
>>
>> >> 4. If I select password never expires for an account will the group
>> >> policy override it?
>> Yes, the password policy is at domain level. The password policy will be
>> deployed to all the clients in the domain.
>>
>> >> 5. What about users set up for a POP account?
>> These users must manually change the old password to new password in the
>> Outlook POP3 email account profile.
>>
>> Additionally, please also enable the password expiration notification time.
>>
>> To change this setting, you may change the number in "Interactive logon:
>> Prompt user to change password before expiration" policy located below:
>> Computer Configuration\Windows Settings\Security Settings\Local
>> Policies\Security Options\
>>
>> Best regards,
>>
>> Nathan Liu (MSFT)
>> Microsoft CSS Online Newsgroup Support
>>
>>
>>
>> --------------------
>> >Thread-Topic: Group Policy and password changing
>> >thread-index: AcX1/k1nPg7bmNFcTFCy2H/VkWepUw==
>> >X-WBNR-Posting-Host: 168.103.198.211
>> >From: "Wayne" <Wayne@xxxxxxxxxxxxxxxxxxxxxxxxx>
>> >Subject: Group Policy and password changing
>> >Date: Wed, 30 Nov 2005 14:35:02 -0800
>> >Lines: 19
>> >Message-ID: <287D1E90-986B-447B-80D3-1836D49D3AF1@xxxxxxxxxxxxx>
>> >MIME-Version: 1.0
>> >Content-Type: text/plain;
>> > charset="Utf-8"
>> >Content-Transfer-Encoding: 7bit
>> >X-Newsreader: Microsoft CDO for Windows 2000
>> >Content-Class: urn:content-classes:message
>> >Importance: normal
>> >Priority: normal
>> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
>> >Newsgroups: microsoft.public.windows.server.sbs
>> >NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
>> >Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGXA03.phx.gbl
>> >Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.windows.server.sbs:226802
>> >X-Tomcat-NG: microsoft.public.windows.server.sbs
>> >
>> >Hi,
>> >I am getting ready to establish the password policy on a 2003 box. I have a
>> >few concerns. I have about 12 users that are in other countries and only
>> >return to the office a few times a year. I have added the settings for
>> >changing passwords in the IIS/OWA page. Some of the users only use OWA, some
>> >use the MS VPN and regular exchange/outlook. I am not sure how many are
>> >logging onto their laptops using a domain cached profile and who is logging
>> >into a local profile. My concerns are these:
>> >1. Will the users using OWA get a warning about the required password
>> >change?
>> >2. Will the VPN users get a warning about the required password change?
>> >3. How do you handle the users with a cached profile? Is there a danger
>> >that they can be locked out of their laptops? What is a good way to handle
>> >them?
>> >4. If I select password never expires for an account will the group policy
>> >override it?
>> >5. What about users set up for a POP account?
>> >Thanks - Wayne
>> >
>> >
>> >
>>
>>
>
