Re: How to force PW policies to non domain clients



I've had that double post thing, and I already drink :-)

Juha, as Gregg says, they're already domain users if they have e-mail accounts. But if you meant "remote users" in #2 rather than "non-domain" users, your plan looks perfect to me.


"Gregg Hill" <greggmhill at please do not spam me at yahoo dot com> wrote in message news:uO8DO7iGJHA.3576@xxxxxxxxxxxxxxxxxxxxxxx
Well, that was strange. My response hung in my Outbox from OE, then went twice.

I need to start drinking.

Gregg Hill



"Gregg Hill" <greggmhill at please do not spam me at yahoo dot com> wrote in message news:O$M4$uiGJHA.3928@xxxxxxxxxxxxxxxxxxxxxxx
Hello!

If anyone is authenticating to the SBS for email, they have to be domain
users with domain user accounts and CALs (user or device). Their physical
location has nothing to do with domain "user" accounts. A user's computer
does not need to be joined to the domain in order to use Outlook via RPC
over HTTP for access to their Exchange mail accounts.

Setting up a secure password policy will affect all domain user accounts,
regardless of location. It does not matter whether or not the remote
computer is on the domain...just logging into Outlook using RPC over HTTP
will require them to enter the strong password, or they won't get connected
to the Exchange server for email.

As Cliff noted, the remote users cannot change their own passwords as they
can (if allowed) when on the LAN.

When you stated, "The main application for them is RDP over HTTP Outlook," I
believe you meant "RPC over HTTP" and not RDP. If that is the case, then all
you need is steps 1 and 3.

Gregg Hill



"Juha" <Juha@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4F65731C-6D49-49C5-BB0E-F384D756BC3D@xxxxxxxxxxxxxxxx
Thanks Cliff and Dave!

So I need to do this:

1. Force strong pw policy to domain
2. Manually set secure pw to non-domain users
3. Call them by phone and tell them the new pw.

Is this near best practice?

Juha

"Cliff Galiher" wrote:

Yeah, I realized I wasn't clear in my response. Of course the policy will
apply, but what I meant in my reply is that since the machine is not domain
joined, you cannot change the user's domain password when using Outlook. To
my knowledge, Outlook does not have an interface for changing a password if
it fails to meet the minimum new requirements. It will simply fail to
connect. Obviously less than ideal.

That has been my experience, but it has honestly been a few years since I've
had a scenario where domain users were in a situation where they were never
on the domain thus triggering an appropriate password change...so my
experience may be outdated. :)

-Cliff


"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in message news:ufOTtPcGJHA.3576@xxxxxxxxxxxxxxxxxxxxxxx
> Agreed, but the users still have to use domain accounts to log in to RWW
> or to use Outlook RPC/HTTPS. Password policies would apply to those
> domain accounts regardless of whether the remote PC is domain-joined or
> not. So while they can log into the remote PCs with a weak password, or
> even no password, the remote session will use a domain password that will
> be required to meet the policy.
>
>
> "Cliff Galiher" <cgaliher@xxxxxxxxx> wrote in message
> news:mYKdnTB3He1JP0_VnZ2dnUVZ_rDinZ2d@xxxxxxxxxxxxxx
>> Sounds like a broken setup to me. They would be required to change when
>> they RDP, but NOT when they use Outlook.
>>
>> With that said, to properly enforce security, even remote machines should
>> be members of the domain (hence my broken setup comment.) Deploy member
>> servers as necessary, but you can't have non-domain machines and expect
>> rigid security. That's the trade-off.
>>
>> -Cliff
>>
>>
>> "Juha" <Juha@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:A5DE2B51-3724-4592-906E-2B5BF534D7B8@xxxxxxxxxxxxxxxx
>>> Hi
>>>
>>> My customer wants to implement strong pw policy. I wonder will there be
>>> problems since there are plenty of offshore workers whose PCs are never
>>> joined to the domain. The main application for them is RDP over HTTP
>>> Outlook.
>>>
>>> If I just change the pw policy will they have an opportunity to change
>>> the pw by themselves (while logging in to Outlook) or should this be
>>> done in another way? Which/how?
>>>
>>> Again, thanks in advance. My new biggest customer is pushing me a lot.
>>>
>>> Juha
>>
>
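
Added example, not part of the original thread: since Outlook-only remote users cannot change a domain password themselves and will simply fail to connect, an administrator can list the accounts that need a manual reset and a phone call before that happens. It assumes the ActiveDirectory PowerShell module (RSAT) is available, which the thread does not mention, and the 14-day notice window is an arbitrary choice.

```powershell
# Added example. Assumes the ActiveDirectory (RSAT) module and rights to
# read user attributes; run from a domain-joined admin workstation.
Import-Module ActiveDirectory

$WarnDays = 14                          # assumed notice window, adjust as needed
$Now      = Get-Date
$Cutoff   = $Now.AddDays($WarnDays)

# The default domain policy applies to every domain account,
# whether or not the user's PC is joined to the domain.
Get-ADDefaultDomainPasswordPolicy |
    Format-List MinPasswordLength, ComplexityEnabled, MaxPasswordAge, PasswordHistoryCount |
    Out-Host

$users = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
    -Properties 'msDS-UserPasswordExpiryTimeComputed', PasswordLastSet

$report = foreach ($u in $users) {
    $raw = [int64]$u.'msDS-UserPasswordExpiryTimeComputed'

    if ($raw -eq 0) {
        # pwdLastSet is 0: the account is flagged "must change at next logon",
        # which a remote Outlook-only user has no way to satisfy.
        $status = 'MustChangeNow'; $expires = $null
    }
    elseif ($raw -eq [int64]::MaxValue) {
        continue                        # computed as never expiring
    }
    else {
        $expires = [datetime]::FromFileTime($raw)
        if     ($expires -lt $Now)     { $status = 'Expired' }
        elseif ($expires -le $Cutoff)  { $status = 'ExpiresSoon' }
        else                           { continue }
    }

    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Status          = $status
        Expires         = $expires
        PasswordLastSet = $u.PasswordLastSet
    }
}

# Accounts to reset by hand and contact by phone, most urgent first.
$report | Sort-Object Expires | Format-Table -AutoSize | Out-Host
```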