AD password policy and laptop


Bonno Bloksma

Hi,

If this isn't the right forum please tell which one is.

Situation:
======
User has a laptop which is part of the AD domain. Domain policy states
password change mandatory every 180 days with a notice 14 days before.
This user has a laptop that is often connected to the network but sometimes
not for several weeks when she is "on the road".

It seems either:
1) the 180 days expired during those few weeks and the 180-14 days was also
during those weeks, or
2) the Vista laptop has "sleep mode" as the default action when "shutting
down" the laptop and... reconnecting is not logging in and therefore does not
produce the warning about password expiration.

Of course after a while the user can no longer log in to the laptop.... when it
is connected to the network at logon time.

She CAN login when the laptop is not connected to the network. ;-)
So for the past few weeks, until she got around to telling me about this
weird thing she had with her laptop...... she started her laptop with the
network cable disconnected, logged on, connected to the network and was able
to access the mail, the website etc.

Of course what she did not do was access anything that needed AD credentials
but.... she rarely needed those.
To solve the problem she needed to change her password but she cannot change
her password because she cannot logon, her password has expired. :-(
What I did was set the "password never expires" for her, have her log on and
change her password, clear the setting for "password never expires".

Question:
======
Is this in any way solvable in a structured way or will something like this
always involve intervention from an administrator to reset her password?
Was the cause probably situation 1) or 2)?


Bonno Bloksma
 
This doesn't make sense. Your password can be expired for years and you can
still logon with the old password. It's just that the first time you logon
after the expiration you must change it or you will be rejected. If users
could not logon after their password expired we would have a huge mess.
 
Hi,

Ok, but what else would block her account and release it after I did the routine?

It clearly did not let her in because her password was expired. Was this
caused then by her not changing the password at the first logon after the
expiration?
There seems to be no "grace logins" mechanism like I know from other OSes
like Novell and our own website.
So a user would never be able to log on again after she failed to change her
password the first time it was required?
If that is so maybe she was in a hurry and thought she could change it at
the next logon, like she can do on our website.

Bonno
 
When the password is expired, the user cannot logon until they supply the
old password, then provide a new password. If they make too many attempts
with the old password, the account could be locked out. If your account
lockout duration is forever, then they cannot get in until you unlock the
account, but if the lockout duration is 30 minutes, they can try again after
30 minutes. I don't know what is happening in your case.

You can try this with any account by expiring the password immediately. In
ADUC on the Account tab check "User must change password at next logon".
This immediately expires the password. When the user next attempts to logon
(no matter when that is) they must supply the old password. Then they will
be required to supply a new password.
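As an added example (not code from any poster in this thread), the structured alternative to toggling "password never expires" is to find roaming users before their password runs out. The PowerShell report below assumes the RSAT ActiveDirectory module and a domain-joined admin session; the 14-day window is the thread's policy, the 21-day "stale" threshold is a constructed value.

```powershell
# Added example: report users whose password expires within the warning window,
# with how long since the domain last saw them, so laptop users who are "on the
# road" can be warned out-of-band before the password expires.
Import-Module ActiveDirectory

$WarnDays  = 14   # domain policy from the thread: notice 14 days before expiry
$StaleDays = 21   # constructed threshold for "not seen on the network"

$now = Get-Date
# msDS-UserPasswordExpiryTimeComputed is a constructed attribute (FILETIME) that
# already accounts for the domain or fine-grained password policy that applies.
$users = Get-ADUser -Filter "Enabled -eq 'True' -and PasswordNeverExpires -eq 'False'" `
    -Properties 'msDS-UserPasswordExpiryTimeComputed', PasswordLastSet, LastLogonDate

$report = foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 or Int64.MaxValue mean "no expiry"; FromFileTime would throw on MaxValue
    if (-not $raw -or $raw -ge [Int64]::MaxValue) { continue }

    $expires  = [datetime]::FromFileTime($raw)
    $daysLeft = [math]::Floor(($expires - $now).TotalDays)   # negative = already expired
    # LastLogonDate comes from lastLogonTimestamp, which replicates only about every
    # 14 days, so treat it as approximate.
    $lastSeen = if ($u.LastLogonDate) { [math]::Floor(($now - $u.LastLogonDate).TotalDays) } else { $null }

    if ($daysLeft -le $WarnDays) {
        [pscustomobject]@{
            User          = $u.SamAccountName
            PasswordSet   = $u.PasswordLastSet
            ExpiresOn     = $expires
            DaysLeft      = $daysLeft
            DaysSinceSeen = $lastSeen
            Roaming       = ($null -eq $lastSeen -or $lastSeen -ge $StaleDays)
        }
    }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize
```

Rows with a negative DaysLeft are users who, as the reply above explains, will be forced to change the password at their next logon against a domain controller.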