password expiration

  • Thread starter Thread starter mm
  • Start date Start date
M

mm

We have several WinXP notebook users in our Win2000 AD domain. The
notebooks are joined to the domain.

Some of these notebooks are rarely connected to the actual network at our
offices.

The passwords are set to expire.

What will happen to the notebook user when their passwords expire?

I imagine the following will occur:

The passwords are cached on the notebooks locally, along with expiration
dates.
When the date is reached, the notebook will force the user to change the
password.
The staff member is then unable to change the password due to Windows
saying it is unable to contact a Domain Controller.

A colleague says the user will be able to log on to the notebook
indefinitely since Group Policy isn't cached.

I don't think there is a GPO at the moment, and the Account settings are
all set individually in each User object.

Could someone clarify? Thanks in advance.
 
I have never seen any documentation on that subject and the best way to find
out is to test it. Also a user account can be configured to be exempt from
domain password maximum age in the user's account properties in Active
Directory Users and Computers if that is acceptable.

Having said that, my experience is that cached credentials do not expire for
local computer logon. However as soon as the user with expired password
connects to the domain either via lan or VPN, their password will no longer
be good on the domain and they "should" be presented with a message/popup
box that their password has expired and they need to change it right now in
order to gain access to domain resources. You must train your users to
"refresh" their cached credential immediately if they are using them to gain
access to a VPN and change their expired password when prompted to. The
reason is that they may be able to logon to the VPN connection after they
change their expired password BUT their old "cached" password may still be
used and either they can be denied access to resources or their account may
become locked out as they try to access a resource. The way to refresh their
cached credentials is to change their expired password and then right away
lock their computer via control-alt-delete and then unlock it with the "new"
password. Like I said you need to test this out yourself but that has been
my experience. --- Steve
 
Back
Top