password expired but user not prompted to change

  • password expired but user not prompted to change

    Hi everyone.
    Many of our AD domain users are not prompted for a password change although their passwords are expired. For some reason the users just log in normally but naturally can't use any network services such as Outlook/Exchange accounts. Logging out then back in does not force the password change prompt. The only way we're able to make the computer prompt for a password is by checking "user must change password" in AD.
    The computers are connected to the network, so I guess they're not using cached credentials to log in.
    Any ideas on how to solve this?

  • #2
    Re: password expired but user not prompted to change

    Knowing more details might help - without them, we can't begin to diagnose your problem.

    DC OS version?

    Domain and forest functional level?

    Client OS version?

    Presumably the users don't have "cannot change password" ticked?

    Anything in the event logs on the DCs or clients indicating any problems?

    Results of dcdiag on your DCs look ok?

    What have you tried to diagnose this so far?

    How many of your users is "many" and roughly what percentage of your userbase is this?
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.



    • #3
      Re: password expired but user not prompted to change

      Thanks for the quick reply.
      2 domain controllers. One is Windows Server 2003 Standard, the other is Server 2008 Standard.
      Forest functional level is Windows Server 2003 interim
      Domain functional level is Windows Server 2003
      Clients run WinXP
      dcdiag looks OK
      I did not see anything wrong in the event logs
      It is hard to determine the percentage because my only indication that something is wrong is when a user contacts our help desk for not being able to use resources that require domain authentication. I know that users do get reminders that their password is about to expire 14 days in advance, but when their password actually expires they are not prompted to change it on login.

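      One way to find affected accounts before they call the help desk, as an added example that is not part of the original thread: the script below lists enabled accounts whose password has already expired but which are not flagged "User must change password at next logon". It assumes the domain-wide maxPwdAge is the only password policy (true at the 2003 domain functional level described above) and uses ADSI only, so it needs no AD PowerShell module.

```powershell
# Added example (not from the thread). Run as a domain user on a domain member.
$domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
$domain   = [ADSI]"LDAP://$domainDn"

# Read maxPwdAge through a searcher so it is returned as Int64
# (a negative count of 100-nanosecond ticks).
$ds = New-Object System.DirectoryServices.DirectorySearcher($domain, '(objectClass=domainDNS)')
$ds.SearchScope = 'Base'
[void]$ds.PropertiesToLoad.Add('maxpwdage')
$raw = [int64]$ds.FindOne().Properties['maxpwdage'][0]
if ($raw -eq 0 -or $raw -eq [int64]::MinValue) {
    'Domain policy: passwords never expire.'
    return
}
$maxAge = [TimeSpan]::FromTicks(-$raw)

# Enabled user accounts without "Password never expires"
# (userAccountControl bits 2 = disabled, 65536 = password never expires).
$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))'
$users = New-Object System.DirectoryServices.DirectorySearcher($domain, $filter)
$users.PageSize = 500   # page through large directories
'samaccountname', 'pwdlastset' | ForEach-Object { [void]$users.PropertiesToLoad.Add($_) }

$now = [DateTime]::UtcNow
foreach ($r in $users.FindAll()) {
    if ($r.Properties['pwdlastset'].Count -eq 0) { continue }
    $pwdLastSet = [int64]$r.Properties['pwdlastset'][0]
    # 0 means "must change at next logon" is already set; those users get the prompt.
    if ($pwdLastSet -eq 0) { continue }

    $expires = [DateTime]::FromFileTimeUtc($pwdLastSet) + $maxAge
    if ($expires -lt $now) {
        New-Object PSObject -Property @{
            Account     = [string]$r.Properties['samaccountname'][0]
            ExpiredUtc  = $expires
            DaysExpired = [int]($now - $expires).TotalDays
        }
    }
}
```

      Piping the output to `Sort-Object DaysExpired -Descending` shows which accounts have been working on an expired password the longest.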


      • #4
        Re: password expired but user not prompted to change

        Has this EVER worked? I.e., have users EVER been prompted 14 days prior that they need to change their password?


        Is there some sort of security in place that requires a user be logged on before a full network connection is initiated? (say 802.1x?)


        If it lets them log on normally, even though the password is expired, and THEN starts requesting passwords for things, this strongly suggests that cached passwords are being used at initial logon.



        • #5
          Re: password expired but user not prompted to change

          Originally posted by odedz:
          Thanks for the quick reply.
          2 domain controllers. One is Windows Server 2003 Standard, the other is Server 2008 Standard.
          Forest functional level is Windows Server 2003 interim
          Domain functional level is Windows Server 2003
          Clients run WinXP
          dcdiag looks OK
          I did not see anything wrong in the event logs
          It is hard to determine the percentage because my only indication that something is wrong is when a user contacts our help desk for not being able to use resources that require domain authentication. I know that users do get reminders that their password is about to expire 14 days in advance, but when their password actually expires they are not prompted to change it on login.

          In my experience, if the user does not change their password then the only way they can log in is through an admin, by having that admin reset their password. They were given a window of 14 days prior to changing their password and if they miss it they get locked out, it's that simple. Not sure if there is a GPO setting allowing them to change it after they missed the expiration date by using their old password, then having the prompt to change it on the spot.



          • #6
            Re: password expired but user not prompted to change

            Originally posted by tehcamel:
            Is there some sort of security in place that requires a user be logged on before a full network connection is initiated? (say 802.1x?)
            If it lets them log on normally, even though the password is expired, and THEN starts requesting passwords for things, this strongly suggests that cached passwords are being used at initial logon.

            Yeah, this is something that could be quite possible if the users are on laptops using wireless. Wireless can take quite a while to connect sometimes, so on a fairly fast computer without the "always wait for network at logon" GPO enabled, the user can actually boot up the machine and log in using cached credentials before the network is connected.
            Software for IT Pros that I've written: http://www.cjwdev.co.uk/Software.html

            My blog: http://cjwdev.wordpress.com

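            A check for the condition described above, as an added example that is not part of the original thread: it reads the registry value behind the "Always wait for the network at computer startup and logon" policy (SyncForegroundPolicy) and the cached-logon count on one or more clients. It assumes the Remote Registry service is reachable when other machines are checked; with no argument it inspects the local computer.

```powershell
# Added example (not from the thread). Reports, per client, whether a logon can
# complete from cached credentials before the network is available.
param([string[]]$ComputerName = @($env:COMPUTERNAME))

$policyPath   = 'SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
$winlogonPath = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RemoteRegValue($Hive, $Path, $Name) {
    # Returns $null when the key or value does not exist (setting not configured).
    $key = $Hive.OpenSubKey($Path)
    if ($key) {
        try { $key.GetValue($Name) } finally { $key.Close() }
    }
}

foreach ($computer in $ComputerName) {
    try {
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
    } catch {
        Write-Warning "$computer : registry not reachable ($($_.Exception.Message))"
        continue
    }
    $sync   = Get-RemoteRegValue $hive $policyPath   'SyncForegroundPolicy'
    $cached = Get-RemoteRegValue $hive $winlogonPath 'CachedLogonsCount'
    $hive.Close()

    # 1 = the GPO is enabled and logon waits for the network.
    $waitsForNetwork = ($sync -eq 1)
    # CachedLogonsCount is stored as a string; Windows uses 10 when it is absent,
    # and 0 disables cached logons entirely.
    $cacheCount = if ($cached -ne $null) { [int]$cached } else { 10 }

    New-Object PSObject -Property @{
        Computer                         = $computer
        WaitsForNetwork                  = $waitsForNetwork
        CachedLogonsCount                = $cacheCount
        CachedLogonBeforeNetworkPossible = (-not $waitsForNetwork) -and ($cacheCount -gt 0)
    }
}
```

            A client reporting CachedLogonBeforeNetworkPossible as True can let a user with an expired password reach the desktop without ever contacting a domain controller, which matches the symptom in the first post.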