When password expires, logged on users lose connection to network resources

  • When password expires, logged on users lose connection to network resources

    I have a strange occurrence in my domain. When password expires, logged on users lose connection to network resources and services, such as Outlook and intranet resources. But they are able to connect to shared folders.

    When they try to connect to Outlook and intranet resources they are told their password has expired, and it must be renewed. Obviously they are not able to update the AD password from an Outlook message box.

    We used to have 4 DCs, but last week we demoted the two Server 2003 DCs, and we are now left with only 2008R2 DCs, the DFL/FFL is 2008R2 as well. This problem started to occur after we demoted the 2003 DCs.

    If the user logs off and logs back in, they are able to change their password. That is a workaround, but I want to find a permanent solution to the problem.

    Anyone ever experience this problem?
    Last edited by Balthier; 13th March 2014, 11:42.

  • #2
    Re: When password expires, logged on users lose connection to network resources

    In the Security policy of the DC I can see an account was logged off message, even if the user is still logged on.

    An account was logged off.

    Subject:
    Security ID: domain\user
    Account Name: user
    Account Domain: domain
    Logon ID: 0x1eb0bdb

    Logon Type: 3

    This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

    • #3
      Re: When password expires, logged on users lose connection to network resources

      This is what I call normal, but not an issue.

      - When your user's password has expired or is expiring, Outlook or the intranet won't be able to let your user log on because of the password-expired flag.
      - Users are still able to see the network resources (shared folders etc.) because the shared folder is not using the AD user authentication, but it uses the security group or the user object. Meaning that as long as the network shares are mapped, or if they can access the share path, they should be able to access the resource as long as they are in the access security tab.

      Users must change their password when the password has expired. This is not a workaround, it is a standard procedure. You just need to train users that they should change their passwords when their password is expiring. Otherwise it will prevent them from signing in to the intranet and Outlook. This is the simplest method. You can modify your GPO to notify users when their password is expiring when they are trying to log on to their computer.

      Here is another workaround, but I'm not sure how much you are involved with your Exchange/intranet, and it is way more work doing this... You can change the authentication method to single sign-on. But it still won't resolve the issue, because it will prevent users from authenticating to the network once their password has expired.

      HN

      • #4
        Re: When password expires, logged on users lose connection to network resources

        Ok, then the problem might be that the users are not prompted to change their password at logon. When are they supposed to receive that prompt, the same day their password expires, or at the next logon after their password has expired?

        I am not thinking of the balloon notification that Windows 7 users receive (by default 5 days before their password expires), but rather the prompt you get at logon when your password has expired, which says "your password has expired and must be changed"?

        • #5
          Re: When password expires, logged on users lose connection to network resources

          Originally posted by Balthier
          Ok, then the problem might be that the users are not prompted to change their password at logon. When are they supposed to receive that prompt, the same day their password expires, or at the next logon after their password has expired?

          I am not thinking of the balloon notification that Windows 7 users receive (by default 5 days before their password expires), but rather the prompt you get at logon when your password has expired, which says "your password has expired and must be changed"?
          You are correct. Win2k8 turns off password notification at logon. That is why your users don't know when their password is expired until they log on, then they see a little balloon popup.

          You can enable this notification in your Default Domain GPO. It's under Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options:
          Interactive Logon: Prompt user to change password before expiration.

          Play with those options.
          Note: if you don't want to modify your default GPO, you can create a fresh GPO.

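For finding affected accounts before users hit the expired-password error described in this thread, the following is an added example, not part of any post above. It reads the constructed attribute msDS-UserPasswordExpiryTimeComputed through the ActiveDirectory PowerShell module and lists enabled accounts that are expired, must change at next logon, or expire within `$WarnDays` (an assumed 5-day window; the variable names are this example's own).

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$WarnDays = 5                      # assumption: same window as the 5-day prompt
$now      = Get-Date
$cutoff   = $now.AddDays($WarnDays)

$report = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
    -Properties 'msDS-UserPasswordExpiryTimeComputed', PasswordLastSet, mail |
  ForEach-Object {
    # Expiry as computed by the DC from pwdLastSet and the effective password policy
    # (domain policy or a fine-grained password policy).
    $raw = $_.'msDS-UserPasswordExpiryTimeComputed'

    # Int64.MaxValue: the password never expires under the effective policy.
    if ($null -eq $raw -or $raw -eq [Int64]::MaxValue) { return }

    if ($raw -eq 0) {
        # pwdLastSet is 0: "User must change password at next logon".
        $status  = 'MustChangeAtNextLogon'
        $expires = $null
    } else {
        $expires = [DateTime]::FromFileTime($raw)   # FILETIME -> local DateTime
        if     ($expires -le $now)    { $status = 'Expired' }
        elseif ($expires -le $cutoff) { $status = 'ExpiringSoon' }
        else   { return }             # outside the warning window, skip
    }

    [pscustomobject]@{
        SamAccountName  = $_.SamAccountName
        Status          = $status
        PasswordExpires = $expires
        PasswordLastSet = $_.PasswordLastSet
        Mail            = $_.mail
    }
  }

$report | Sort-Object Status, PasswordExpires | Format-Table -AutoSize
```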


          • #6
            Re: When password expires, logged on users lose connection to network resources

            Thanks, I now understand it's by design.

            I know about the Interactive Logon: Prompt user to change password before expiration (which is 5 days by default in Windows 7), but I was just confused by how the feedback from the users was worded.
