Server 2008 not forcing users to change expired passwords

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Server 2008 not forcing users to change expired passwords

    Hi all,

    We are running a mixed environment of Win2k3 and Win2k8 servers in a Win2k forest.

    I have set a password policy through a GPO that forces passwords to expire after a number of days, and to prompt the user to change it. This works perfectly fine on our 2003 servers, but not on our Win2k8 servers.

    On the 2k3 servers, the next login after the password expires prompts them to change their password. However, on our 2k8 servers this does not happen; it still allows the users to log in. Once in, there is a message that appears near the system tray that tells the user their password is about to, or has, expired and they need to change their password.

    As I'm sure you all have experienced, no one pays attention to this alert and they do not change their passwords. Then they start to have issues authenticating with our proxy server, which prompts them to enter their AD credentials. To fix this, we have to either reset their password in AD, or have them try and login to one of our 2k3 servers, which prompts them to change their password. Logging out of the 2k8 server and back in does not seem to work.

    Is it possible for Win2k8 to force a user to change their expired password on login, like it does for our Win2k3 servers?

  • #2
    Re: Server 2008 not forcing users to change expired passwords

    It sounds like you have set the passwords using the Local Computer Policy, or set the GP so that it is only applied to the group containing the 2003 Servers.

    There is no change that is required on the policy to get it to work in 2008 (or at least there was not when I added a 2008 Server).

    I would say the first and best place to start would be to run an RSoP on both servers (as the same user) and make sure that all the Policies are being applied correctly.

    Also, just one last thing: 2008 will not tell you to change the password when you are already logged on; it waits till you're logged off, then asks you to log on and change your password.

    Wofen
    Good to be back....


    • #3
      Re: Server 2008 not forcing users to change expired passwords

      Thanks Wofen,

      The policy is applied to all OUs, as I needed it to apply to every user so it was applied to the entire domain.

      I have also checked the local GP on the server and it has the same settings as the policy applied.

      I have done as you suggested and it looks like the 2k3 and 2k8 servers are getting the same policies. I have attached screenshots from both RSOP on Win2k3 and GPResult on 2k8.

      Any other ideas? Is there any other information I can provide that may help?


      • #4
        Re: Server 2008 not forcing users to change expired passwords

        Are you logging on remotely to this server (via RDP)?

        If so, is NLA (Network Level Authentication) on? If so, read ...http://www.webhostingtalk.com/showthread.php?t=711525

        Are users able to change their password via Ctrl + Alt + Del?

        Also, one quick question.... Why are USERS changing passwords on a Server, and if it's a Terminal Server and you have not mentioned that to us, read my Sig.

        Wofen
        Good to be back....


        • #5
          Re: Server 2008 not forcing users to change expired passwords

          Sorry, I did neglect to mention it is a terminal server.

          NLA is enabled, as our proxy requires it for authentication reasons. I read that article you provided a link to and understand what it is saying, that the only way for it to work is for users to change their password whilst logged in before it expires, or to use a version of an RDP client that doesn't support NLA.

          Is there any way to prompt a user to change their password whilst logged in to a Win2k8 terminal server session? Or at least make the message pop up more obvious?

          Again, the reason being I'm going to continue getting these support issues until we force them to change it, as people unfortunately do not follow instruction well.

          In most cases, we cannot change the RDP client as most clients are WYSE Terminals.


          • #6
            Re: Server 2008 not forcing users to change expired passwords

            I understand and feel your pain (I have exactly the same thing, on less of a scale).

            You could try turning on Classic Sign in, but I do not believe that changes the behaviour.

            Here are some other things for you to try (I am now just google fishing).
            1) Change Security Layer on the TS Server (TSconfig.msc)
            2) You could try This http://www.robertlinquist.com/2009/0...no-change.html

            Other than that, I am thinking you're at the point where you have to do user Training, or Upgrade your Thin clients to support a new version of RDP, as the ones you are currently using do not support Server2008 (As all networking hardware that does, supports NLA).

            So, if none of the above works, then I would look at...
            A) Setting up a Website users can go to (First Link)
            B) Upgrade Hardware so that you're in a Supported Environment.
            C) Setup an Email reminder with a link the user can click (linking to the page in the first option), that emails them daily for the week before their passwords expire. Then to help User training, Create a helpdesk for Password changes that "you get to when you get time". After someone has to explain to their boss why they are unable to do something because they could not be stuffed changing their password, it won't happen again.

            Personally, this is a "feature" MS gave us with 2008, basically to make it more secure, they stopped it interfacing with any other MS product.... safest way to secure something :P

            Wofen
            Good to be back....


            • #7
              Re: Server 2008 not forcing users to change expired passwords

              Can you confirm your password policy is applied to the domain, not to an OU?
              Tom Jones
              MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
              PhD, MSc, FIAP, MIITT
              IT Trainer / Consultant
              Ossian Ltd
              Scotland

              ** Remember to give credit where credit is due and leave reputation points where appropriate **


              • #8
                Re: Server 2008 not forcing users to change expired passwords

                Sorry Wolfen,

                I just thought I'd have another look and check whether NLA is enabled or not, and realised I was getting it confused with NTLM. I had a look at the Remote Desktop Settings of the Win2k8 server and it's set to allow any version of RDP to connect.

                So, it looks like NLA is disabled.

                I can confirm that the proxy is assigned to the entire domain, above all OUs, however the proxy requires NTLM, not NLA.

                Sorry again for the confusion, does this shed any more light and come up with any more possibilities?


                • #9
                  Re: Server 2008 not forcing users to change expired passwords

                  I am going to play around on my server and see if I can re-create what's happening to you (I actually think this is the intended 2008 behaviour) to confirm.

                  Will get back to you once I work out a way to age a single account's password without kicking off 200 live users :P

                  Forgot it's a 2008 TS, our TS is sadly still 2003 here.

                  I can confirm that on a 2008 Application Server (OR DC/Exchange/SQL) it will tell you that your password has expired and must be changed before logging on.
                  Also, I have found some posts about this same issue with a work around. I have NOT tested this, and therefore can give no knowledge other than what's written on the page.

                  Wofen
                  Last edited by Wofen; 11th October 2011, 04:14.
                  Good to be back....


                  • #10
                    Re: Server 2008 not forcing users to change expired passwords

                    Thanks Wolfen, you've been a great help so far!

                    To test it, I believe selecting 'change password on next login' for one user should produce the same results as an expired password.

                    Either that, or change the password to a new one and at the same time select 'user must change the password on next logon'


                    • #11
                      Re: Server 2008 not forcing users to change expired passwords

                      That's alright, we are all here to help.

                      I believe you will have to make a work around, as this is a common complaint about 2008, and MS really did nothing to resolve it (They were meant to release a TS management server that Users logged onto First and were directed to different TS's IIRC).

                      There are some work arounds but none of them too nice (As you can see from my examples).

                      I hope someone else is able to point you in the direction of an answer, as I would like to know if this is possible.

                      Wofen
                      Good to be back....


                      • #12
                        Re: Server 2008 not forcing users to change expired passwords

                        Would you believe I just found a solution!? Please see below:

                        "Please change your security layer to RDP and see if it resolves the issue. To do this, click start--run--tsconfig.msc, double-click RDP-Tcp, change security layer to RDP Security Layer, click ok, then test"

                        I found the solution here:
                        http://msmvps.com/blogs/richardwu/ar...-services.aspx

                        The only drawback is the user now has to click on their username and enter their password (if the RDP shortcut is configured with their username)

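An added audit script (not from the thread or its posters) for the two things this thread turns on: the RDP-Tcp listener security layer that post #12 changes in tsconfig.msc, read through the documented `Win32_TSGeneralSetting` WMI class, and the accounts already in the expired or "must change at next logon" state that post #10 proposes as the test case, read through the RSAT ActiveDirectory module. It assumes both are available on the terminal server and that it runs elevated.

```powershell
# Added example (not from the thread): audit the two things this thread hinges on.
#  1. The RDP-Tcp listener settings that post #12 changes in tsconfig.msc, read
#     from the documented WMI class Win32_TSGeneralSetting
#     (namespace root\cimv2\TerminalServices, Windows Server 2008 and later).
#  2. Which enabled domain users are already expired or flagged "must change at
#     next logon" (the test case post #10 suggests), via the RSAT AD module.
# Run in an elevated PowerShell on the terminal server.

$SecurityLayerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }

function Get-RdpListenerSecurity {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $ts = Get-WmiObject -ComputerName $ComputerName `
        -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy

    # NLA (CredSSP) needs a TLS-capable layer, so selecting "RDP Security Layer"
    # as post #12 does switches NLA off whatever the checkbox says.
    $nlaInEffect = ([int]$ts.SecurityLayer -ne 0) -and [bool]$ts.UserAuthenticationRequired

    [pscustomobject]@{
        Computer                = $ComputerName
        SecurityLayer           = $SecurityLayerNames[[int]$ts.SecurityLayer]
        NlaInEffect             = $nlaInEffect
        # Without NLA the expired password is caught at the Winlogon screen and
        # the user is prompted to change it, which is what the OP wanted back.
        ExpiredPwdPromptAtLogon = -not $nlaInEffect
        # Without a TLS-capable layer the server presents no certificate, so a
        # client cannot verify which host it is sending credentials to.
        TlsCapableLayer         = ([int]$ts.SecurityLayer -ne 0)
    }
}

function Get-UsersNeedingPasswordChange {
    Import-Module ActiveDirectory -ErrorAction Stop
    # PasswordLastSet is $null when pwdLastSet = 0, i.e. "User must change
    # password at next logon" is ticked; PasswordExpired covers normal ageing.
    Get-ADUser -Filter 'Enabled -eq $true' `
        -Properties PasswordExpired, PasswordLastSet, PasswordNeverExpires |
        Where-Object { -not $_.PasswordNeverExpires -and
                       ($_.PasswordExpired -or $null -eq $_.PasswordLastSet) } |
        Select-Object SamAccountName, PasswordLastSet,
            @{ n = 'Reason'; e = { if ($null -eq $_.PasswordLastSet) { 'MustChangeAtNextLogon' } else { 'Expired' } } }
}

Get-RdpListenerSecurity | Format-List
Get-UsersNeedingPasswordChange | Format-Table -AutoSize
```

If `ExpiredPwdPromptAtLogon` is true but `TlsCapableLayer` is false, the server is in the state post #12 describes: users get the change-password prompt at logon, at the cost of clients no longer being able to authenticate the host.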