Expired Passwords

Lee H Member Posts: 1,135
Hi

It's happened twice in the last week

A user has come back after lunch and cannot unlock their PC that they had been logged into before lunch

They knew that their password had to be changed and it was the last day, they didn't know that it would expire at 12.00 or that's what I assume

I changed a user's password on the server but he still could not unlock the PC and get back in, so he lost all the work he had open

Is there anything I can do to stop this happening, on the server that is

lee H
.

Comments

  • blargoe Member Posts: 4,174
    The time of day that it expires correlates to the time of day the last time they changed the password.

    You can't really get granular with how the passwords expire other than how many days you want the password to be valid. Otherwise, you either have a policy or you don't have a policy.

    What is the error message that is returned when they try to log in before you changed their password and after they changed their password?
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • shednik Member Posts: 2,005
    That happens all the time where I work; you'll have to log them off and then they usually can change their password themselves.
  • bighornsheep Member Posts: 1,506
    There's a setting in GPO that forces a password change before the password expires.

    http://technet2.microsoft.com/windowsserver/en/library/c2100bda-5b88-4d79-9611-8a8a65727fd31033.mspx?mfr=true
    Jack of all trades, master of none
  • Lee H Member Posts: 1,135
    Thanks for the help guys

    It has only happened to 2 people in the last week and I don't have the error message

    Their password is expiring whilst they are logged in, so as soon as they lock the PC they are shut out completely

    This has got to be a flaw, imagine the documents you would lose if you didn't save them


    Also, bighornsheep's suggestion about the GPO setting, on the last day of the password being used will it automatically open the enter new password window?


    Thanks in advance


    Lee H
    .
  • blargoe Member Posts: 4,174
    The flaw is these people are too sorry to change their password.
  • spike_tomahawk Member Posts: 43
    After you unlock their account, they can go to another computer, log on, they will be prompted to change their password, after changing then they can go back and log on to the locked machine with the new password, they just changed it to. I see this about 3 to 4 times a week. Don't know if it has to be turned on in GP. I usually give the 2 courses of action speech: you can do the above or you can just restart your machine; most opt for the restart because they are lazy. Hope this helps
  • Lee H Member Posts: 1,135
    Good point blargoe but surely MS should see this as a flaw, how many times have you waited till the last day to change your password, even I do. Users don't expect it to run out halfway through the day and therefore lock them out


    Lee H
    .
  • bighornsheep Member Posts: 1,506
    spike_tomahawk wrote:
    After you unlock their account, they can go to another computer, log on, they will be prompted to change their password, after changing then they can go back and log on to the locked machine with the new password, they just changed it to.

    I am pretty sure this only works if the GP setting "cached credentials" is disabled, and you force "authentication with DC", otherwise the workstation will parse your unlock process locally with the cached logon information.
  • sprkymrk Member Posts: 4,884
    spike_tomahawk wrote:
    After you unlock their account, they can go to another computer, log on, they will be prompted to change their password, after changing then they can go back and log on to the locked machine with the new password, they just changed it to.

    bighornsheep wrote:
    I am pretty sure this only works if the GP setting "cached credentials" is disabled, and you force "authentication with DC", otherwise the workstation will parse your unlock process locally with the cached logon information.

    We do not have "Require domain controller authentication to unlock workstation" set, and we do enable cached logons. We have used Spike's method in the past before we required smart cards and it worked. I believe it is because the computer will only normally resort to cached credentials if the network cable is unplugged or it is unable to contact the DC.
    All things are possible, only believe.
  • bighornsheep Member Posts: 1,506
    sprkymrk wrote:
    We do not have "Require domain controller authentication to unlock workstation" set, and we do enable cached logons. We have used Spike's method in the past before we required smart cards and it worked. I believe it is because the computer will only normally resort to cached credentials if the network cable is unplugged or it is unable to contact the DC.

    Was this in a Win2k3 + XP environment? Or Mix Win2k/Win2k3 + XP/Win2k...I've tried the "login to another workstation method" described above before with XP+Win2k3 and it didn't work, the sysadmin told me it's likely because of cached credentials.
  • sprkymrk Member Posts: 4,884
    sprkymrk wrote:
    We do not have "Require domain controller authentication to unlock workstation" set, and we do enable cached logons. We have used Spike's method in the past before we required smart cards and it worked. I believe it is because the computer will only normally resort to cached credentials if the network cable is unplugged or it is unable to contact the DC.

    Was this in a Win2k3 + XP environment? Or Mix Win2k/Win2k3 + XP/Win2k...I've tried the "login to another workstation method" described above before with XP+Win2k3 and it didn't work, the sysadmin told me it's likely because of cached credentials.

    W2K3+XP
  • Lee H Member Posts: 1,135
    We have a mixed environment also, I will try spike's method as soon as it happens again

    This should not be allowed to happen, our PCs are on a 10 minute lockout so pretty much on the last day of the password being changed it will happen at some point and if your office document hasn't autosaved then that's tough luck

    How can you force a change of password instead of giving option to cancel? As soon as a user logs on in the morning of the last day it should prompt them to enter a new password

    Lee H
    .
  • blargoe Member Posts: 4,174
    It isn't a flaw. If a password policy is set to 30 days, it expires in exactly 30 days, not 29 days and 18 hours or 30 days and 6 hours. I figure that's the only way they can implement it. If there was a set time of say 11:59:59PM when all password expirations are enforced on the day of expiration, then your third shift folks would be the ones out of luck!
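An added example, not part of any post in this thread: the expiry arithmetic blargoe describes, worked from the Active Directory attributes `pwdLastSet` and `maxPwdAge`, used to list accounts whose password will expire during the working day so they can be warned before they lock the PC. It assumes a single domain-wide policy (no fine-grained password policies); the account names, the 30-day policy and all timestamps are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000        # userAccountControl bit
NO_EXPIRY = (0, -0x8000000000000000)  # maxPwdAge values meaning "never expires"

def to_filetime(dt):
    """datetime -> FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def from_filetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def password_expiry(pwd_last_set, max_pwd_age, uac=0):
    """Expiry as datetime; None = never expires; 'must-change' = pwdLastSet is 0."""
    if uac & DONT_EXPIRE_PASSWORD or max_pwd_age in NO_EXPIRY:
        return None
    if pwd_last_set == 0:
        return "must-change"
    # maxPwdAge is stored as a negative tick count, so subtracting adds the age.
    return from_filetime(pwd_last_set - max_pwd_age)

def expiring_between(users, max_pwd_age, start, end):
    """Accounts whose password expires inside [start, end), soonest first."""
    hits = []
    for name, pwd_last_set, uac in users:
        expiry = password_expiry(pwd_last_set, max_pwd_age, uac)
        if isinstance(expiry, datetime) and start <= expiry < end:
            hits.append((name, expiry))
    return sorted(hits, key=lambda h: h[1])

# Constructed sample data: a 30-day policy and four made-up accounts.
MAX_PWD_AGE = -30 * 86_400 * 10_000_000
utc = lambda *a: datetime(*a, tzinfo=timezone.utc)
USERS = [
    ("alice", to_filetime(utc(2007, 3, 1, 12, 0)), 0x200),    # changed at noon
    ("bob",   to_filetime(utc(2007, 3, 5, 9, 30)), 0x200),
    ("svc",   to_filetime(utc(2006, 1, 1, 0, 0)), 0x10200),   # never expires
    ("carol", 0, 0x200),                                      # must change at next logon
]

if __name__ == "__main__":
    day_start, day_end = utc(2007, 3, 31, 8, 0), utc(2007, 3, 31, 18, 0)
    for name, expiry in expiring_between(USERS, MAX_PWD_AGE, day_start, day_end):
        print(f"{name}: expires {expiry:%Y-%m-%d %H:%M} UTC, warn before first lock")
```

The directory stores these timestamps in UTC, so convert to the users' local time before comparing against office hours.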
  • Lee H Member Posts: 1,135
    How can you say it is not a flaw?

    There should be something in place to protect these users from losing work

    How about this - once password has expired and user locks PC, when they re-log into PC it then asks for a change of password as it has now expired, it should not lock them out completely and have them restart PC to get in


    Does anyone agree with blargoe that this isn't a flaw?

    lee h
    .
  • sprkymrk Member Posts: 4,884
    Lee H wrote:
    How can you say it is not a flaw?

    There should be something in place to protect these users from losing work

    How about this - once password has expired and user locks PC, when they re-log into PC it then asks for a change of password as it has now expired, it should not lock them out completely and have them restart PC to get in


    Does anyone agree with blargoe that this isn't a flaw?

    lee h

    It would be nice if they made it so that you could unlock your computer and be immediately met with "You must change your password" before continuing.

    Have you tried unplugging the network cable and unlocking it? It may revert to the cached credentials and let them in.
  • Lee H Member Posts: 1,135
    It has only happened twice, and unplugging the net cable is still only a workaround

    With all that Windows has to offer I am disappointed that this issue exists

    Your typical end user will always put off changing a password till the last day

    Thanks for your help guys, it seems I will just have to live with it

    lee h
    .