Remote user password expiration and notification

Discussion in 'Active Directory' started by PJBBCF, Nov 25, 2005.

  1. PJBBCF

    PJBBCF Guest

    Folks,

    WinXP Pro clients, Win2000 AD servers

    Someone must have come across this before. Laptop users (who make up 80% of
    our staff) work away from the office most of the time, and their AD passwords
    are set to expire. They use Cisco VPN for remote access, and also sometimes
    visit the office, but most of the time they are using cached credentials.
    They never get any notification of the password expiry, until they find that
    they are locked out and have to call the helpdesk. Only office-based users,
    who always log on to the XP clients and AD simultaneously every time, get the
    warning.

    Is this a design flaw, or is there something wrong with our system
    configuration?

    Thanks

    Peter Brown
    British Cycling
     
    PJBBCF, Nov 25, 2005
    #1

  2. Paul Williams [MVP]

    "Is this a design flaw, or is there something wrong with our system"

    Well, it's not a design flaw. If you don't connect to the domain then you're
    not going to know when your passwords are going to expire. You might also
    find that the dialog to remind you is off:
    -- http://www.msresource.net/content/view/55/48/


    What you can do, is have a web page where users can change their own
    password. You can use the IISADMINPWD that OWA uses (you'll have to
    customise obviously).
     
    Paul Williams [MVP], Nov 25, 2005
    #2

  3. PJBBCF

    PJBBCF Guest

    Paul, Thanks for the reply but this isn't quite right.

    The registry value mentioned in the linked article is set correctly - 14
    days. As I indicated, this works as expected for users in the office.

    "If you don't connect to the domain then you're not going to know when your
    passwords are going to expire."
    The users *are* connecting to the domain on a daily basis. They can access
    all their resources - shares, Exchange, SQL - with no problems until the
    password has expired, then they are denied access. Up until this point they
    receive no notification - it seems you have to be on the local LAN to get this,
    so that the local XP login is simultaneously checking the AD. If you log in
    to XP first, then access the AD/server resources, the notification is missing.

    So I ask again - is this "working as designed". Is this what other people
    are experiencing? If so it seems to be an oversight. Or do we have a
    configuration problem?
     
    PJBBCF, Nov 25, 2005
    #3
  4. PJBBCF

    PJBBCF Guest

    I should also mention:

    OWA / IIS - we are not currently using those systems so it isn't relevant at
    the moment.

    But.....

    We wish to use OWA and/or RPC/HTTPS in the future - wouldn't this add to the
    problem as it is another example of remote access of the AD?
     
    PJBBCF, Nov 25, 2005
    #4
  5. Paul Bergson

    Paul Bergson Guest

    You might think you are authenticating to AD when you attached remotely but
    in fact you are logging in remotely against cached credentials on your local
    machine.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;823731

    When your users join the domain, GPOs, login scripts, etc., SOD procedures
    aren't performed, so they will never get an expiration notice.

    We once wrote a script that searched for all accounts with a date of
    expiration of 5 days or less and it would send an e-mail out to them
    warning them. I would post it but can't find it. It wouldn't be that
    difficult to write.

    --


    Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Paul Bergson, Nov 25, 2005
    #5
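    The expiry-warning script described in the post above, rewritten as an added
    example for a current Windows domain (it is not the poster's script, which was
    never posted). It assumes the ActiveDirectory PowerShell module (RSAT), one
    domain-wide maximum password age with no fine-grained password policies, and
    an internal SMTP relay; the host names smtp.example.internal and
    helpdesk@example.internal are placeholders. Accounts that never expire and
    disabled accounts are skipped, and accounts with pwdLastSet = 0 ("must change
    at next logon") are reported separately, because a laptop user on cached
    credentials cannot satisfy that flag until the next domain logon.

```powershell
# Added example, not from the thread: mail users whose domain password
# expires within $WarnDays. Run daily as a scheduled task under an account
# that can read user objects and relay mail.
param(
    [int]    $WarnDays   = 14,
    [string] $SmtpServer = 'smtp.example.internal',   # hypothetical relay
    [string] $From       = 'helpdesk@example.internal', # hypothetical sender
    [string] $SearchBase = $null,                      # default: whole domain
    [switch] $WhatIf                                    # report only, send nothing
)

Import-Module ActiveDirectory
if (-not $SearchBase) { $SearchBase = (Get-ADDomain).DistinguishedName }

# Assumption: a single domain-wide policy. With fine-grained policies you would
# use Get-ADUserResultantPasswordPolicy per user instead.
$maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
if ($maxAge -eq [TimeSpan]::Zero) { throw 'Domain passwords never expire; nothing to do.' }

$now = Get-Date
$users = Get-ADUser -SearchBase $SearchBase -Properties pwdLastSet, mail -Filter {
    Enabled -eq $true -and PasswordNeverExpires -eq $false -and mail -like '*'
}

foreach ($u in $users) {
    # pwdLastSet = 0: "user must change password at next logon". Mailing them a
    # countdown is pointless; the helpdesk needs to see these directly.
    if ($u.pwdLastSet -eq 0) {
        Write-Warning "$($u.SamAccountName): password change required at next logon"
        continue
    }

    $expires   = [DateTime]::FromFileTime($u.pwdLastSet) + $maxAge
    $remaining = $expires - $now
    if ($remaining.TotalDays -gt $WarnDays) { continue }

    if ($remaining -le [TimeSpan]::Zero) {
        $summary = 'has already expired'
    } else {
        $days    = [Math]::Ceiling($remaining.TotalDays)
        $summary = "expires in $days day(s), on $($expires.ToString('D'))"
    }

    $body = @"
Your domain password $summary.

Connect to the VPN, then press Ctrl+Alt+Del and choose "Change a password".
If it has already expired, call the helpdesk; you cannot change it from a
laptop that is only using cached credentials.
"@

    if ($WhatIf) {
        Write-Host "Would mail $($u.mail): password $summary"
    } else {
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $u.mail `
            -Subject "Your domain password $summary" -Body $body
    }
}
```

    Run it once with -WhatIf to check the candidate list before letting it send
    anything. Keep the message free of links and tell users the sender address in
    advance: an unexpected "your password expires, act now" e-mail is exactly the
    shape of a phishing lure, and the helpdesk will get calls about it either way.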
  6. Paul Williams [MVP]

    Yes, we did something similar for a customer. We also utilised the
    IISADMINPWD for instances where the password had expired.

    You don't need Exchange for this. I simply used the example of OWA as an
    example of explaining what IISADMINPWD is.
     
    Paul Williams [MVP], Nov 25, 2005
    #6
  7. Meatball10

    No, it's not a flaw. Your remote users don't log in interactively, and don't see the default Windows expiration notification. Download a third-party tool, like NetWrix Password Expiration Notifier or The Dot Net AD Self Service Suite. We have used NetWrix for a while, and it sends automated reports to end users any time their password is set to expire within 14 days.
     
    Meatball10, Sep 23, 2012
    #7