User password change causes all cached profile passwords to be bla

Discussion in 'Active Directory' started by ChetJ, Jul 27, 2006.

  1. ChetJ

    ChetJ Guest

    Windows 2003 Server - AD.

    Within the past week we have seen an issue where when the user passwords
    have either expired or been manually changed by the administrator in AD, the
    stored passwords for items like email (Outlook) have also been affected.
    This has occurred on users who have been prompted to change their password
    due to the password change policy and also when we use the reset password via
    AD.

    The user password for the user on the domain successfully changes and the
    user can log in to their machines and access resources. However, when they
    open MS Outlook and attempt to get their email they are rewarded with the
    password prompt in Outlook as it attempts to log in to their email accounts.
    We do not have an in house Exchange server, so the users are getting their
    email externally.

    What appears to be happening is the user password change is somehow forcing
    the resetting of the password for other profile items.

    Any thoughts?
     
    ChetJ, Jul 27, 2006
    #1

  2. Ace Fekay [MVP]
    In Windows 2003 AD, the password is tied to the user profile PStore. If it
    is changed (not reset), it should handle the change without any problems. If
    it is reset, I can understand what you're seeing, and a reason why once you
    start using EFS, never reset the password unless a recovery agent is
    configured.

    The part where you are saying it happens whether changing or resetting
    doesn't make sense other than if they are trying to logon within one hour of
    the change/reset, which was introduced in SP1.

    Windows Server 2003 Service Pack 1 modifies NTLM network authentication
    behavior
    http://support.microsoft.com/?id=906305

    (Ignore the Tivoli part, but read about the password change issue):
    http://publib.boulder.ibm.com/infoc...com.ibm.itame.doc/am60_webservers_admin88.htm

    I hope that helps.

    --
    Ace
    Innovative IT Concepts, Inc
    Willow Grove, PA

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft MVP - Directory Services
    Microsoft Certified Trainer

    Having difficulty reading or finding responses to your post?
    Instead of the website you're using, I suggest to use OEx (Outlook Express
    or any other newsreader), and configure a news account, pointing to
    news.microsoft.com. This is a direct link to the Microsoft Public
    Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
    to easily find, track threads, cross-post, sort by date, poster's name,
    watched threads or subject.
    It's easy:

    How to Configure OEx for Internet News
    http://support.microsoft.com/?id=171164

    Infinite Diversities in Infinite Combinations
    Assimilation Imminent. Resistance is Futile
    "Very funny Scotty. Now, beam down my clothes."

    The only constant in life is change...
     
    Ace Fekay [MVP], Jul 28, 2006
    #2

  3. Adam

    Adam Guest

    The basic theory is that other applications get to store passwords
    safely, effectively encrypted under the logon password. When the
    password is changed without the user supplying their existing password
    (e.g. when an admin resets it), the usual process of decrypting the stored
    passwords and re-encrypting them under the new password can't happen,
    and they're lost.

    I'm not sure why the contents of protected storage would be lost when a
    user changes their own password when forced to.
     
    Adam, Jul 28, 2006
    #3
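The mechanism Adam describes above, and the reason Ace gives for never resetting a password once EFS is in use unless a recovery agent is configured, are easy to see in a small model. The following is an added example written for this page; it is not code from the thread and not Windows protected-storage code. The cipher is a toy, and the passwords, store name and cached mail password are constructed. It shows why a user-initiated change (old password supplied) keeps the cached secrets, why an administrative reset (old password never supplied) loses them, and how an escrowed recovery key gets them back.

```python
# Added example, not from the original thread: a toy model of password-wrapped
# protected storage. Cipher, names and the sample credential are constructed.
import hashlib
import hmac
import os
import secrets
from typing import Optional


def kdf(password: str, salt: bytes) -> bytes:
    """Wrapping key derived from the logon password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC counter-mode keystream (toy, only to show the key hierarchy)."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag, then decrypt; ValueError means wrong key (or tampering)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class ProtectedStore:
    """Items are sealed under a random master key; the master key is sealed under
    the password-derived key and, optionally, under an escrowed recovery key."""

    def __init__(self, password: str, recovery_key: Optional[bytes] = None):
        self.salt = os.urandom(16)
        master = secrets.token_bytes(32)
        self.wrapped_master = seal(kdf(password, self.salt), master)
        self.recovery_wrapped = seal(recovery_key, master) if recovery_key else None
        self.items = {}
        self._master: Optional[bytes] = master  # unlocked while the user is logged on

    def logoff(self) -> None:
        self._master = None

    def logon(self, password: str) -> bool:
        """Unwrap the master key with whatever password the user typed at logon."""
        try:
            self._master = unseal(kdf(password, self.salt), self.wrapped_master)
            return True
        except ValueError:
            return False  # store stays locked: this is the Outlook password prompt

    def store(self, name: str, secret: bytes) -> None:
        self.items[name] = seal(self._master, secret)

    def retrieve(self, name: str) -> bytes:
        return unseal(self._master, self.items[name])

    def _rewrap(self, master: bytes, new_password: str) -> None:
        self.salt = os.urandom(16)
        self.wrapped_master = seal(kdf(new_password, self.salt), master)

    def change_password(self, old: str, new: str) -> None:
        """User-initiated change: the old password is known, so re-wrap in place."""
        self._rewrap(unseal(kdf(old, self.salt), self.wrapped_master), new)

    def recover(self, recovery_key: bytes, new: str) -> None:
        """After an admin reset: unwrap via the escrowed key, re-wrap under the new password."""
        if self.recovery_wrapped is None:
            raise ValueError("no recovery key was escrowed")
        self._rewrap(unseal(recovery_key, self.recovery_wrapped), new)


def mail_password_survives(admin_reset: bool, recovery_configured: bool) -> bool:
    """Does a cached mail password survive the password event? (constructed scenario)"""
    recovery_key = secrets.token_bytes(32) if recovery_configured else None
    store = ProtectedStore("Summer2006!", recovery_key)
    store.store("outlook:pop3", b"mail-password")  # constructed sample credential
    store.logoff()
    if not admin_reset:
        store.logon("Summer2006!")
        store.change_password("Summer2006!", "Autumn2006!")  # user knows the old password
        store.logoff()
        return store.logon("Autumn2006!") and store.retrieve("outlook:pop3") == b"mail-password"
    # Admin reset: the directory now accepts "Reset123!", but the store is still
    # wrapped under the old password, which nobody supplied.
    if not store.logon("Reset123!"):
        if recovery_key is None:
            return False  # the symptom in the thread: cached passwords are gone
        store.recover(recovery_key, "Reset123!")
        store.logon("Reset123!")
    return store.retrieve("outlook:pop3") == b"mail-password"
```

`mail_password_survives(False, False)` returns True, `mail_password_survives(True, False)` returns False, and `mail_password_survives(True, True)` returns True. The model deliberately has no way for the reset path to recover without the escrowed key: the old password-derived key is the only thing that unwraps the master key, and an administrator who resets the directory password never has it.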
  4. ChetJ

    ChetJ Guest

    I understand the content of the MS KB 906305, but based on the information
    contained within it then any time since SP1 was installed this would have
    been an issue. That is clearly not the case. This issue has come about in
    the past 3 maybe 4 weeks max.

    At first I thought it was an isolated case for one group of users on one
    network, but I have personally witnessed it on two separate networks with
    different domains and different servers. The catalyst appears to be when, as
    the Administrator, I force the user to change their password at the next
    logon session.

    So far, what makes it stranger is this is not global. It does not happen to
    100% of the users who have had their passwords set to force a change.

    Chet
     
    ChetJ, Jul 28, 2006
    #4
  5. Ace Fekay [MVP]
    You know, that article does mention post SP1. For what it's worth, from
    using 2003 since its beta days and pre-SP1, it does the same thing. I was
    aware that Microsoft put this functionality (the PStore tie-in to the password) in as
    one of the changes 2003 introduced. I've also noticed it with one of our
    customers that we set up certificate auto-enrollment for wireless users.
    When one of the admins reset a password for one of the wireless laptop
    users, they could no longer authenticate. I had to manually get them a new
    cert and revoke the old one after they had logged on with the new password.

    Ace
     
    Ace Fekay [MVP], Jul 31, 2006
    #5