I have a possible solution for the OWA users. I havent used this particular software but we use one of their other products and it works well. I'll let the website speak for itself. But I believe this would provide a means via the web for your users to change their passwords.
http://www.anixis.com/products/ppeweb/default.htm Jeff Cothern -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson Sent: Monday, August 29, 2005 4:36 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Password policy change OWA doesn't have a built in password change function but you can activate the standard IIS password changing module called iisadmpwd which is placed in the options section of the OWA interface. However if the password has expired you be out of luck. Once article that covers this is: http://support.microsoft.com/default.aspx?scid=kb;en-us;297121 Regards Peter Johnson -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: 27 August 2005 08:16 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Password policy change Yep, OWA is Outlook Web Access. If you haven't seen it, it is gorgeous in Exchange 2003. It looks almost exactly like Outlook. Unfortunately, if your password is expired (forced or otherwise) you aren't getting into OWA. I also don't believe it has a password change function if you just want to go and change it, but that could be something that could be enabled. Alternatively you set up another web page to do it. As for the OPs original issue. It all comes down to implementation. You told the system to not allow people to change the password if the password age was less than one day and then were confused when it did exactly that. The reason for it is that there is one attribute for password age, pwdLastSet, and it doesn't distinguish between a helpdesk set operation or a normal password change, they are both password changes and you only want one day between every change. The proper way to handle that case is to force the user's to change their password on next logon (which sets the pwdLastSet to 0), but as you know, that will kill OWA users. So you either need another process to follow for OWA only users, install some third party or custom inhouse tool, or drop the minimum password aging. joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support Sent: Saturday, August 27, 2005 12:09 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Password policy change Your right Aaron, I didn't know what it meant.! I am not an outlook sort of person (we use Notes...), but the inferred statement surprises me. It suggests that if the "must change password" is set, you can't logon to Outlook Web Access. This would suggest that forcing users to change password after (say) 28 days is also a no-no. And, it would also suggest that Outlook Web Access won't let you change your password. If it did, it would surely allow you to logon, then require you to change the password before you do anything.. This all seems unlikely, given Microsoft's recommended use of forcing password changes on a regular basis and forcing users to change a password when a new user is created. If it is all true, maybe you have to provide some way that the users can go to a Citrix portal and change their password there, then go back and use Outlook Web Access. Alan Cuthbertson Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml ----- Original Message ----- From: "Aaron Visser" <[EMAIL PROTECTED]> To: <ActiveDir@mail.activedir.org> Sent: Saturday, August 27, 2005 8:59 AM Subject: Re: [ActiveDir] Password policy change Nevermind OWA = Outlook Web Access On 8/26/05 3:39 PM, "Figueroa, Johnny" <[EMAIL PROTECTED]> wrote: > > I mean, if I use the check box to "user must change password at next logon" > our users whose only way into the domain is OWA will not prompt them > to change > their password... Unless I am missing something. > > Thanks > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of SysPro > Support > Sent: Friday, August 26, 2005 3:19 PM > To: ActiveDir@mail.activedir.org > Subject: Re: [ActiveDir] Password policy change > > Johnny, > > We do exactly what you suggest, change the password and set the "user > must change password at next logon" and they are able to change it, > even within the > "password cannot be changed period". > > What do you mean by "that would effectively lock out the OWA only users"? > > > Alan Cuthbertson > > > Policy Management Software:- > http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml > ADM Template Editor:- > http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml > Policy Log Reporter(Free) > http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.sht > ml > > > > ----- Original Message ----- > From: "Figueroa, Johnny" <[EMAIL PROTECTED]> > To: <ActiveDir@mail.activedir.org> > Sent: Saturday, August 27, 2005 2:56 AM > Subject: RE: [ActiveDir] Password policy change > > > > Help desk sets he password to something "something", tells the user to > change their password to whatever they want it to be and the user can not. I > thought about having the HD check the box that makes it so the user > has to change the password the next time they log in but I think that > would effectively lock out the OWA only users. > > The point is that the HD gets the user going by setting the password > to something generic, then the user is supposed to change it to > whatever they want to keep. > > > Thanks > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] > Sent: Friday, August 26, 2005 9:45 AM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Password policy change > > Which part is "not working" and how is it "not working"? > > > Sincerely, > > Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I > Microsoft MVP - Directory Services > www.readymaids.com - we know IT > www.akomolafe.com > Do you now realize that Today is the Tomorrow you were worried about > Yesterday? -anon > > ________________________________ > > From: [EMAIL PROTECTED] on behalf of Figueroa, Johnny > Sent: Fri 8/26/2005 9:34 AM > To: ActiveDir@mail.activedir.org > Subject: [ActiveDir] Password policy change > > > > > Good morning folks, yesterday I changed the domain password security > to retain password history for 5 passwords and the password can not be changed > for one day. > > Our help desk used to set passwords to a default value when they got a call > from a user and then tell the user to change it to something they > want. It looks like that is not working for them > > Is there anyway around this ? > > Thanks > > Johnny Figueroa > Enterprise Network Consultant/Integrator Network Services Banner > Health Voice (602) > 495-4195 Fax (602) 495-4406 > > WARNING: This message, and any attachments, are intended only for the > use of > the individual or entity to which it is addressed and may contain > information that is privileged, confidential and exempt from > disclosure under applicable law. If the reader of this message is not > the intended recipient or employee/agent responsible for delivering > the message to the intended recipient, you are hereby notified that > any dissemination, distribution or copying of the communication is > strictly prohibited. If you > receive this communication in error, please notify us immediately > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
