I have a possible solution for the OWA users. I havent used this particular
software but we use one of their other products and it works well. I'll let
the website speak for itself. But I believe this would provide a means via the
web for your users to change their passwords.
http://www.anixis.com/products/ppeweb/default.htm
Jeff Cothern
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, August 29, 2005 4:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change
OWA doesn't have a built in password change function but you can activate the
standard IIS password changing module called iisadmpwd which is placed in the
options section of the OWA interface. However if the password has expired you
be out of luck.
Once article that covers this is:
http://support.microsoft.com/default.aspx?scid=kb;en-us;297121
Regards
Peter Johnson
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 27 August 2005 08:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change
Yep, OWA is Outlook Web Access. If you haven't seen it, it is gorgeous in
Exchange 2003. It looks almost exactly like Outlook. Unfortunately, if your
password is expired (forced or otherwise) you aren't getting into OWA. I also
don't believe it has a password change function if you just want to go and
change it, but that could be something that could be enabled.
Alternatively you set up another web page to do it.
As for the OPs original issue. It all comes down to implementation. You told
the system to not allow people to change the password if the password age was
less than one day and then were confused when it did exactly that. The reason
for it is that there is one attribute for password age, pwdLastSet, and it
doesn't distinguish between a helpdesk set operation or a normal password
change, they are both password changes and you only want one day between every
change. The proper way to handle that case is to force the user's to change
their password on next logon (which sets the pwdLastSet to 0), but as you know,
that will kill OWA users. So you either need another process to follow for OWA
only users, install some third party or custom inhouse tool, or drop the
minimum password aging.
joe
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Saturday, August 27, 2005 12:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change
Your right Aaron, I didn't know what it meant.!
I am not an outlook sort of person (we use Notes...), but the inferred statement
surprises me. It suggests that if the "must change password" is set, you can't
logon to Outlook Web Access.
This would suggest that forcing users to change password after (say) 28 days is
also a no-no.
And, it would also suggest that Outlook Web Access won't let you change your
password. If it did, it would surely allow you to logon, then require you to
change the password before you do anything..
This all seems unlikely, given Microsoft's recommended use of forcing password
changes on a regular basis and forcing users to change a password when a new
user is created.
If it is all true, maybe you have to provide some way that the users can go to
a Citrix portal and change their password there, then go back and use Outlook
Web Access.
Alan Cuthbertson
Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
----- Original Message -----
From: "Aaron Visser" <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>
Sent: Saturday, August 27, 2005 8:59 AM
Subject: Re: [ActiveDir] Password policy change
Nevermind OWA = Outlook Web Access
On 8/26/05 3:39 PM, "Figueroa, Johnny" <[EMAIL PROTECTED]>
wrote:
I mean, if I use the check box to "user must change password at next
logon"
our users whose only way into the domain is OWA will not prompt them
to
change
their password... Unless I am missing something.
Thanks
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of SysPro
Support
Sent: Friday, August 26, 2005 3:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change
Johnny,
We do exactly what you suggest, change the password and set the "user
must change password at next logon" and they are able to change it,
even within
the
"password cannot be changed period".
What do you mean by "that would effectively lock out the OWA only users"?
Alan Cuthbertson
Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.sht
ml
----- Original Message -----
From: "Figueroa, Johnny" <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>
Sent: Saturday, August 27, 2005 2:56 AM
Subject: RE: [ActiveDir] Password policy change
Help desk sets he password to something "something", tells the user to
change their password to whatever they want it to be and the user can not.
I
thought about having the HD check the box that makes it so the user
has to change the password the next time they log in but I think that
would effectively lock out the OWA only users.
The point is that the HD gets the user going by setting the password
to something generic, then the user is supposed to change it to
whatever they want to keep.
Thanks
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, August 26, 2005 9:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change
Which part is "not working" and how is it "not working"?
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
________________________________
From: [EMAIL PROTECTED] on behalf of Figueroa, Johnny
Sent: Fri 8/26/2005 9:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Password policy change
Good morning folks, yesterday I changed the domain password security
to retain password history for 5 passwords and the password can not be
changed
for one day.
Our help desk used to set passwords to a default value when they got a
call
from a user and then tell the user to change it to something they
want. It looks like that is not working for them
Is there anyway around this ?
Thanks
Johnny Figueroa
Enterprise Network Consultant/Integrator Network Services Banner
Health Voice (602)
495-4195 Fax (602) 495-4406
WARNING: This message, and any attachments, are intended only for the
use
of
the individual or entity to which it is addressed and may contain
information that is privileged, confidential and exempt from
disclosure under applicable law. If the reader of this message is not
the intended recipient or employee/agent responsible for delivering
the message to the intended recipient, you are hereby notified that
any dissemination, distribution or copying of the communication is
strictly prohibited. If
you
receive this communication in error, please notify us immediately
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/