That should work.  :-)

There are actually many web-, phone- and login-prompt- accessible
password change/synchronization/reset applications out there, some of
which support password updates to multiple types of systems, rather than just AD.

<PROMOTIONAL ALERT - CLOSE YOUR EYES TO AVOID ADVERTISING>
  One such is http://psynch.com/
</PROMOTIONAL ALERT - COULDN'T HELP MYSELF>

Linking one of these to OWA should be trivial. With this product, and probably others, you should have no trouble detecting password expiry and bouncing the user to the 'change now' page either.

Good luck,

-- Idan

On Mon, 29 Aug 2005, Cothern Jeff D. Team EITC wrote:

I have a possible solution for the OWA users.  I havent used this particular 
software but we use one of their other products and it works well.  I'll let 
the website speak for itself.  But I believe this would provide a means via the 
web for your users to change their passwords.

http://www.anixis.com/products/ppeweb/default.htm

Jeff Cothern


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, August 29, 2005 4:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

OWA doesn't have a built in password change function but you can activate the 
standard IIS password changing module called iisadmpwd  which is placed in the 
options section of the OWA interface. However if the password has expired you 
be out of luck.

Once article that covers this is:

http://support.microsoft.com/default.aspx?scid=kb;en-us;297121

Regards
Peter Johnson




-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 27 August 2005 08:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

Yep, OWA is Outlook Web Access. If you haven't seen it, it is gorgeous in 
Exchange 2003. It looks almost exactly like Outlook. Unfortunately, if your 
password is expired (forced or otherwise) you aren't getting into OWA. I also 
don't believe it has a password change function if you just want to go and 
change it, but that could be something that could be enabled.
Alternatively you set up another web page to do it.

As for the OPs original issue. It all comes down to implementation. You told 
the system to not allow people to change the password if the password age was 
less than one day and then were confused when it did exactly that. The reason 
for it is that there is one attribute for password age, pwdLastSet, and it 
doesn't distinguish between a helpdesk set operation or a normal password 
change, they are both password changes and you only want one day between every 
change. The proper way to handle that case is to force the user's to change 
their password on next logon (which sets the pwdLastSet to 0), but as you know, 
that will kill OWA users. So you either need another process to follow for OWA 
only users, install some third party or custom inhouse tool, or drop the 
minimum password aging.

  joe


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Saturday, August 27, 2005 12:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change

Your right Aaron, I didn't know what it meant.!

I am not an outlook sort of person (we use Notes...), but the inferred statement 
surprises me. It suggests that if the "must change password" is set, you can't 
logon to Outlook Web Access.

This would suggest that forcing users to change password after (say) 28 days is 
also a no-no.

And, it would also suggest that Outlook Web Access won't let you change your 
password. If it did, it would surely allow you to logon, then require you to 
change  the password before you do anything..

This all seems unlikely, given Microsoft's recommended use of forcing password 
changes on a regular basis and forcing users to change a password when a new 
user is created.

If it is all true, maybe you have to provide some way that the users can go to 
a Citrix portal and change their password there, then go back and use Outlook 
Web Access.

Alan Cuthbertson


 Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml




----- Original Message -----
From: "Aaron Visser" <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>
Sent: Saturday, August 27, 2005 8:59 AM
Subject: Re: [ActiveDir] Password policy change


Nevermind OWA = Outlook Web Access


On 8/26/05 3:39 PM, "Figueroa, Johnny" <[EMAIL PROTECTED]>
wrote:


I mean, if I use the check box to "user must change password at next
logon"
our users whose only way into the domain is OWA will not prompt them
to
change
their password... Unless I am missing something.

Thanks

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of SysPro
Support
Sent: Friday, August 26, 2005 3:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change

Johnny,

We do exactly what you suggest, change the password and set the "user
must change password at next logon" and they are able to change it,
even within
the
"password cannot be changed period".

What do you mean by "that would effectively lock out the OWA only users"?


 Alan Cuthbertson


 Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.sht
ml



----- Original Message -----
From: "Figueroa, Johnny" <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>
Sent: Saturday, August 27, 2005 2:56 AM
Subject: RE: [ActiveDir] Password policy change



Help desk sets he password to something "something", tells the user to
change their password to whatever they want it to be and the user can not.
I
thought about having the HD check the box that makes it so the user
has to change the password the next time they log in but I think that
would effectively lock out the OWA only users.

The point is that the HD gets the user going by setting the password
to something generic, then the user is supposed to change it to
whatever they want to keep.


Thanks

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, August 26, 2005 9:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

Which part is "not working" and how is it "not working"?


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Figueroa, Johnny
Sent: Fri 8/26/2005 9:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Password policy change




Good morning folks, yesterday I changed the domain password security
to retain password history for 5 passwords and the password can not be
changed
for one day.

Our help desk used to set passwords to a default value when they got a
call
from a user and then tell the user to change it to something they
want. It looks like that is not working for them

Is there anyway around this ?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator Network Services Banner
Health Voice (602)
495-4195 Fax (602) 495-4406

WARNING: This message, and any attachments, are intended only for the
use
of
the individual or entity to which it is addressed and may contain
information that is privileged, confidential and exempt from
disclosure under applicable law.  If the reader of this message is not
the intended recipient or employee/agent responsible for delivering
the message to the intended recipient, you are hereby notified that
any dissemination, distribution or copying of the communication is
strictly prohibited.  If
you
receive this communication in error, please notify us immediately

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Reply via email to