They are not setting the Must Change Password at Next Login
box. Thanks
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, November 02, 2005 8:51 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OWA after resetting password
I am wondering that since this is a helpdesk password reset, are the
helpdesk personel checking the Must Change Password at Next Login box. If that
is checked then the user won't be able to log into OWA until they change their
password themselves.
Phil
On 11/2/05, Peter
Johnson <[EMAIL PROTECTED]>
wrote:
I'm assuming this difference in behavior is due to the fact that an OWA
login is not an interactive login through LSASS. A possible solution is
to get your hands on the ALTOOLS download from Microsoft. One of the
tools in this set is the additional info dll. It allows you to reset the
password on a DC in the site in which the user last logged in.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] ] On Behalf Of Figueroa,
Johnny
Sent: 02 November 2005 15:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OWA after resetting password
Thanks, the AvoidPdcOnWan is not on in our environment and there is no
firewall between the sites. I am waiting to hear from someone that knows
OWA internals, to see if what we see is the case and if there is
anything that can be done about it.
Thanks
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED]] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, November 02, 2005 4:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OWA after resetting password
I'm not an expert on OWA, but as you mentioned in the first part of your
message the DC performs the check against the PDC to see if the password
has been changed. So long as OWA is using a DC to authenticate a user,
which I'm assuming it does, then the DC will handle the PDC check
invisibly.
The replication interval wont have any effect on the PDC getting
notified of the change as a separate mechanism is used to inform the PDC
of the change.
If your OWA is sitting on a secure network along with a selection of
DC's, is it possible that the DC's there can't contact the PDC due to
firewall rules?
Also, check if you're using AvoidPdcOnWan -
http://support.microsoft.com/?kbid=225511
Regards,
Mark.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Figueroa,
Johnny
Sent: 02 November 2005 09:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OWA after resetting password
This is all in an Exchange 2003 and AD 2003 environment.
I wonder if I have this right?. When the help desk resets a password in
ADUC, that password change is made against the DC that the tool is
connected to and the PDC Emulator. If a user logs on to the network the
authenticating DC checks the password against its database, if the
passwords do not match then it goes to the PDC Emulator to resolve the
conflict and the user gets on with the new password.
If a user is only an OWA user and he tries to logon to OWA after a help
desk password reset, it appears that if replication against the DCs in
the Exchange AD site has not happened then the new password is not
recognized. In other words there is a delay between resetting the
password and the user being able to sign on with it. I take it that OWA
does not check against the PDC Emulator but just the DCs in its site.
Is there anything that can be done about this, other than reducing the
interval for replication on the site connector?
Thanks
Johnny Figueroa
Enterprise Network Consultant/Integrator Network Services Banner Health
Voice (602)
495-4195 Fax (602) 495-4406
WARNING: This message, and any attachments, are intended only for the
use of the individual or entity to which it is addressed and may contain
information that is privileged, confidential and exempt from disclosure
under applicable law. If the reader of this message is not the intended
recipient or employee/agent responsible for delivering the message to
the intended recipient, you are hereby notified that any dissemination,
distribution or copying of the communication is strictly prohibited. If
you receive this communication in error, please notify us immediately
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
------------------------------------------------------------------------
For more information about Barclays Capital, please visit our web site
at http://www.barcap.com.
Internet communications are not secure and therefore the Barclays Group
does not accept legal responsibility for the contents of this message.
Although the Barclays Group operates anti-virus programmes, it does not
accept responsibility for any damage whatsoever that is caused by
viruses being passed. Any views or opinions presented are solely those
of the author and do not necessarily represent those of the Barclays
Group. Replies to this email may be monitored by the Barclays Group for
operational or business reasons.
------------------------------------------------------------------------
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
