RE: [ActiveDir] Password Policy change

2006-06-09 Thread Darren Mar-Elia
Password policy changes for domain user accounts can only take effect if
they are linked to a GPO at the domain level. I have a short video training
session that explains this at www.gpoguy.com/training.htm if you're
interested in understanding more.

So, bottom line is that if you're making password complexity changes to
domain user accounts, it must be done on a GPO linked at the domain level.
Since the Default DC Policy is linked at the OU level, it won't affect
anything.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out
www.gpoguy.com-- the best source for GPO tips, tools and whitepapers. Also
check out the Windows Group Policy Guide, a soup-to-nuts resource for Group
Policy information.
 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chris Flesher
Sent: Friday, June 09, 2006 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Password Policy change

Hello,

When the default domain controller policy is changed in respect to password
complexity, length, etc., how long is it before the change takes effect? We
have an automated system that is trying to change passwords but is getting
bounced back that the password doesn't meet complexity. I changed the policy
about 45 minutes ago and it has propagated to all DCs.

Any info would be appreciated.

Christopher Flesher
The University of Chicago
NSIT/DCS
(773)-834-8477
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
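
A read-only way to check the point in Darren's reply on a current domain, as an added example that is not part of the original thread: it shows the password policy domain accounts are held to, and which GPOs linked at the domain root versus the Domain Controllers OU carry password settings. It assumes the ActiveDirectory and GroupPolicy PowerShell modules; the helper name `Get-LinkedGpoPasswordSettings` and the XPath used on the `Get-GPOReport` XML are assumptions of this example.

```powershell
# Added example, not from the thread. Read-only.
# Requires the ActiveDirectory and GroupPolicy modules (RSAT).
Import-Module ActiveDirectory, GroupPolicy

function Get-LinkedGpoPasswordSettings {        # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $TargetDN,     # container the GPOs are linked to
        [Parameter(Mandatory)] [bool]   $IsDomainRoot  # $true only for the domain head
    )
    # GpoLinks holds only the GPOs linked directly at $TargetDN (not inherited ones).
    foreach ($link in (Get-GPInheritance -Target $TargetDN).GpoLinks) {
        [xml]$report = Get-GPOReport -Guid $link.GpoId -ReportType Xml

        # Assumption: the XML report lists account policy as <Account> elements whose
        # <Type> child is "Password". Namespace prefixes vary, hence local-name().
        $nodes = $report.SelectNodes(
            "//*[local-name()='Account'][*[local-name()='Type']='Password']")
        $names = @(foreach ($n in $nodes) {
            $n.SelectSingleNode("*[local-name()='Name']").InnerText
        })

        [pscustomobject]@{
            LinkedAt               = $TargetDN
            Gpo                    = $link.DisplayName
            LinkEnabled            = $link.Enabled
            PasswordSettings       = $names -join ', '
            # Only an enabled link at the domain root can set the policy for domain accounts.
            CanReachDomainAccounts = ($IsDomainRoot -and $link.Enabled -and $names.Count -gt 0)
        }
    }
}

$domain = Get-ADDomain

# 1. The policy domain accounts are actually held to (stored on the domain object).
Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot |
    Format-List ComplexityEnabled, MinPasswordLength, MinPasswordAge,
                MaxPasswordAge, PasswordHistoryCount |
    Out-Host

# 2. Password settings found in GPOs linked at the domain root and at the DC OU.
$rows  = @()
$rows += Get-LinkedGpoPasswordSettings -TargetDN $domain.DistinguishedName -IsDomainRoot $true
$rows += Get-LinkedGpoPasswordSettings -TargetDN $domain.DomainControllersContainer -IsDomainRoot $false
$rows | Format-Table -AutoSize | Out-Host

# 3. Flag the situation from the thread: password settings edited in a GPO that is
#    not linked (or not enabled) at the domain level.
$rows | Where-Object { $_.PasswordSettings -and -not $_.CanReachDomainAccounts } |
    ForEach-Object {
        Write-Warning ("'{0}' linked at {1} defines [{2}] but does not set the policy for domain accounts." -f
            $_.Gpo, $_.LinkedAt, $_.PasswordSettings)
    }
```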



RE: [ActiveDir] Password policy change

2005-08-29 Thread Peter Johnson
OWA doesn't have a built-in password change function but you can activate the
standard IIS password changing module called iisadmpwd, which is placed in the
options section of the OWA interface. However if the password has expired you'll
be out of luck.

One article that covers this is:

http://support.microsoft.com/default.aspx?scid=kb;en-us;297121

Regards
Peter Johnson




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 27 August 2005 08:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

Yep, OWA is Outlook Web Access. If you haven't seen it, it is gorgeous in
Exchange 2003. It looks almost exactly like Outlook. Unfortunately, if your
password is expired (forced or otherwise) you aren't getting into OWA. I
also don't believe it has a password change function if you just want to go
and change it, but that could be something that could be enabled.
Alternatively you set up another web page to do it.

As for the OP's original issue. It all comes down to implementation. You told
the system to not allow people to change the password if the password age
was less than one day and then were confused when it did exactly that. The
reason for it is that there is one attribute for password age, pwdLastSet,
and it doesn't distinguish between a helpdesk set operation or a normal
password change, they are both password changes and you only want one day
between every change. The proper way to handle that case is to force the
users to change their password on next logon (which sets the pwdLastSet to
0), but as you know, that will kill OWA users. So you either need another
process to follow for OWA only users, install some third party or custom
in-house tool, or drop the minimum password aging.

   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Saturday, August 27, 2005 12:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change

You're right Aaron, I didn't know what it meant!

I am not an outlook sort of person (we use Notes...), but the inferred
statement surprises me. It suggests that if the must change password is
set, you can't logon to Outlook Web Access.

This would suggest that forcing users to change password after (say) 28 days
is also a no-no.

And, it would also suggest that Outlook Web Access won't let you change your
password. If it did, it would surely allow you to logon, then require you to
change  the password before you do anything..

This all seems unlikely, given Microsoft's recommended use of forcing
password changes on a regular basis and forcing users to change a password
when a new user is created.

If it is all true, maybe you have to provide some way that the users can go
to a Citrix portal and change their password there, then go back and use
Outlook Web Access.

 Alan Cuthbertson


  Policy Management Software:-
 http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
 ADM Template Editor:-
 http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
 Policy Log Reporter(Free)
 http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml




- Original Message -
From: Aaron Visser [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, August 27, 2005 8:59 AM
Subject: Re: [ActiveDir] Password policy change


Nevermind OWA = Outlook Web Access


On 8/26/05 3:39 PM, Figueroa, Johnny [EMAIL PROTECTED]
wrote:


 I mean, if I use the check box to user must change password at next logon
 our users whose only way into the domain is OWA will not prompt them to change
 their password... Unless I am missing something.

 Thanks

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
 Sent: Friday, August 26, 2005 3:19 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Password policy change

 Johnny,

 We do exactly what you suggest, change the password and set the user must
 change password at next logon and they are able to change it, even within the
 password cannot be changed period.

 What do you mean by that would effectively lock out the OWA only users?


  Alan Cuthbertson


  Policy Management Software:-
 http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
 ADM Template Editor:-
 http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
 Policy Log Reporter(Free)
 http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml



 - Original Message -
 From: Figueroa, Johnny [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Saturday, August 27, 2005 2:56 AM
 Subject: RE: [ActiveDir] Password policy change



 Help desk sets the password to something something, tells the user to
 change their password to whatever they want it to be and the user can not. I
 thought about having the HD check the box that makes it so the user has to
 change

RE: [ActiveDir] Password policy change

2005-08-29 Thread Cothern Jeff D. Team EITC
I have a possible solution for the OWA users. I haven't used this particular
software but we use one of their other products and it works well. I'll let
the website speak for itself. But I believe this would provide a means via the
web for your users to change their passwords.

http://www.anixis.com/products/ppeweb/default.htm 

Jeff Cothern


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, August 29, 2005 4:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

OWA doesn't have a built-in password change function but you can activate the
standard IIS password changing module called iisadmpwd, which is placed in the
options section of the OWA interface. However if the password has expired you'll
be out of luck.

One article that covers this is:

http://support.microsoft.com/default.aspx?scid=kb;en-us;297121

Regards
Peter Johnson




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 27 August 2005 08:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

Yep, OWA is Outlook Web Access. If you haven't seen it, it is gorgeous in 
Exchange 2003. It looks almost exactly like Outlook. Unfortunately, if your 
password is expired (forced or otherwise) you aren't getting into OWA. I also 
don't believe it has a password change function if you just want to go and 
change it, but that could be something that could be enabled.
Alternatively you set up another web page to do it.

As for the OP's original issue. It all comes down to implementation. You told
the system to not allow people to change the password if the password age was
less than one day and then were confused when it did exactly that. The reason
for it is that there is one attribute for password age, pwdLastSet, and it
doesn't distinguish between a helpdesk set operation or a normal password
change, they are both password changes and you only want one day between every
change. The proper way to handle that case is to force the users to change
their password on next logon (which sets the pwdLastSet to 0), but as you know,
that will kill OWA users. So you either need another process to follow for OWA
only users, install some third party or custom in-house tool, or drop the
minimum password aging.

   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Saturday, August 27, 2005 12:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change

You're right Aaron, I didn't know what it meant!

I am not an outlook sort of person (we use Notes...), but the inferred 
statement surprises me. It suggests that if the must change password is set, 
you can't logon to Outlook Web Access.

This would suggest that forcing users to change password after (say) 28 days is 
also a no-no.

And, it would also suggest that Outlook Web Access won't let you change your 
password. If it did, it would surely allow you to logon, then require you to 
change  the password before you do anything..

This all seems unlikely, given Microsoft's recommended use of forcing password 
changes on a regular basis and forcing users to change a password when a new 
user is created.

If it is all true, maybe you have to provide some way that the users can go to 
a Citrix portal and change their password there, then go back and use Outlook 
Web Access.

 Alan Cuthbertson


  Policy Management Software:-
 http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
 ADM Template Editor:-
 http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
 Policy Log Reporter(Free)
 http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml




- Original Message -
From: Aaron Visser [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, August 27, 2005 8:59 AM
Subject: Re: [ActiveDir] Password policy change


Nevermind OWA = Outlook Web Access


On 8/26/05 3:39 PM, Figueroa, Johnny [EMAIL PROTECTED]
wrote:


 I mean, if I use the check box to user must change password at next logon
 our users whose only way into the domain is OWA will not prompt them to change
 their password... Unless I am missing something.

 Thanks

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of SysPro 
 Support
 Sent: Friday, August 26, 2005 3:19 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Password policy change

 Johnny,

 We do exactly what you suggest, change the password and set the user
 must change password at next logon and they are able to change it,
 even within the password cannot be changed period.

 What do you mean by that would effectively lock out the OWA only users?


  Alan Cuthbertson


  Policy Management Software:-
 http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
 ADM Template Editor:-
 http

RE: [ActiveDir] Password policy change

2005-08-29 Thread lists

That should work.  :-)

There are actually many web-, phone- and login-prompt- accessible
password change/synchronization/reset applications out there, some of
which support password updates to multiple types of systems, rather than 
just AD.


PROMOTIONAL ALERT - CLOSE YOUR EYES TO AVOID ADVERTISING
  One such is http://psynch.com/
/PROMOTIONAL ALERT - COULDN'T HELP MYSELF

Linking one of these to OWA should be trivial.  With this product, and 
probably others, you should have no trouble detecting password expiry and 
bouncing the user to the 'change now' page either.


Good luck,

-- Idan

On Mon, 29 Aug 2005, Cothern Jeff D. Team EITC wrote:


I have a possible solution for the OWA users. I haven't used this particular
software but we use one of their other products and it works well. I'll let
the website speak for itself. But I believe this would provide a means via the
web for your users to change their passwords.

http://www.anixis.com/products/ppeweb/default.htm

Jeff Cothern


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, August 29, 2005 4:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

OWA doesn't have a built-in password change function but you can activate the
standard IIS password changing module called iisadmpwd, which is placed in the
options section of the OWA interface. However if the password has expired you'll
be out of luck.

One article that covers this is:

http://support.microsoft.com/default.aspx?scid=kb;en-us;297121

Regards
Peter Johnson




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 27 August 2005 08:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

Yep, OWA is Outlook Web Access. If you haven't seen it, it is gorgeous in 
Exchange 2003. It looks almost exactly like Outlook. Unfortunately, if your 
password is expired (forced or otherwise) you aren't getting into OWA. I also 
don't believe it has a password change function if you just want to go and 
change it, but that could be something that could be enabled.
Alternatively you set up another web page to do it.

As for the OP's original issue. It all comes down to implementation. You told
the system to not allow people to change the password if the password age was
less than one day and then were confused when it did exactly that. The reason
for it is that there is one attribute for password age, pwdLastSet, and it
doesn't distinguish between a helpdesk set operation or a normal password
change, they are both password changes and you only want one day between every
change. The proper way to handle that case is to force the users to change
their password on next logon (which sets the pwdLastSet to 0), but as you know,
that will kill OWA users. So you either need another process to follow for OWA
only users, install some third party or custom in-house tool, or drop the
minimum password aging.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Saturday, August 27, 2005 12:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change

You're right Aaron, I didn't know what it meant!

I am not an outlook sort of person (we use Notes...), but the inferred statement 
surprises me. It suggests that if the must change password is set, you can't 
logon to Outlook Web Access.

This would suggest that forcing users to change password after (say) 28 days is 
also a no-no.

And, it would also suggest that Outlook Web Access won't let you change your 
password. If it did, it would surely allow you to logon, then require you to 
change  the password before you do anything..

This all seems unlikely, given Microsoft's recommended use of forcing password 
changes on a regular basis and forcing users to change a password when a new 
user is created.

If it is all true, maybe you have to provide some way that the users can go to 
a Citrix portal and change their password there, then go back and use Outlook 
Web Access.

Alan Cuthbertson


 Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml




- Original Message -
From: Aaron Visser [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, August 27, 2005 8:59 AM
Subject: Re: [ActiveDir] Password policy change


Nevermind OWA = Outlook Web Access


On 8/26/05 3:39 PM, Figueroa, Johnny [EMAIL PROTECTED]
wrote:



I mean, if I use the check box to user must change password at next logon
our users whose only way into the domain is OWA will not prompt them to change
their password... Unless I am missing something.

Thanks

-Original

RE: FW: [Fwd: RE: [ActiveDir] Password policy change]

2005-08-28 Thread Rick Kingslan
Yep - I've been through this just of late.  If the Change at next logon is
set, IIS doesn't have that level of function to allow this to take place
through the current functions.

Rick

--
Posting is provided AS IS, and confers no rights or warranties ...


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Saturday, August 27, 2005 5:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: FW: [Fwd: RE: [ActiveDir] Password policy change]

Yes that enables the password change functionality through OWA, but I
don't believe that will help this particular situation. When you set
the User Must Change Password at Next Logon bit then logon to OWA I
don't think OWA will dump you to a password change screen. That
Password Change screen is only something you can access once in OWA as
far as I know.

To address the question about password expiry and OWA users, when you
log in with OWA it will tell you that your password is getting close
to expiring so it gives you a heads up that you need to change your
password soon, whether that is through the IIS Password change tool or
some other password change facility.

Phil

On 8/27/05, joe [EMAIL PROTECTED] wrote:
 From a shy lurker MVP
 
 It appears it is something you can enable. It isn't strictly part of OWA
but
 the old IIS Password change tool. I recall there being issues with that
tool
 and that is why they stopped enabling it by default but can't recall what
 they were this late at night or this early in the morning whatever it may
 be. ;o)
 
 Thanks for the assist Mom. :)
 
 
 
 -Original Message-
 Sent: Saturday, August 27, 2005 2:24 AM
 To: [EMAIL PROTECTED]
 Subject: [Fwd: RE: [ActiveDir] Password policy change]
 

 http://www.petri.co.il/enable_password_changing_through_owa_in_exchange_2003.htm
 
 
  Original Message 
 Subject:RE: [ActiveDir] Password policy change
 Date:   Sat, 27 Aug 2005 02:16:14 -0400
 From:   joe [EMAIL PROTECTED]
 Reply-To:   ActiveDir@mail.activedir.org
 To: ActiveDir@mail.activedir.org
 
 
 
 Yep, OWA is Outlook Web Access. If you haven't seen it, it is gorgeous in
 Exchange 2003. It looks almost exactly like Outlook. Unfortunately, if
your
 password is expired (forced or otherwise) you aren't getting into OWA. I
 also don't believe it has a password change function if you just want to
go
 and change it, but that could be something that could be enabled.
 Alternatively you set up another web page to do it.
 
 As for the OP's original issue. It all comes down to implementation. You told
 the system to not allow people to change the password if the password age
 was less than one day and then were confused when it did exactly that. The
 reason for it is that there is one attribute for password age, pwdLastSet,
 and it doesn't distinguish between a helpdesk set operation or a normal
 password change, they are both password changes and you only want one day
 between every change. The proper way to handle that case is to force the
 users to change their password on next logon (which sets the pwdLastSet to
 0), but as you know, that will kill OWA users. So you either need another
 process to follow for OWA only users, install some third party or custom
 in-house tool, or drop the minimum password aging.
 
   joe
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
 Sent: Saturday, August 27, 2005 12:09 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Password policy change
 
 You're right Aaron, I didn't know what it meant!
 
 I am not an outlook sort of person (we use Notes...), but the inferred
 statement surprises me. It suggests that if the must change password is
 set, you can't logon to Outlook Web Access.
 
 This would suggest that forcing users to change password after (say) 28
days
 is also a no-no.
 
 And, it would also suggest that Outlook Web Access won't let you change
your
 password. If it did, it would surely allow you to logon, then require you
to
 change  the password before you do anything..
 
 This all seems unlikely, given Microsoft's recommended use of forcing
 password changes on a regular basis and forcing users to change a password
 when a new user is created.
 
 If it is all true, maybe you have to provide some way that the users can
go
 to a Citrix portal and change their password there, then go back and use
 Outlook Web Access.
 
  Alan Cuthbertson
 
 
  Policy Management Software:-
  http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
  ADM Template Editor:-
  http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
  Policy Log Reporter(Free)
  http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml
 
 
 
 
 - Original Message -
 From: Aaron Visser [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Saturday, August 27, 2005 8:59 AM
 Subject: Re: [ActiveDir] Password policy change

RE: [ActiveDir] Password policy change

2005-08-27 Thread joe
Yep, OWA is Outlook Web Access. If you haven't seen it, it is gorgeous in
Exchange 2003. It looks almost exactly like Outlook. Unfortunately, if your
password is expired (forced or otherwise) you aren't getting into OWA. I
also don't believe it has a password change function if you just want to go
and change it, but that could be something that could be enabled.
Alternatively you set up another web page to do it.

As for the OP's original issue. It all comes down to implementation. You told
the system to not allow people to change the password if the password age
was less than one day and then were confused when it did exactly that. The
reason for it is that there is one attribute for password age, pwdLastSet,
and it doesn't distinguish between a helpdesk set operation or a normal
password change, they are both password changes and you only want one day
between every change. The proper way to handle that case is to force the
users to change their password on next logon (which sets the pwdLastSet to
0), but as you know, that will kill OWA users. So you either need another
process to follow for OWA only users, install some third party or custom
in-house tool, or drop the minimum password aging.

   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Saturday, August 27, 2005 12:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change

You're right Aaron, I didn't know what it meant!

I am not an outlook sort of person (we use Notes...), but the inferred
statement surprises me. It suggests that if the must change password is
set, you can't logon to Outlook Web Access.

This would suggest that forcing users to change password after (say) 28 days
is also a no-no.

And, it would also suggest that Outlook Web Access won't let you change your
password. If it did, it would surely allow you to logon, then require you to
change  the password before you do anything..

This all seems unlikely, given Microsoft's recommended use of forcing
password changes on a regular basis and forcing users to change a password
when a new user is created.

If it is all true, maybe you have to provide some way that the users can go
to a Citrix portal and change their password there, then go back and use
Outlook Web Access.

 Alan Cuthbertson


  Policy Management Software:-
 http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
 ADM Template Editor:-
 http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
 Policy Log Reporter(Free)
 http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml




- Original Message -
From: Aaron Visser [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, August 27, 2005 8:59 AM
Subject: Re: [ActiveDir] Password policy change


Nevermind OWA = Outlook Web Access


On 8/26/05 3:39 PM, Figueroa, Johnny [EMAIL PROTECTED]
wrote:


 I mean, if I use the check box to user must change password at next logon
 our users whose only way into the domain is OWA will not prompt them to change
 their password... Unless I am missing something.

 Thanks

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
 Sent: Friday, August 26, 2005 3:19 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Password policy change

 Johnny,

 We do exactly what you suggest, change the password and set the user must
 change password at next logon and they are able to change it, even within the
 password cannot be changed period.

 What do you mean by that would effectively lock out the OWA only users?


  Alan Cuthbertson


  Policy Management Software:-
 http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
 ADM Template Editor:-
 http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
 Policy Log Reporter(Free)
 http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml



 - Original Message -
 From: Figueroa, Johnny [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Saturday, August 27, 2005 2:56 AM
 Subject: RE: [ActiveDir] Password policy change



 Help desk sets the password to something something, tells the user to
 change their password to whatever they want it to be and the user can not. I
 thought about having the HD check the box that makes it so the user has to
 change the password the next time they log in but I think that would
 effectively lock out the OWA only users.

 The point is that the HD gets the user going by setting the password to
 something generic, then the user is supposed to change it to whatever they
 want to keep.


 Thanks

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
 Sent: Friday, August 26, 2005 9:45 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Password policy change

 Which part is not working and how is it not working?


 Sincerely,

 Dèjì
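
joe's explanation of pwdLastSet and the minimum password age in the message above, as an added read-only example that is not part of the original thread: it reports whether an account is inside the minimum-age window after a help desk reset, or is flagged to change at next logon (pwdLastSet = 0). It assumes the ActiveDirectory PowerShell module and that no fine-grained password policy overrides the domain minimum age; `Get-PasswordChangeWindow` and the account name in the usage comment are hypothetical.

```powershell
# Added example, not from the thread. Read-only; requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-PasswordChangeWindow {      # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $Identity
    )
    begin {
        # Domain-wide minimum password age (a TimeSpan).
        # Assumption: no fine-grained password policy applies to the account.
        $minAge = (Get-ADDefaultDomainPasswordPolicy).MinPasswordAge
        $now    = [DateTime]::UtcNow
    }
    process {
        $user = Get-ADUser -Identity $Identity -Properties pwdLastSet
        $raw  = [int64]$user.pwdLastSet    # FILETIME ticks; an unset value casts to 0

        if ($raw -eq 0) {
            # "User must change password at next logon" is stored as pwdLastSet = 0,
            # so there is no password age to compare against the minimum.
            $lastSet  = $null
            $earliest = $null
            $state    = 'Must change at next logon (pwdLastSet = 0)'
        }
        else {
            # A help desk reset and a user change both stamp pwdLastSet with the
            # current time, so either one starts the minimum-age clock.
            $lastSet  = [DateTime]::FromFileTimeUtc($raw)
            $earliest = $lastSet.Add($minAge)
            $state    = if ($earliest -gt $now) {
                'User change blocked by minimum password age'
            } else {
                'User may change password'
            }
        }

        [pscustomobject]@{
            SamAccountName        = $user.SamAccountName
            PwdLastSetRaw         = $raw
            PasswordLastSetUtc    = $lastSet
            MinPasswordAge        = $minAge
            EarliestUserChangeUtc = $earliest
            State                 = $state
        }
    }
}

# Usage (placeholder account name):
#   Get-PasswordChangeWindow -Identity 'jdoe'
#   'jdoe','asmith' | Get-PasswordChangeWindow | Format-Table -AutoSize
```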

FW: [Fwd: RE: [ActiveDir] Password policy change]

2005-08-27 Thread joe
From a shy lurker MVP 

It appears it is something you can enable. It isn't strictly part of OWA but
the old IIS Password change tool. I recall there being issues with that tool
and that is why they stopped enabling it by default but can't recall what
they were this late at night or this early in the morning whatever it may
be. ;o) 

Thanks for the assist Mom. :)

 

-Original Message-
Sent: Saturday, August 27, 2005 2:24 AM
To: [EMAIL PROTECTED]
Subject: [Fwd: RE: [ActiveDir] Password policy change]

http://www.petri.co.il/enable_password_changing_through_owa_in_exchange_2003.htm


 Original Message 
Subject:RE: [ActiveDir] Password policy change
Date:   Sat, 27 Aug 2005 02:16:14 -0400
From:   joe [EMAIL PROTECTED]
Reply-To:   ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org



Yep, OWA is Outlook Web Access. If you haven't seen it, it is gorgeous in
Exchange 2003. It looks almost exactly like Outlook. Unfortunately, if your
password is expired (forced or otherwise) you aren't getting into OWA. I
also don't believe it has a password change function if you just want to go
and change it, but that could be something that could be enabled.
Alternatively you set up another web page to do it.

As for the OP's original issue. It all comes down to implementation. You told
the system to not allow people to change the password if the password age
was less than one day and then were confused when it did exactly that. The
reason for it is that there is one attribute for password age, pwdLastSet,
and it doesn't distinguish between a helpdesk set operation or a normal
password change, they are both password changes and you only want one day
between every change. The proper way to handle that case is to force the
users to change their password on next logon (which sets the pwdLastSet to
0), but as you know, that will kill OWA users. So you either need another
process to follow for OWA only users, install some third party or custom
in-house tool, or drop the minimum password aging.

   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Saturday, August 27, 2005 12:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change

You're right Aaron, I didn't know what it meant!

I am not an outlook sort of person (we use Notes...), but the inferred
statement surprises me. It suggests that if the must change password is
set, you can't logon to Outlook Web Access.

This would suggest that forcing users to change password after (say) 28 days
is also a no-no.

And, it would also suggest that Outlook Web Access won't let you change your
password. If it did, it would surely allow you to logon, then require you to
change  the password before you do anything..

This all seems unlikely, given Microsoft's recommended use of forcing
password changes on a regular basis and forcing users to change a password
when a new user is created.

If it is all true, maybe you have to provide some way that the users can go
to a Citrix portal and change their password there, then go back and use
Outlook Web Access.

 Alan Cuthbertson


  Policy Management Software:-
 http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
 ADM Template Editor:-
 http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
 Policy Log Reporter(Free)
 http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml




- Original Message -
From: Aaron Visser [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, August 27, 2005 8:59 AM
Subject: Re: [ActiveDir] Password policy change


Nevermind OWA = Outlook Web Access


On 8/26/05 3:39 PM, Figueroa, Johnny [EMAIL PROTECTED]
wrote:


 I mean, if I use the check box to user must change password at next logon
 our users whose only way into the domain is OWA will not prompt them to change
 their password... Unless I am missing something.

 Thanks

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of SysPro 
 Support
 Sent: Friday, August 26, 2005 3:19 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Password policy change

 Johnny,

 We do exactly what you suggest, change the password and set the user
 must change password at next logon and they are able to change it,
 even within the password cannot be changed period.

 What do you mean by that would effectively lock out the OWA only users?


  Alan Cuthbertson


  Policy Management Software:-
 http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
 ADM Template Editor:-
 http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
 Policy Log Reporter(Free)
 http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml



 - Original Message -
 From: Figueroa, Johnny [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Saturday, August 27, 2005 2:56 AM
 Subject: RE

RE: [Fwd: RE: [ActiveDir] Password policy change]

2005-08-27 Thread Ken Schaefer
The original Password Change functionality used HTRs, and there was a buffer
overflow vulnerability in the ISAPI Extension that handled HTRs (ism.dll).
There's a download on the MS Downloads page that substitutes ASP pages:

http://support.microsoft.com/?id=331834
Change password functionality replaced with Active Server Pages

Cheers
Ken

: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of joe
: Sent: Saturday, 27 August 2005 5:08 PM
: To: ActiveDir@mail.activedir.org
: Subject: FW: [Fwd: RE: [ActiveDir] Password policy change]
: 
: From a shy lurker MVP
: 
: It appears it is something you can enable. It isn't strictly part of OWA but
: the old IIS Password change tool. I recall there being issues with that tool
: and that is why they stopped enabling it by default but can't recall what
: they were this late at night or this early in the morning whatever it may
: be. ;o)
: 
: Thanks for the assist Mom. :)
: 
: 
: 
: -Original Message-
: Sent: Saturday, August 27, 2005 2:24 AM
: To: [EMAIL PROTECTED]
: Subject: [Fwd: RE: [ActiveDir] Password policy change]
: 
: http://www.petri.co.il/enable_password_changing_through_owa_in_exchange_2003.htm
: 
: 
:  Original Message 
: Subject:  RE: [ActiveDir] Password policy change
: Date: Sat, 27 Aug 2005 02:16:14 -0400
: From: joe [EMAIL PROTECTED]
: Reply-To: ActiveDir@mail.activedir.org
: To:   ActiveDir@mail.activedir.org
: 
: 
: 
: Yep, OWA is Outlook Web Access. If you haven't seen it, it is gorgeous in
: Exchange 2003. It looks almost exactly like Outlook. Unfortunately, if your
: password is expired (forced or otherwise) you aren't getting into OWA. I
: also don't believe it has a password change function if you just want to go
: and change it, but that could be something that could be enabled.
: Alternatively you set up another web page to do it.
: 
: As for the OP's original issue. It all comes down to implementation. You told
: the system to not allow people to change the password if the password age
: was less than one day and then were confused when it did exactly that. The
: reason for it is that there is one attribute for password age, pwdLastSet,
: and it doesn't distinguish between a helpdesk set operation or a normal
: password change, they are both password changes and you only want one day
: between every change. The proper way to handle that case is to force the
: users to change their password on next logon (which sets the pwdLastSet to
: 0), but as you know, that will kill OWA users. So you either need another
: process to follow for OWA only users, install some third party or custom
: inhouse tool, or drop the minimum password aging.
: 
:joe
: 
: 
: -Original Message-
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
: Sent: Saturday, August 27, 2005 12:09 AM
: To: ActiveDir@mail.activedir.org
: Subject: Re: [ActiveDir] Password policy change
: 
: You're right Aaron, I didn't know what it meant!
: 
: I am not an outlook sort of person (we use Notes...), but the inferred
: statement surprises me. It suggests that if the must change password is
: set, you can't logon to Outlook Web Access.
: 
: This would suggest that forcing users to change password after (say) 28 days
: is also a no-no.
: 
: And, it would also suggest that Outlook Web Access won't let you change your
: password. If it did, it would surely allow you to logon, then require you to
: change the password before you do anything..
: 
: This all seems unlikely, given Microsoft's recommended use of forcing
: password changes on a regular basis and forcing users to change a password
: when a new user is created.
: 
: If it is all true, maybe you have to provide some way that the users can go
: to a Citrix portal and change their password there, then go back and use
: Outlook Web Access.
: 
:  Alan Cuthbertson
: 
: 
:   Policy Management Software:-
:  http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
:  ADM Template Editor:-
:  http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
:  Policy Log Reporter(Free)
:  http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml
: 
: 
: 
: 
: - Original Message -
: From: Aaron Visser [EMAIL PROTECTED]
: To: ActiveDir@mail.activedir.org
: Sent: Saturday, August 27, 2005 8:59 AM
: Subject: Re: [ActiveDir] Password policy change
: 
: 
: Nevermind OWA = Outlook Web Access
: 
: 
: On 8/26/05 3:39 PM, Figueroa, Johnny [EMAIL PROTECTED]
: wrote:
: 
: 
:  I mean, if I use the check box to user must change password at next logon
:  our users whose only way into the domain is OWA will not prompt them to change
:  their password... Unless I am missing something.
: 
:  Thanks
: 
:  -Original Message-
:  From: [EMAIL PROTECTED]
:  [mailto:[EMAIL PROTECTED] On Behalf Of SysPro
:  Support
:  Sent: Friday, August 26, 2005

Re: FW: [Fwd: RE: [ActiveDir] Password policy change]

2005-08-27 Thread Phil Renouf
Yes that enables the password change functionality through OWA, but I
don't believe that will help this particular situation. When you set
the User Must Change Password at Next Logon bit then logon to OWA I
don't think OWA will dump you to a password change screen. That
Password Change screen is only something you can access once in OWA as
far as I know.

To address the question about password expiry and OWA users, when you
log in with OWA it will tell you that your password is getting close
to expiring so it gives you a heads up that you need to change your
password soon, whether that is through the IIS Password change tool or
some other password change facility.

Phil

On 8/27/05, joe [EMAIL PROTECTED] wrote:
 From a shy lurker MVP
 
 It appears it is something you can enable. It isn't strictly part of OWA but
 the old IIS Password change tool. I recall there being issues with that tool
 and that is why they stopped enabling it by default but can't recall what
 they were this late at night or this early in the morning whatever it may
 be. ;o)
 
 Thanks for the assist Mom. :)
 
 
 
 -Original Message-
 Sent: Saturday, August 27, 2005 2:24 AM
 To: [EMAIL PROTECTED]
 Subject: [Fwd: RE: [ActiveDir] Password policy change]
 
 http://www.petri.co.il/enable_password_changing_through_owa_in_exchange_2003.htm
 
 
  Original Message 
 Subject:RE: [ActiveDir] Password policy change
 Date:   Sat, 27 Aug 2005 02:16:14 -0400
 From:   joe [EMAIL PROTECTED]
 Reply-To:   ActiveDir@mail.activedir.org
 To: ActiveDir@mail.activedir.org
 
 
 
 Yep, OWA is Outlook Web Access. If you haven't seen it, it is gorgeous in
 Exchange 2003. It looks almost exactly like Outlook. Unfortunately, if your
 password is expired (forced or otherwise) you aren't getting into OWA. I
 also don't believe it has a password change function if you just want to go
 and change it, but that could be something that could be enabled.
 Alternatively you set up another web page to do it.
 
 As for the OP's original issue. It all comes down to implementation. You told
 the system to not allow people to change the password if the password age
 was less than one day and then were confused when it did exactly that. The
 reason for it is that there is one attribute for password age, pwdLastSet,
 and it doesn't distinguish between a helpdesk set operation or a normal
 password change, they are both password changes and you only want one day
 between every change. The proper way to handle that case is to force the
 users to change their password on next logon (which sets the pwdLastSet to
 0), but as you know, that will kill OWA users. So you either need another
 process to follow for OWA only users, install some third party or custom
 inhouse tool, or drop the minimum password aging.
 
   joe
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
 Sent: Saturday, August 27, 2005 12:09 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Password policy change
 
 You're right Aaron, I didn't know what it meant!
 
 I am not an outlook sort of person (we use Notes...), but the inferred
 statement surprises me. It suggests that if the must change password is
 set, you can't logon to Outlook Web Access.
 
 This would suggest that forcing users to change password after (say) 28 days
 is also a no-no.
 
 And, it would also suggest that Outlook Web Access won't let you change your
 password. If it did, it would surely allow you to logon, then require you to
 change  the password before you do anything..
 
 This all seems unlikely, given Microsoft's recommended use of forcing
 password changes on a regular basis and forcing users to change a password
 when a new user is created.
 
 If it is all true, maybe you have to provide some way that the users can go
 to a Citrix portal and change their password there, then go back and use
 Outlook Web Access.
 
  Alan Cuthbertson
 
 
  Policy Management Software:-
  http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
  ADM Template Editor:-
  http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
  Policy Log Reporter(Free)
  http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml
 
 
 
 
 - Original Message -
 From: Aaron Visser [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Saturday, August 27, 2005 8:59 AM
 Subject: Re: [ActiveDir] Password policy change
 
 
 Nevermind OWA = Outlook Web Access
 
 
 On 8/26/05 3:39 PM, Figueroa, Johnny [EMAIL PROTECTED]
 wrote:
 
 
  I mean, if I use the check box to user must change password at next logon
  our users whose only way into the domain is OWA will not prompt them to change
  their password... Unless I am missing something.
 
  Thanks
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of SysPro
  Support
  Sent: Friday, August 26, 2005 3:19 PM
  To: ActiveDir

RE: [ActiveDir] Password policy change

2005-08-26 Thread Cothern Jeff D. Team EITC
Not if you keep the password can not be changed for one day.  Unless you
have the user come to your helpdesk and change it thru the admin tool.
Otherwise they will not be able to change their password cause the Age
is not past 24 hours. 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa,
Johnny
Sent: Friday, August 26, 2005 12:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Password policy change


Good morning folks, yesterday I changed the domain password security to
retain password history for 5 passwords and the password can not be
changed for one day.

Our help desk used to set passwords to a default value when they got a
call from a user and then tell the user to change it to something they
want. It looks like that is not working for them.

Is there any way around this?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator Network Services Banner Health
Voice (602)
495-4195 Fax (602) 495-4406
 
WARNING: This message, and any attachments, are intended only for the
use of the individual or entity to which it is addressed and may contain
information that is privileged, confidential and exempt from disclosure
under applicable law.  If the reader of this message is not the intended
recipient or employee/agent responsible for delivering the message to
the intended recipient, you are hereby notified that any dissemination,
distribution or copying of the communication is strictly prohibited.  If
you receive this communication in error, please notify us immediately

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] Password policy change

2005-08-26 Thread deji
Which part is not working and how is it not working?
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Figueroa, Johnny
Sent: Fri 8/26/2005 9:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Password policy change




Good morning folks, yesterday I changed the domain password security to
retain password history for 5 passwords and the password can not be
changed for one day.

Our help desk used to set passwords to a default value when they got a
call from a user and then tell the user to change it to something they
want. It looks like that is not working for them.

Is there any way around this?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services Banner Health Voice (602)
495-4195 Fax (602) 495-4406


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] Password policy change

2005-08-26 Thread Figueroa, Johnny

Help desk sets the password to something something, tells the user to change 
their password to whatever they want it to be and the user can not. I thought 
about having the HD check the box that makes it so the user has to change the 
password the next time they log in but I think that would effectively lock out 
the OWA only users.

The point is that the HD gets the user going by setting the password to 
something generic, then the user is supposed to change it to whatever they want 
to keep.


Thanks 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 26, 2005 9:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

Which part is not working and how is it not working?
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon



From: [EMAIL PROTECTED] on behalf of Figueroa, Johnny
Sent: Fri 8/26/2005 9:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Password policy change




Good morning folks, yesterday I changed the domain password security to retain 
password history for 5 passwords and the password can not be changed for one 
day.

Our help desk used to set passwords to a default value when they got a call 
from a user and then tell the user to change it to something they want. It 
looks like that is not working for them.

Is there any way around this?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator Network Services Banner Health Voice 
(602)
495-4195 Fax (602) 495-4406


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/




Re: [ActiveDir] Password policy change

2005-08-26 Thread ASB
The HD needs to make their change 24 hours before they let the user
know that the account is ready.


-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/


On 8/26/05, Figueroa, Johnny [EMAIL PROTECTED] wrote:
 
 Help desk sets the password to something something, tells the user to change 
 their password to whatever they want it to be and the user can not. I thought 
 about having the HD check the box that makes it so the user has to change the 
 password the next time they log in but I think that would effectively lock 
 out the OWA only users.
 
 The point is that the HD gets the user going by setting the password to 
 something generic, then the user is supposed to change it to whatever they 
 want to keep.
 
 
 Thanks
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL 
 PROTECTED]
 Sent: Friday, August 26, 2005 9:45 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Password policy change
 
 Which part is not working and how is it not working?
 
 
 Sincerely,
 
 Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
 Microsoft MVP - Directory Services
 www.readymaids.com - we know IT
 www.akomolafe.com
 Do you now realize that Today is the Tomorrow you were worried about 
 Yesterday?  -anon
 
 
 
 From: [EMAIL PROTECTED] on behalf of Figueroa, Johnny
 Sent: Fri 8/26/2005 9:34 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Password policy change
 
 
 
 
 Good morning folks, yesterday I changed the domain password security to 
 retain password history for 5 passwords and the password can not be changed 
 for one day.
 
 Our help desk used to set passwords to a default value when they got a call 
 from a user and then tell the user to change it to something they want. It 
 looks like that is not working for them.
 
 Is there any way around this?
 
 Thanks
 
 Johnny Figueroa
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Password policy change

2005-08-26 Thread deji
As others have pointed out, modify your policy to remove the 24-hour (one
day) restriction.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Figueroa, Johnny
Sent: Fri 8/26/2005 9:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change




Help desk sets the password to something something, tells the user to change
their password to whatever they want it to be and the user can not. I thought
about having the HD check the box that makes it so the user has to change the
password the next time they log in but I think that would effectively lock
out the OWA only users.

The point is that the HD gets the user going by setting the password to
something generic, then the user is supposed to change it to whatever they
want to keep.


Thanks

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 26, 2005 9:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

Which part is not working and how is it not working?


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Figueroa, Johnny
Sent: Fri 8/26/2005 9:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Password policy change




Good morning folks, yesterday I changed the domain password security to
retain password history for 5 passwords and the password can not be changed
for one day.

Our help desk used to set passwords to a default value when they got a call
from a user and then tell the user to change it to something they want. It
looks like that is not working for them.

Is there any way around this?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator Network Services Banner Health Voice
(602)
495-4195 Fax (602) 495-4406


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/




Re: [ActiveDir] Password policy change

2005-08-26 Thread Phil Renouf
Like Jeff said, if you keep the Password can not be changed for 1
day setting then this will not work. The helpdesk changing the
password means that it can not be changed again for the next 24 hours.
In your scenario the users will have to wait 24 hours to change their
password, or you will need to turn that option off.

Phil

On 8/26/05, Figueroa, Johnny [EMAIL PROTECTED] wrote:
 
 Help desk sets the password to something something, tells the user to change 
 their password to whatever they want it to be and the user can not. I thought 
 about having the HD check the box that makes it so the user has to change the 
 password the next time they log in but I think that would effectively lock 
 out the OWA only users.
 
 The point is that the HD gets the user going by setting the password to 
 something generic, then the user is supposed to change it to whatever they 
 want to keep.
 
 
 Thanks
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL 
 PROTECTED]
 Sent: Friday, August 26, 2005 9:45 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Password policy change
 
 Which part is not working and how is it not working?
 
 
 Sincerely,
 
 Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
 Microsoft MVP - Directory Services
 www.readymaids.com - we know IT
 www.akomolafe.com
 Do you now realize that Today is the Tomorrow you were worried about 
 Yesterday?  -anon
 
 
 
 From: [EMAIL PROTECTED] on behalf of Figueroa, Johnny
 Sent: Fri 8/26/2005 9:34 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Password policy change
 
 
 
 
 Good morning folks, yesterday I changed the domain password security to 
 retain password history for 5 passwords and the password can not be changed 
 for one day.
 
 Our help desk used to set passwords to a default value when they got a call 
 from a user and then tell the user to change it to something they want. It 
 looks like that is not working for them.
 
 Is there any way around this?
 
 Thanks
 
 Johnny Figueroa
 Enterprise Network Consultant/Integrator Network Services Banner Health Voice 
 (602)
 495-4195 Fax (602) 495-4406
 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
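
The minimum-age behaviour described in the replies above, as an added example that is not part of any poster's message: a small Python model of the check, showing why a help desk reset blocks the user for a day while the "must change at next logon" flag (pwdLastSet = 0) does not. It assumes the usual directory encoding (pwdLastSet as a FILETIME, minPwdAge as a negative count of 100-nanosecond ticks); the function names and the sample dates are constructed for illustration, and nothing here talks to a domain controller.

```python
from datetime import datetime, timedelta, timezone

# Assumed encoding: pwdLastSet is a FILETIME (100-nanosecond ticks since
# 1601-01-01 UTC); minPwdAge on the domain object is a NEGATIVE number of
# the same ticks, i.e. a relative interval.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def datetime_to_filetime(moment):
    """Convert an aware datetime to FILETIME ticks."""
    delta = moment - FILETIME_EPOCH
    seconds = delta.days * 86_400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_datetime(ticks):
    """Convert FILETIME ticks to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def interval_to_timedelta(raw_interval):
    """Convert a negative tick interval such as minPwdAge to a timedelta."""
    return timedelta(microseconds=abs(raw_interval) // 10)


def helpdesk_reset(now, must_change_at_next_logon):
    """Return the pwdLastSet value an administrative reset leaves behind.

    A plain reset stamps the current time, exactly like a user change.
    Ticking "user must change password at next logon" sets it to 0.
    """
    if must_change_at_next_logon:
        return 0
    return datetime_to_filetime(now)


def user_change_allowed(pwd_last_set, min_pwd_age, now):
    """Model the minimum-age check for a user-initiated password change.

    Returns (allowed, earliest). earliest is None when pwdLastSet is 0,
    because there is no timestamp for the minimum age to count from.
    """
    if pwd_last_set == 0:
        return True, None
    earliest = filetime_to_datetime(pwd_last_set) + interval_to_timedelta(min_pwd_age)
    return now >= earliest, earliest


def compare_procedures(reset_time, min_pwd_age, attempt_delay):
    """Run both help desk procedures and report what the user experiences."""
    attempt_time = reset_time + attempt_delay
    results = {}
    for label, flag in (("reset_only", False), ("reset_and_flag", True)):
        pwd_last_set = helpdesk_reset(reset_time, flag)
        results[label] = user_change_allowed(pwd_last_set, min_pwd_age, attempt_time)
    return results


if __name__ == "__main__":
    # Constructed sample: reset at 16:34 UTC, user tries one hour later,
    # domain minimum password age of one day.
    one_day = -864_000_000_000
    reset_at = datetime(2005, 8, 26, 16, 34, tzinfo=timezone.utc)
    outcome = compare_procedures(reset_at, one_day, timedelta(hours=1))
    for label, (allowed, earliest) in outcome.items():
        print(label, "allowed" if allowed else "blocked", earliest)
```

The model covers only the directory-side age check; whether a given front end such as OWA can present the change prompt for a flagged account is a separate question, which is the limitation the thread goes on to discuss.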


RE: [ActiveDir] Password policy change

2005-08-26 Thread Figueroa, Johnny

Thank you all, just wanted to ask the geniuses before I closed the door on it. 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Friday, August 26, 2005 10:23 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change

Like Jeff said, if you keep the Password can not be changed for 1 day setting 
then this will not work. The helpdesk changing the password means that it can 
not be changed again for the next 24 hours.
In your scenario the users will have to wait 24 hours to change their password, 
or you will need to turn that option off.

Phil

On 8/26/05, Figueroa, Johnny [EMAIL PROTECTED] wrote:
 
 Help desk sets the password to something something, tells the user to change 
 their password to whatever they want it to be and the user can not. I thought 
 about having the HD check the box that makes it so the user has to change the 
 password the next time they log in but I think that would effectively lock 
 out the OWA only users.
 
 The point is that the HD gets the user going by setting the password to 
 something generic, then the user is supposed to change it to whatever they 
 want to keep.
 
 
 Thanks
 
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Friday, August 26, 2005 9:45 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Password policy change
 
 Which part is not working and how is it not working?
 
 
 Sincerely,
 
 Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
 Microsoft MVP - Directory Services
 www.readymaids.com - we know IT
 www.akomolafe.com
 Do you now realize that Today is the Tomorrow you were worried about 
 Yesterday?  -anon
 
 
 
 From: [EMAIL PROTECTED] on behalf of Figueroa, Johnny
 Sent: Fri 8/26/2005 9:34 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Password policy change
 
 
 
 
 Good morning folks, yesterday I changed the domain password security to 
 retain password history for 5 passwords and the password can not be changed 
 for one day.
 
 Our help desk used to set passwords to a default value when they got a 
 call from a user and then tell the user to change it to something they 
 want. It looks like that is not working for them.
 
 Is there any way around this?
 
 Thanks
 
 Johnny Figueroa
 Enterprise Network Consultant/Integrator Network Services Banner 
 Health Voice (602)
 495-4195 Fax (602) 495-4406
 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] Password policy change

2005-08-26 Thread Figueroa, Johnny

I mean, if I use the check box to user must change password at next logon our 
users whose only way into the domain is OWA will not prompt them to change 
their password... Unless I am missing something.

Thanks

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Friday, August 26, 2005 3:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change

Johnny,

We do exactly what you suggest, change the password and set the user must 
change password at next logon and they are able to change it, even within the 
password cannot be changed period.

What do you mean by that would effectively lock out the OWA only users?


 Alan Cuthbertson


 Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml



- Original Message -
From: Figueroa, Johnny [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, August 27, 2005 2:56 AM
Subject: RE: [ActiveDir] Password policy change



Help desk sets the password to something something, tells the user to
change their password to whatever they want it to be and the user can not. I
thought about having the HD check the box that makes it so the user has to
change the password the next time they log in but I think that would
effectively lock out the OWA only users.

The point is that the HD gets the user going by setting the password to
something generic, then the user is supposed to change it to whatever they
want to keep.


Thanks

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 26, 2005 9:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

Which part is not working and how is it not working?


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Figueroa, Johnny
Sent: Fri 8/26/2005 9:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Password policy change




Good morning folks, yesterday I changed the domain password security to
retain password history for 5 passwords and the password can not be changed
for one day.

Our help desk used to set passwords to a default value when they got a call
from a user and then tell the user to change it to something they want. It
looks like that is not working for them

Is there any way around this?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator Network Services Banner Health
Voice (602)
495-4195 Fax (602) 495-4406

WARNING: This message, and any attachments, are intended only for the use of
the individual or entity to which it is addressed and may contain
information that is privileged, confidential and exempt from disclosure
under applicable law.  If the reader of this message is not the intended
recipient or employee/agent responsible for delivering the message to the
intended recipient, you are hereby notified that any dissemination,
distribution or copying of the communication is strictly prohibited.  If you
receive this communication in error, please notify us immediately

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/




Re: [ActiveDir] Password policy change

2005-08-26 Thread SysPro Support
Johnny,

We do exactly what you suggest, change the password and set the user must
change password at next logon and they are able to change it, even within
the password cannot be changed period.

What do you mean by that would effectively lock out the OWA only users?


 Alan Cuthbertson


 Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml



- Original Message - 
From: Figueroa, Johnny [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, August 27, 2005 2:56 AM
Subject: RE: [ActiveDir] Password policy change



Help desk sets the password to something something, tells the user to
change their password to whatever they want it to be and the user can not. I
thought about having the HD check the box that makes it so the user has to
change the password the next time they log in but I think that would
effectively lock out the OWA only users.

The point is that the HD gets the user going by setting the password to
something generic, then the user is supposed to change it to whatever they
want to keep.


Thanks

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 26, 2005 9:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password policy change

Which part is not working and how is it not working?


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Figueroa, Johnny
Sent: Fri 8/26/2005 9:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Password policy change




Good morning folks, yesterday I changed the domain password security to
retain password history for 5 passwords and the password can not be changed
for one day.

Our help desk used to set passwords to a default value when they got a call
from a user and then tell the user to change it to something they want. It
looks like that is not working for them

Is there any way around this?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator Network Services Banner Health
Voice (602)
495-4195 Fax (602) 495-4406

WARNING: This message, and any attachments, are intended only for the use of
the individual or entity to which it is addressed and may contain
information that is privileged, confidential and exempt from disclosure
under applicable law.  If the reader of this message is not the intended
recipient or employee/agent responsible for delivering the message to the
intended recipient, you are hereby notified that any dissemination,
distribution or copying of the communication is strictly prohibited.  If you
receive this communication in error, please notify us immediately

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
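
The help-desk flow described in the reply above (reset the password, then set "user must change password at next logon"), as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory RSAT module and delegated reset rights; the function names and the random temporary password (in place of a shared default value) are assumptions of this example.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT)
# and delegated "Reset password" rights. Function names are hypothetical.
Import-Module ActiveDirectory

function New-TemporaryPassword {
    # 18 random bytes -> 24 base64 characters, plus a fixed suffix so the value
    # always contains upper case, lower case, a digit and a symbol.
    $bytes = New-Object byte[] 18
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return [Convert]::ToBase64String($bytes) + 'aZ9!'
}

function Reset-HelpDeskPassword {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    $policy = Get-ADDefaultDomainPasswordPolicy
    $user = Get-ADUser -Identity $SamAccountName -Properties PasswordNeverExpires, CannotChangePassword

    # The "must change" flag cannot be combined with these two settings.
    if ($user.PasswordNeverExpires -or $user.CannotChangePassword) {
        throw "$SamAccountName has PasswordNeverExpires or CannotChangePassword set; clear it first."
    }

    $temp = New-TemporaryPassword
    $secure = ConvertTo-SecureString -String $temp -AsPlainText -Force

    # Administrative reset: the old password is not required.
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
    # Ticks "User must change password at next logon" (pwdLastSet becomes 0).
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true

    # Read the account back and report the state next to the domain policy values.
    $after = Get-ADUser -Identity $user -Properties pwdLastSet
    [pscustomobject]@{
        User                  = $after.SamAccountName
        TemporaryPassword     = $temp
        MustChangeAtNextLogon = ($after.pwdLastSet -eq 0)
        DomainMinPasswordAge  = $policy.MinPasswordAge
        DomainPasswordHistory = $policy.PasswordHistoryCount
    }
}

# Example call with a constructed account name:
# Reset-HelpDeskPassword -SamAccountName 'jdoe'
```

With the flag set, the user is asked for a new password at the next logon, which the reply above reports works even inside the one-day minimum age. Clients that cannot show that prompt, the OWA-only case raised in this thread, need a separate way to change the password.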




Re: [ActiveDir] Password policy change

2005-08-26 Thread Aaron Visser
I think he wants to know what is OWA or at least I want to know :)



On 8/26/05 3:39 PM, Figueroa, Johnny [EMAIL PROTECTED]
wrote:

 
 I mean, if I use the check box to user must change password at next logon
 our users whose only way into the domain is OWA will not prompt them to change
 their password... Unless I am missing something.
 
 Thanks
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
 Sent: Friday, August 26, 2005 3:19 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Password policy change
 
 Johnny,
 
 We do exactly what you suggest, change the password and set the user must
 change password at next logon and they are able to change it, even within the
 password cannot be changed period.
 
 What do you mean by that would effectively lock out the OWA only users?
 
 
  Alan Cuthbertson
 
 
  Policy Management Software:-
 http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
 ADM Template Editor:-
 http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
 Policy Log Reporter(Free)
 http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml
 
 
 
 - Original Message -
 From: Figueroa, Johnny [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Saturday, August 27, 2005 2:56 AM
 Subject: RE: [ActiveDir] Password policy change
 
 
 
 Help desk sets the password to something something, tells the user to
 change their password to whatever they want it to be and the user can not. I
 thought about having the HD check the box that makes it so the user has to
 change the password the next time they log in but I think that would
 effectively lock out the OWA only users.
 
 The point is that the HD gets the user going by setting the password to
 something generic, then the user is supposed to change it to whatever they
 want to keep.
 
 
 Thanks
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
 Sent: Friday, August 26, 2005 9:45 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Password policy change
 
 Which part is not working and how is it not working?
 
 
 Sincerely,
 
 Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
 Microsoft MVP - Directory Services
 www.readymaids.com - we know IT
 www.akomolafe.com
 Do you now realize that Today is the Tomorrow you were worried about
 Yesterday?  -anon
 
 
 
 From: [EMAIL PROTECTED] on behalf of Figueroa, Johnny
 Sent: Fri 8/26/2005 9:34 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Password policy change
 
 
 
 
 Good morning folks, yesterday I changed the domain password security to
 retain password history for 5 passwords and the password can not be changed
 for one day.
 
 Our help desk used to set passwords to a default value when they got a call
 from a user and then tell the user to change it to something they want. It
 looks like that is not working for them
 
 Is there any way around this?
 
 Thanks
 
 Johnny Figueroa
 Enterprise Network Consultant/Integrator Network Services Banner Health
 Voice (602)
 495-4195 Fax (602) 495-4406
 
 WARNING: This message, and any attachments, are intended only for the use of
 the individual or entity to which it is addressed and may contain
 information that is privileged, confidential and exempt from disclosure
 under applicable law.  If the reader of this message is not the intended
 recipient or employee/agent responsible for delivering the message to the
 intended recipient, you are hereby notified that any dissemination,
 distribution or copying of the communication is strictly prohibited.  If you
 receive this communication in error, please notify us immediately
 
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
 
 


Re: [ActiveDir] Password policy change

2005-08-26 Thread Aaron Visser
Never mind, OWA = Outlook Web Access


On 8/26/05 3:39 PM, Figueroa, Johnny [EMAIL PROTECTED]
wrote:

 
 I mean, if I use the check box to user must change password at next logon
 our users whose only way into the domain is OWA will not prompt them to change
 their password... Unless I am missing something.
 
 Thanks
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
 Sent: Friday, August 26, 2005 3:19 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Password policy change
 
 Johnny,
 
 We do exactly what you suggest, change the password and set the user must
 change password at next logon and they are able to change it, even within the
 password cannot be changed period.
 
 What do you mean by that would effectively lock out the OWA only users?
 
 
  Alan Cuthbertson
 
 
  Policy Management Software:-
 http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
 ADM Template Editor:-
 http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
 Policy Log Reporter(Free)
 http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml
 
 
 
 - Original Message -
 From: Figueroa, Johnny [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Saturday, August 27, 2005 2:56 AM
 Subject: RE: [ActiveDir] Password policy change
 
 
 
 Help desk sets the password to something something, tells the user to
 change their password to whatever they want it to be and the user can not. I
 thought about having the HD check the box that makes it so the user has to
 change the password the next time they log in but I think that would
 effectively lock out the OWA only users.
 
 The point is that the HD gets the user going by setting the password to
 something generic, then the user is supposed to change it to whatever they
 want to keep.
 
 
 Thanks
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
 Sent: Friday, August 26, 2005 9:45 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Password policy change
 
 Which part is not working and how is it not working?
 
 
 Sincerely,
 
 Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
 Microsoft MVP - Directory Services
 www.readymaids.com - we know IT
 www.akomolafe.com
 Do you now realize that Today is the Tomorrow you were worried about
 Yesterday?  -anon
 
 
 
 From: [EMAIL PROTECTED] on behalf of Figueroa, Johnny
 Sent: Fri 8/26/2005 9:34 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Password policy change
 
 
 
 
 Good morning folks, yesterday I changed the domain password security to
 retain password history for 5 passwords and the password can not be changed
 for one day.
 
 Our help desk used to set passwords to a default value when they got a call
 from a user and then tell the user to change it to something they want. It
 looks like that is not working for them
 
 Is there any way around this?
 
 Thanks
 
 Johnny Figueroa
 Enterprise Network Consultant/Integrator Network Services Banner Health
 Voice (602)
 495-4195 Fax (602) 495-4406
 
 WARNING: This message, and any attachments, are intended only for the use of
 the individual or entity to which it is addressed and may contain
 information that is privileged, confidential and exempt from disclosure
 under applicable law.  If the reader of this message is not the intended
 recipient or employee/agent responsible for delivering the message to the
 intended recipient, you are hereby notified that any dissemination,
 distribution or copying of the communication is strictly prohibited.  If you
 receive this communication in error, please notify us immediately
 
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
 
 


Re: [ActiveDir] Password policy change

2005-08-26 Thread SysPro Support
You're right Aaron, I didn't know what it meant!

I am not an Outlook sort of person (we use Notes...), but the inferred
statement surprises me. It suggests that if the must change password is
set, you can't log on to Outlook Web Access.

This would suggest that forcing users to change password after (say) 28 days
is also a no-no.

And, it would also suggest that Outlook Web Access won't let you change your
password. If it did, it would surely allow you to log on, then require you to
change the password before you do anything.

This all seems unlikely, given Microsoft's recommended use of forcing
password changes on a regular basis and forcing users to change a password
when a new user is created.

If it is all true, maybe you have to provide some way that the users can go
to a Citrix portal and change their password there, then go back and use
Outlook Web Access.

 Alan Cuthbertson


  Policy Management Software:-
 http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
 ADM Template Editor:-
 http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
 Policy Log Reporter(Free)
 http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml




- Original Message - 
From: Aaron Visser [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, August 27, 2005 8:59 AM
Subject: Re: [ActiveDir] Password policy change


Never mind, OWA = Outlook Web Access


On 8/26/05 3:39 PM, Figueroa, Johnny [EMAIL PROTECTED]
wrote:


 I mean, if I use the check box to user must change password at next logon
 our users whose only way into the domain is OWA will not prompt them to change
 their password... Unless I am missing something.

 Thanks

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
 Sent: Friday, August 26, 2005 3:19 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Password policy change

 Johnny,

 We do exactly what you suggest, change the password and set the user must
 change password at next logon and they are able to change it, even within the
 password cannot be changed period.

 What do you mean by that would effectively lock out the OWA only users?


  Alan Cuthbertson


  Policy Management Software:-
 http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
 ADM Template Editor:-
 http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
 Policy Log Reporter(Free)
 http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml



 - Original Message -
 From: Figueroa, Johnny [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Saturday, August 27, 2005 2:56 AM
 Subject: RE: [ActiveDir] Password policy change



 Help desk sets the password to something something, tells the user to
 change their password to whatever they want it to be and the user can not. I
 thought about having the HD check the box that makes it so the user has to
 change the password the next time they log in but I think that would
 effectively lock out the OWA only users.

 The point is that the HD gets the user going by setting the password to
 something generic, then the user is supposed to change it to whatever they
 want to keep.


 Thanks

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
 Sent: Friday, August 26, 2005 9:45 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Password policy change

 Which part is not working and how is it not working?


 Sincerely,

 Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
 Microsoft MVP - Directory Services
 www.readymaids.com - we know IT
 www.akomolafe.com
 Do you now realize that Today is the Tomorrow you were worried about
 Yesterday?  -anon

 

 From: [EMAIL PROTECTED] on behalf of Figueroa, Johnny
 Sent: Fri 8/26/2005 9:34 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Password policy change




 Good morning folks, yesterday I changed the domain password security to
 retain password history for 5 passwords and the password can not be changed
 for one day.

 Our help desk used to set passwords to a default value when they got a call
 from a user and then tell the user to change it to something they want. It
 looks like that is not working for them

 Is there any way around this?

 Thanks

 Johnny Figueroa
 Enterprise Network Consultant/Integrator Network Services Banner Health
 Voice (602)
 495-4195 Fax (602) 495-4406

 WARNING: This message, and any attachments, are intended only for the use of
 the individual or entity to which it is addressed and may contain
 information that is privileged, confidential and exempt from disclosure
 under applicable law.  If the reader of this message is not the intended
 recipient or employee/agent responsible for delivering the message to the
 intended recipient, you are hereby notified that any dissemination,
 distribution or copying of the communication is strictly prohibited