"user must change password at next logon"

Guest

When a user's password expires, should the "User must change password at next
logon" check box be checked automatically within the user's account
properties? Where can I find any information on this process?

Thanks
 
Steven L Umbach

I don't believe that would happen. The user however will not be able to
logon again until they change their password. Are you experiencing some
problem?? -- Steve
 
Guest

Hi Steve,

There doesn't seem to be a problem but we would like to know the default
behaviour of this setting in case there is any underlying problem with the
network.

The problem is we have an active directory tool called Hyena which allows us
to view user accounts. If we view an account in Hyena that has had their
password expired, the "user must change password at next logon" check box is
selected. However, viewing the account in AD shows the check box is blank.
 
Steven L Umbach

I see. The only thing I can think of is that it is not displayed in ADUC and
Hyena possibly reads that information from a user attribute somewhere. I
would contact them and ask why the discrepancy. I don't think there is a
problem with your network as long as users that have expired passwords can
not logon until they change them. Posting in the Active Directory
newsgroup may also get you additional info on your question about the
process the operating system uses to manage expired passwords. --- Steve
 
Steven L Umbach

You might also want to try one of the vbs scripts from the scripting center
such as the one for list password attributes to see what it reports for a
user with an expired password. You would need to change the ldap info to
match your user however. You can copy the script to notepad and save it with
a .vbs extension setting the save as type as all files. Then try running it.
If it does not work try cscript first at the command line as in cscript
c:\file.vbs. --- Steve

http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/pwds/default.mspx
 
Hyena Support

I wasn't sure if you would contact SystemTools, so I thought that I
could explain a bit.

This problem could be caused by a number of factors, including some
quirky Microsoft designs in AD.

I'll assume that you have your Windows AD domain included in Hyena as a
Windows 200x domain. To verify, just click the first toolbar button,
and click on the domain entry, and verify the domain type. Windows NT
domains use a different protocol than AD, and there is the possibility
that the functions are not properly synchronized by Microsoft, so you
might get different results.

When looking at an AD user's properties, Hyena gets the "user must
change password at next logon" by looking at the 'pwdlastset' property.
It's very strange that Microsoft chose this property to hold this
information, but that is what they did. You can search MSDN for
'pwdlastset' and get a bit more information on it.

If you right click on a user in Hyena, select Listing Views->User (All)
you will get a list of all of the user's directory attributes and
values. You can also use the new ADSI-Edit like function "Manage
Directory Attributes" if you have v6.5 or later. Either way, look for
the value of the 'pwdlastset' attribute. If the value is zero, then
the user is supposed to change their password at the next logon.

Also, keep in mind that Hyena may be looking at a different domain
controller than ADU&C, and you can always use and get access to the
exact same dialog at ADU&C in Hyena by using the "Shell Properties"
function.

If you want to track this problem down further, please contact
(e-mail address removed)

Thanks

-Kevin Stanush
SystemTools Software Inc.
http://www.systemtools.com
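
An added example, not part of the thread and not Hyena's or Microsoft's code: it classifies accounts from raw pwdLastSet and userAccountControl values, separating the stored "must change" state (pwdLastSet of zero) from an expiry that is computed from pwdLastSet plus the maximum password age. The account records, the 90-day maximum age and the function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl flag

def filetime_to_datetime(ticks):
    """pwdLastSet is a FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def password_state(pwd_last_set, uac, max_age_days, now):
    """Classify one account from its raw attribute values.

    max_age_days is the domain's maximum password age (0 = never expires);
    fine-grained password policies are not considered here.
    """
    if pwd_last_set == 0:
        return "must-change"          # the stored state behind the check box
    if uac & DONT_EXPIRE_PASSWORD or max_age_days == 0:
        return "no-expiry"
    expires = filetime_to_datetime(pwd_last_set) + timedelta(days=max_age_days)
    return "expired" if now >= expires else "valid"

# Constructed sample records: (sAMAccountName, pwdLastSet, userAccountControl).
SAMPLE = [
    ("alice", 0, 0x200),                          # flagged for change
    ("bob", 133485408000000000, 0x200),           # set 2024-01-01 UTC
    ("carol", 133589952000000000, 0x200),         # set 2024-05-01 UTC
    ("svc-backup", 133485408000000000, 0x10200),  # password never expires
]

def audit(records, max_age_days, now):
    """Return {account name: state} for a list of exported records."""
    return {name: password_state(pls, uac, max_age_days, now)
            for name, pls, uac in records}

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "today"
    for name, state in audit(SAMPLE, 90, now).items():
        print(f"{name:12} {state}")
```

In this sample, bob's password is past its maximum age while his pwdLastSet is still non-zero, so a check that looks only for zero would not list him as needing a change.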
 
