2 User Login questions


Harry Devine

I have a small AD domain with about 30 users. 2 or 3 of these users cannot
change their password after 90 days when they are prompted to. The error
message that they get is that they are not permitted to change their
password. I, as an administrator, have to change it for them in their
account. These users are part of the Domain Users group (same as everyone
else that does not have this issue), and I don't have any special group
policy set up. How can I determine why these people don't have permission to
change their own passwords?

Second, many of our users do not log off at night when they go home. They
simply lock their workstation and leave. Mainly, they are stubborn about
it, but that's life. Anyway, onto my question. In my case, for example,
when I log in in the morning, I'll get prompted that my password will expire
in X days, would I like to change it? For those that do not log off, is
there a way, either in Group Policy, etc., that these people can get a
notification that their password is due to expire? They are usually forced
to change it once it does expire, and they're not sure why. I know why, but
I'd like to give them some advance notice that it's due to expire.

Thanks for any help,
Harry
 
I have a response for your second question. Our Default
Domain Group policy is set to notify our users within 5
days that their password will expire.
It has been our experience that it will prompt them even
if their machine is just locked. When they go to unlock
(if the day is within the last 5 days of the password
life), then it will prompt them then. Hope this helps.
 
On your first question, here's a thought ... are the
passwords of these users already expired? If so they
most likely tried to log in too many times and the account
will be locked; then changes can't be made. When they
call to get their pw reset - give them a "temporary"
password and force them to change it at next logon.
Remember to unlock the account too.
 
Check that the user's account properties in AD Users and Computers is not configured
to not allow the user to change their password. If these users are using XP Pro
computers and the W2K computers do not have a problem, there could be a conflict with
a Domain Controller Security Option for additional restrictions for anonymous
connections. If set to "no access without explicit anonymous permissions" as shown in
the effective setting of a domain controller's Local Security policy, that can cause
what you described to happen to users on XP Pro computers if they have to change
their password before logging on.

You can configure the notification time for password change warning in the Domain
Security Policy [or whatever domain GPO you use to configure account policies] under
security settings/local policies/security options - prompt user to change password
before expiration. By default this is set to 14 days. -- Steve
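
The account-level checks suggested in the replies above (the "User cannot change password" flag, a locked-out account, an already expired password, and the days left before expiry) can be gathered in one pass. This is an added example, not part of any poster's message; the function name `Get-PasswordChangeStatus` and the sample accounts are hypothetical, and live use assumes the ActiveDirectory PowerShell module is available.

```powershell
# Added example: report why an account may be unable to change its password
# and whether it falls inside the expiry warning window.
# Input objects use the property names that Get-ADUser returns.
function Get-PasswordChangeStatus {
    param(
        [Parameter(ValueFromPipeline = $true)] $User,
        [int] $WarnDays = 14,              # default warning window cited in the thread
        [datetime] $Now = (Get-Date)
    )
    process {
        $reasons = @()
        if ($User.CannotChangePassword) { $reasons += 'User cannot change password is set' }
        if ($User.LockedOut)            { $reasons += 'Account is locked out' }
        if ($User.PasswordExpired)      { $reasons += 'Password already expired' }

        # Expiry time is a FILETIME; 0 or Int64.MaxValue means no computed expiry.
        $raw = [int64]$User.'msDS-UserPasswordExpiryTimeComputed'
        $daysLeft = $null
        if ($raw -gt 0 -and $raw -lt [int64]::MaxValue) {
            $expiry   = [datetime]::FromFileTimeUtc($raw)
            $daysLeft = [math]::Floor(($expiry - $Now.ToUniversalTime()).TotalDays)
        }
        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            Blockers       = $reasons -join '; '
            DaysToExpiry   = $daysLeft
            ShouldWarn     = ($null -ne $daysLeft -and $daysLeft -ge 0 -and $daysLeft -le $WarnDays)
        }
    }
}

# Constructed sample accounts (not real users) so the function runs offline.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ SamAccountName = 'user.a'; CannotChangePassword = $true;  LockedOut = $false
        PasswordExpired = $false; 'msDS-UserPasswordExpiryTimeComputed' = $now.AddDays(3).ToFileTimeUtc() }
    [pscustomobject]@{ SamAccountName = 'user.b'; CannotChangePassword = $false; LockedOut = $true
        PasswordExpired = $true;  'msDS-UserPasswordExpiryTimeComputed' = $now.AddDays(-2).ToFileTimeUtc() }
    [pscustomobject]@{ SamAccountName = 'user.c'; CannotChangePassword = $false; LockedOut = $false
        PasswordExpired = $false; 'msDS-UserPasswordExpiryTimeComputed' = [int64]::MaxValue }
)
$sample | Get-PasswordChangeStatus -Now $now | Format-Table -AutoSize

# Live use against the domain (assumes the ActiveDirectory module):
# Get-ADUser -Filter * -Properties CannotChangePassword, LockedOut, PasswordExpired,
#     'msDS-UserPasswordExpiryTimeComputed' | Get-PasswordChangeStatus
```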
 
