Password Change

Guest

I have a couple of users on W2K Pro that when they get the message their
password is about to expire and they change it they get the message again a
couple days later. Anybody else seen this before?
 
Herb Martin

Tewhano said:
I have a couple of users on W2K Pro that when they get the message their
password is about to expire and they change it they get the message again a
couple days later. Anybody else seen this before?

My first thought is a replication problem. (...and
replication problems are usually DNS problems.)

Here's how replication can cause it: User's machine
sets secure channel with DC-b, user logs on gets
message, changes password, DC-b is updated and
replicates to DC-c, DC-d, etc, but misses DC-a
or DC-w.

Next week user's machine sets up secure channel
with DC-a and gets challenged -- in this scenario
(if it's true) the user will need the OLD password
to get authenticated before changing the password.

In any case, check replication. (And of course
check the GPO settings for password expiration
on the domain.)


DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

....or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single-label domain zone names are a problem. Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
 
Pegasus (MVP)

Tewhano said:
I have a couple of users on W2K Pro that when they get the message their
password is about to expire and they change it they get the message again a
couple days later. Anybody else seen this before?

Your first step should be to examine their accounts in detail,
both before they change their passwords and after they have
changed them. Open a Command Prompt, then type this command:

net user %UserName%

What does it say in each case under "Password last set"?
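
An added example, not posted by anyone in this thread: it compares the "Password last set" and "Password expires" lines of `net user` output captured on each DC and reports which DC's copy would still trigger the expiry warning. The DC names, the account, the dates, the US-English date format and the 14-day warning window are assumptions; check the "Prompt user to change password before expiration" setting for the real window.

```python
from datetime import datetime, timedelta

FIELDS = ("Password last set", "Password expires")
DATE_FMT = "%m/%d/%Y %I:%M %p"  # assumption: US-English date format in the output

# Constructed `net user <name>` excerpts, one captured on each DC (placeholder names).
SAMPLE_OUTPUTS = {
    "DC-a": "User name                    jdoe\n"
            "Password last set            12/5/2005 8:02 AM\n"
            "Password expires             1/16/2006 8:02 AM\n",
    "DC-b": "User name                    jdoe\n"
            "Password last set            1/9/2006 9:14 AM\n"
            "Password expires             2/20/2006 9:14 AM\n",
}
NOW = datetime(2006, 1, 10, 8, 0)  # constructed "this morning"

def parse_net_user(text):
    """Return {field: datetime or None} for the password fields of `net user` output."""
    found = {}
    for line in text.splitlines():
        for field in FIELDS:
            if line.strip().startswith(field):
                value = line.strip()[len(field):].strip()
                try:
                    found[field] = datetime.strptime(value, DATE_FMT)
                except ValueError:  # e.g. "Never"
                    found[field] = None
    return found

def compare_dcs(outputs, now, warn_days=14):
    """Return (fields the DCs disagree on, DCs whose copy is inside the warning window)."""
    parsed = {dc: parse_net_user(text) for dc, text in outputs.items()}
    mismatched = [f for f in FIELDS if len({p.get(f) for p in parsed.values()}) > 1]
    window = timedelta(days=warn_days)
    prompting = sorted(dc for dc, p in parsed.items()
                       if p.get("Password expires") and p["Password expires"] - now < window)
    return mismatched, prompting

if __name__ == "__main__":
    print(compare_dcs(SAMPLE_OUTPUTS, NOW))
```

A non-empty first list means the DCs hold different copies of the account, which points at replication rather than at the client.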
 
Guest

For whatever reason I am unable to get that command to work. I also tried
some batch files I found on the Knowledge Base which didn't work either. We
have 60 people in the building and this happens to two employees regularly
and only rarely with a couple others.
 
Guest

I have two DCs on a single domain; both DCs are W2K. They appear to be working
properly. I did notice that the two employees who are having this problem
often have roaming profiles. Thank you for your reply.
 
Guest

Doh! I just worked out that I was running this on the wrong box. It shows
the password being changed yesterday and the expiration is set for next month
as it should but it prompted her for a password change this morning.
 
Guest

I want to thank both of you for your replies again. My biggest problem is I
am the only IT person here, the director resigned a couple weeks ago and I am
trying to put out 5 fires today by myself. After working out which box is
what I finally ran net user on both DCs and they agree. Now I'll just have to
wait and see what happens Monday.
 
Herb Martin

Tewhano said:
I want to thank both of you for your replies again. My biggest problem is I
am the only IT person here, the director resigned a couple weeks ago and I am
trying to put out 5 fires today by myself. After working out which box is
what I finally ran net user on both DCs and they agree. Now I'll just have to
wait and see what happens Monday.

Then one of the most important things for you to do is
to check AD and DNS by typing this on each DC:

dcdiag /f:%computername%.txt

....or perhaps...

dcdiag /c /f:%computername%.txt

Review the output for FAIL, WARN, ERROR messages.
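
An added example, not posted by anyone in this thread: a scan of saved dcdiag text that does the FAIL / WARN / ERROR review per test and lets known-absent services be excluded so they do not mask a real failure. The sample text is constructed in dcdiag's layout, and `DC1`, `scan_dcdiag` and `needs_attention` are names made up for the example.

```python
import re

START = re.compile(r"^\s*Starting test:\s+(\S+)")
RESULT = re.compile(r"^\s*\.+\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)")
KEYWORD = re.compile(r"fail|error|warn", re.IGNORECASE)
MISSING = re.compile(r"Could not open (\S+) Service on \S+?:\s*failed with 1060")

# Constructed sample in dcdiag's layout; DC1 is a placeholder server name.
SAMPLE = """\
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity
      Starting test: Services
         Could not open IISADMIN Service on [DC1]:failed with 1060:
         The specified service does not exist as an installed service.
         Could not open SMTPSVC Service on [DC1]:failed with 1060: The
         specified service does not exist as an installed service.
         ......................... DC1 failed test Services
      Starting test: frssysvol
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.
         ......................... DC1 passed test frssysvol
"""

def scan_dcdiag(text):
    """Return (server, test, verdict, lines) for tests that failed or logged a keyword."""
    findings, details, in_test = [], [], False
    for line in text.splitlines():
        result = RESULT.match(line)
        if START.match(line):
            details, in_test = [], True
        elif result:
            server, verdict, test = result.groups()
            flagged = [d for d in details if KEYWORD.search(d)]
            if verdict == "failed" or flagged:
                findings.append((server, test, verdict, details if verdict == "failed" else flagged))
            details, in_test = [], False
        elif in_test and line.strip():
            details.append(line.strip())
    return findings

def needs_attention(findings, expected_missing=()):
    """Drop Services failures whose only errors are 1060 for known-absent services."""
    keep = []
    for server, test, verdict, lines in findings:
        joined = " ".join(lines)
        missing = MISSING.findall(joined)
        if (test == "Services" and missing and len(missing) == joined.count("failed with")
                and set(missing) <= set(expected_missing)):
            continue
        keep.append((server, test, verdict))
    return keep
```

Calling `needs_attention(scan_dcdiag(text), {"IISADMIN", "SMTPSVC"})` on each DC's output file leaves only the tests that still need a look, including tests that passed but logged a warning.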
 
Guest

Okay, apparently I am juggling too many balls here ;o)

I got DCdiag to work, the documentation I was reading said it was for 2003
but after looking at the doc again I realize the doc was for 2003 not dcdiag.

I received two errors only, both I expected. IISADMIN and SMTPSVR; which
were turned off by my predecessor.

Starting test: Services
Could not open IISADMIN Service on [XAVIER]:failed with 1060:
The specified service does not exist as an installed service.
Could not open SMTPSVC Service on [XAVIER]:failed with 1060: The
specified service does not exist as an installed service.
......................... SERVER01 failed test Services

All the rest on both DC servers passed. What should I do next?

On both servers I ran ‘net user’ and it said the password doesn’t expire
until next month but this morning the employee was prompted to change the
password again. I ran a virus and spyware check which found nothing.
 
Herb Martin

Tewhano said:
It appears that dcdiag is only available for 2003.

That is incorrect.

On Win2000 it is in Support Tools. (Server CD.)
(Same place as Win2003.)
 
Herb Martin

Tewhano said:
Okay, apparently I am juggling too many balls here ;o)

I got DCdiag to work, the documentation I was reading said it was for 2003
but after looking at the doc again I realize the doc was for 2003 not dcdiag.

I received two errors only, both I expected. IISADMIN and SMTPSVR; which
were turned off by my predecessor.

Starting test: Services
Could not open IISADMIN Service on [XAVIER]:failed with 1060:
The specified service does not exist as an installed service.
Could not open SMTPSVC Service on [XAVIER]:failed with 1060: The
specified service does not exist as an installed service.
......................... SERVER01 failed test Services

All the rest on both DC servers passed. What should I do next?

On both servers I ran 'net user' and it said the password doesn't expire
until next month but this morning the employee was prompted to change the
password again. I ran a virus and spyware check which found nothing.

Run NLTest (Support tools) and see which DC is
authenticating the client machine. Or look at:

set logonserver

....for that DC name.

If DCDiag is giving no replication errors for ALL DCs
then I am not sure what to tell you.

Except maybe look even more closely at replication with
ReplMon and RepAdmin.
 
