Windows 2003 Password Expiration

Mike Bazelon

I have a new Windows 2003 server which I migrated users from Novell
using MS services for netware sp2. The conversion did not have any
issues, but I am having issues with account expiration and lockout.
Accounts seem to expire within 24 hours. I have set the password
never expires check box, checked the global policies, looked through
ADSIedit, and used ALtools to look at the advanced options in the
account. The only option that works is the Account expires option.
If I set that ahead then the users will not see any more errors. Does
anyone have any advice? Thanks for your help.


Mike

Steven L Umbach

On the domain controller, try using the command "net user username" [substituting
actual username] to see what it reports for a user account as far as expiring when
you have it set to never in the user account properties. Are the accounts themselves
expiring or the passwords or both? You may also want to check the maximum password
age reported with "net accounts" on the domain controller. Also check that your
account lockout threshold in Domain Security Policy is not too low and keep in mind
that account/password policy can only be set at the domain level for domain users.
Microsoft recommends no less than ten. Old passwords used in Scheduled Tasks and
mapped drives are a common cause of account lockouts. Enabling auditing of logon
events on the users workstations and any servers that they may use may prove helpful
in tracking down lockouts. Auditing should already be enabled on the W2003 domain
controller. Logon events for success and failure are recorded in the security log in
Event Viewer after auditing has been enabled. --- Steve
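The two commands Steve points at ("net user username" and "net accounts") print plain two-column text, and the thing to look for is whether it is the account or the password that is expiring, and whether the lockout threshold is below the ten he mentions. The script below is an added example, not something from this thread or from Microsoft: it parses constructed sample output in the layout those commands print on a Windows 2003 domain controller (US-locale date format is assumed, as are the field labels) and flags an account whose "Account expires" or "Password expires" falls within the next 24 hours, an account reported as locked, and a lockout threshold under ten. Paste real output into the two strings to run it against your own DC.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout "net user <name>" prints on a W2003 DC.
# Note "Account expires" is set to the next day while "Password expires" is Never.
NET_USER_SAMPLE = """\
User name                    jdoe
Full Name                    Jane Doe
Account active               Yes
Account expires              1/21/2005 12:00 AM

Password last set            1/15/2005 9:12 AM
Password expires             Never
Password changeable          1/16/2005 9:12 AM
Password required            Yes
User may change password     Yes

Last logon                   1/20/2005 8:03 AM
The command completed successfully.
"""

# Constructed sample in the layout "net accounts" prints on a DC.
NET_ACCOUNTS_SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    3
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""

DATE_FORMAT = "%m/%d/%Y %I:%M %p"  # assumption: US-locale output of net user


def parse_net_user(text):
    """Turn the two-column 'net user' listing into a label -> value dict."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("The command"):
            continue
        parts = re.split(r"\s{2,}", line.rstrip(), maxsplit=1)
        fields[parts[0]] = parts[1] if len(parts) > 1 else ""
    return fields


def parse_net_accounts(text):
    """Turn the 'label: value' lines of 'net accounts' into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, value = line.rsplit(":", 1)
        fields[label.strip()] = value.strip()
    return fields


def parse_when(value):
    """'Never' -> None, otherwise the timestamp net user printed."""
    if value.strip().lower() == "never":
        return None
    return datetime.strptime(value.strip(), DATE_FORMAT)


def check_user(fields, now, horizon=timedelta(hours=24)):
    """Separate 'account expiring' from 'password expiring' from 'locked out'."""
    findings = []
    active = fields.get("Account active", "")
    if active != "Yes":  # net user reports 'Locked' for a locked-out account
        findings.append(f"account not active (net user reports {active!r})")
    acct = parse_when(fields.get("Account expires", "Never"))
    if acct is not None and acct <= now + horizon:
        findings.append(f"Account expires {acct:%Y-%m-%d %H:%M}, within {horizon} of now")
    pwd = parse_when(fields.get("Password expires", "Never"))
    if pwd is not None and pwd <= now + horizon:
        findings.append(f"Password expires {pwd:%Y-%m-%d %H:%M}, within {horizon} of now")
    return findings


def check_policy(fields, recommended_min_threshold=10):
    """Flag a lockout threshold below the value recommended in the thread."""
    findings = []
    threshold = fields.get("Lockout threshold", "Never")
    if threshold.lower() != "never" and int(threshold) < recommended_min_threshold:
        findings.append(f"Lockout threshold is {threshold}, below {recommended_min_threshold}")
    findings.append(f"Maximum password age (days): {fields.get('Maximum password age (days)')}")
    return findings


if __name__ == "__main__":
    now = datetime(2005, 1, 20, 8, 0)  # constructed 'current time' for the sample
    for f in check_user(parse_net_user(NET_USER_SAMPLE), now):
        print("USER:", f)
    for f in check_policy(parse_net_accounts(NET_ACCOUNTS_SAMPLE)):
        print("POLICY:", f)
```

With the sample data the user check reports only the account expiry (the password is set to never expire), which is the distinction Steve asks Mike to make, and the policy check reports the threshold of 3 as below ten.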

Steven L Umbach

I should also add to run netdiag and dcdiag on your domain controller first and if
that checks out OK with no failed tests/errors/warnings particularly for dns, dclist,
and domain membership then run netdiag on a couple of your workstations.
Misconfiguration, particularly of DNS, in a W2K/W2003 domain can cause a lot of
problems [domain controller must point to itself and workstations to the DC as
preferred DNS server] as can some security options. If that is the case, users may
also unknowingly be logging on with "cached credentials", which can make it all the
more difficult in tracking down what the problem is. Netdiag and dcdiag are on the
install cd in the support/tools folder where you need to run setup. Make sure you
install the version for the proper operating system as installing the W2K version on
XP Pro or W2003 will not work right. --- Steve
