
When I reset user passwords in Active Directory on Windows Server 2008 or Windows Server 2012 and check the option "User must change password at next logon", it prevents users from being able to log in.

However, when I do not check this option and reset their password and unlock their account, the users can log in successfully. This obviously presents a bit of a security issue.

I'm not versed enough in AD to know why this is occurring. Has anyone seen this before?

ProfessionalAmateur
    Please define "prevents users from being able to login": what error, what does or does not happen? Is password complexity enabled? – Ed Fries Jul 23 '13 at 04:55
  • @EdFries - If a user locks their account, they'll call IT for us to unlock them, reset their password, etc... But when I do this and check the option to force them to change it, they are still essentially locked out and cannot log in. Same occurs for new users. I'll see if I can get a screenshot when I'm back in the office. – ProfessionalAmateur Jul 23 '13 at 05:21
  • We would at least need the error message it gives out to be of any help. It sounds like you might have a credential provider installed too; is this the case? – Falcon Momot Jul 23 '13 at 05:27
  • @FalconMomot - I'm not sure what a credential provider is? I'm a programmer that helps out the helpdesk people if passwords need to be reset and no one is here, so I'm missing a lot of basic AD knowledge. I just know that this feature being broken doesn't make any sense and it can't be a bug in AD. – ProfessionalAmateur Jul 23 '13 at 14:34
  • That is exactly why I asked. Credential providers are the successor to GINA plugins; they modify the login screen in some way. I also wonder what else is in your environment - is something that authenticates against AD repeatedly trying an expired password instead of asking the users to change it? – Falcon Momot Jul 23 '13 at 19:02
  • Different actions & boxes: unlock account & user must change pswd at next logon. Checking "User must change password..." means you must still reset the pswd, give to user, they will be able to logon and THEN they will be forced to change it immediately. Is that not what is happening? – Ed Fries Jul 23 '13 at 19:17
  • @EdFries - Correct, that is what I am doing. Resetting their password to "SimplePassword", unlock account, and check box for them to change it immediately upon next successful login. – ProfessionalAmateur Jul 23 '13 at 19:19
  • @FalconMomot - I will have to check. Our login screens seem stock, we do host our MS Exchange service, so maybe this is it? Still trying to hunt down a screenshot of the error. – ProfessionalAmateur Jul 23 '13 at 19:20

3 Answers


The only time I've seen something like this was when we deployed a NAC agent that only allowed certain ports unless the user had logged in. Basically, network services had allowed the ports to log in but were blocking the ports needed to change passwords.

If you're using some kind of similar product, or are otherwise in a similar situation, you'll need to make sure that port 464 is open in addition to the LDAP ports (389 and 636). There's a full list of AD ports here: http://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx

Katherine Villyard

Is your domain functional level 2012? Sounds like your password policy has entries defined for password age. (I think 2012 dictates that users must wait 1 day to change their password by default.) You should take a look at your Group Policy password settings.

http://technet.microsoft.com/en-us/library/hh994572(v=ws.10).aspx

DanBig
  • Forced password changes override this policy. If I recall, the implementation sets passwordLastChanged to -1 to force the change. – Falcon Momot Sep 19 '13 at 17:51
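An added diagnostic that ties the two answers above together; it is not from either answer or from Microsoft. It reads the affected account's pwdLastSet attribute (the value AD actually sets to 0 for "User must change password at next logon"), shows the effective minimum password age, and checks from the workstation whether the Kerberos change-password port 464 is reachable on every DC alongside the LDAP ports. It assumes the ActiveDirectory RSAT module and Test-NetConnection (Windows 8.1 / Server 2012 R2 or later); the account name is a placeholder.

```powershell
# Added diagnostic for the "must change password at next logon" failure.
# Assumes the ActiveDirectory module (RSAT) and Test-NetConnection (2012 R2+).
# $SamAccountName is a constructed placeholder; replace with the affected user.
param([string]$SamAccountName = 'jdoe')
Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName `
    -Properties pwdLastSet, LockedOut, PasswordExpired, PasswordNeverExpires

# pwdLastSet = 0 is how AD records "User must change password at next logon".
$mustChange = ($user.pwdLastSet -eq 0)
"{0}: mustChange={1} lockedOut={2} expired={3}" -f `
    $user.SamAccountName, $mustChange, $user.LockedOut, $user.PasswordExpired

# Effective minimum password age: a fine-grained policy wins over the domain
# default. A forced change (pwdLastSet = 0) is exempt from the minimum age,
# so a non-zero value here is not by itself the cause of a failed logon.
$policy = Get-ADUserResultantPasswordPolicy -Identity $user
if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }
"Effective MinPasswordAge = {0}" -f $policy.MinPasswordAge

# A forced change at logon goes through Kerberos kpasswd (TCP/UDP 464), not
# LDAP. If a NAC agent or firewall lets 88/389 through but filters 464, the
# user authenticates but cannot complete the mandatory change, which looks
# exactly like a lockout. Test-NetConnection only probes TCP; UDP 464 is not
# covered here.
$ports = [ordered]@{ Kerberos = 88; kpasswd = 464; LDAP = 389; LDAPS = 636; SMB = 445 }
foreach ($dc in Get-ADDomainController -Filter *) {
    foreach ($name in $ports.Keys) {
        $open = Test-NetConnection -ComputerName $dc.HostName -Port $ports[$name] `
            -InformationLevel Quiet -WarningAction SilentlyContinue
        "{0}`t{1,-9}{2,-5}{3}" -f $dc.HostName, $name, $ports[$name],
            $(if ($open) { 'open' } else { 'BLOCKED' })
    }
}
```

Run it from the workstation where the logon fails, not from the DC, so the port checks cross the same network path the user's logon does.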
  1. Run tsconfig.msc
  2. Right click on the RDP Connection "RDP-Tcp" and click "Properties"
  3. Under the General tab, change the Security Layer to "RDP Security Layer"
Jacob