Our Help Desk has been resetting user passwords with "user must reset password at next logon" for years.

Recently, the default domain policy "minimum password age" was changed from 0 days to 5 days.

Now, when the Help Desk resets a user's password with "user must reset password" selected, the end user receives a denied message because the password was reset less than 5 days ago.

Searches only reveal how to delegate permissions to reset passwords, which has been done. It appears the Help Desk's change of the password flags the password reset the same as if the user had reset the password themselves.

Any clues?

HopelessN00b
Larwills

1 Answer


That's not how it works - the 'user must change password at next login' flag zeroes out the pwdLastSet attribute, so that the user is forced to change at next login.

When this happens, there's no timestamp, so the minimum age requirement is always considered to be met. You can test this by changing your own password, then (without logging out) checking the 'must change password at next login' box on your account, then changing your own password again. It'll work, since the timestamp of your previous password change is wiped away by forcing the change.

What's really happening (and the help desk is misleading you about) is that they're resetting the passwords without setting the 'must change password at next login' flag. The pwdLastSet timestamp is then set based on the password change that the help desk implemented, and the user can't change the password.

If this password policy is set, then your help desk will need to be trained to always set the flag - and that failure to do so will result in user complaints.

Shane Madden
  • Thank you Shane, if the "User must change password at next login" is supposed to reset the password last set to 0 that gives me a place to look. What is occurring is the must change password is set, the user gets the prompt that must change their password and when attempting to change the password they receive the error – Larwills Jul 08 '14 at 18:42
  • @Larwills That wouldn't be an error from the age control, then - probably a complexity or history violation. – Shane Madden Jul 08 '14 at 18:47
  • @Shane Madden: That seems backwards. Setting pwdLastSet to zero sets the ADS_UF_PASSWORD_EXPIRED flag in UserAccountControl. That flag is read only and is only set by the system. http://msdn.microsoft.com/en-us/library/aa772300%28v=vs.85%29.aspx. They may be setting pwdLastSet to zero first, then setting the password to the temporary password value. – Greg Askew Jul 08 '14 at 18:54
  • 1
    @GregAskew I'm not talking about that system flag. I'm talking about the "User must change password at next logon" checkbox in dsa.msc, which, as I just tested to triple-check, manipulates `pwdLastSet` exactly how I've described. – Shane Madden Jul 08 '14 at 18:58
  • Thanks Greg. That makes perfect sense and aligns with what Shane said. Due to the issues created, especially with people who VPN into the network, I was forced to reset the "minimum password age" back to 0, at which time everything began working normally. I need to determine the root cause before I change the minimum password age away from 0. – Larwills Jul 08 '14 at 22:37
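The mechanism Shane Madden's answer describes can be checked and enforced from PowerShell rather than from dsa.msc. The script below is an added example, not code from the original post or its commenters: it reads pwdLastSet for an account, and wraps a Help Desk reset so that the "must change at next logon" flag is set only after the password itself is reset. The ordering matters for the reason raised in the comments: setting a password (administrative reset included) stamps pwdLastSet with the current time, so if the flag is set first and the temporary password second, the zero is overwritten and the user then hits the minimum-age check. The account name 'jdoe' is hypothetical; the ActiveDirectory module (RSAT) is assumed to be installed, and the caller needs the delegated reset-password permission already in place.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module (RSAT) and a hypothetical user 'jdoe' in the current domain.
Import-Module ActiveDirectory

function Get-PwdLastSetState {
    param([Parameter(Mandatory)][string]$Identity)

    # pwdLastSet is the raw 64-bit FILETIME stored in AD; 0 means
    # "user must change password at next logon". PasswordLastSet is the
    # cmdlet's friendly conversion and is $null when pwdLastSet is 0.
    $u = Get-ADUser -Identity $Identity -Properties pwdLastSet, PasswordLastSet
    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        pwdLastSet        = $u.pwdLastSet
        PasswordLastSet   = $u.PasswordLastSet
        MustChangeAtLogon = ($u.pwdLastSet -eq 0)
    }
}

function Reset-HelpDeskPassword {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][securestring]$TemporaryPassword
    )

    # Step 1: administrative reset. This writes pwdLastSet = now, which is
    # exactly the timestamp the domain's minimum password age is measured from.
    Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $TemporaryPassword

    # Step 2: only AFTER the reset, tick the checkbox. This zeroes pwdLastSet,
    # so the minimum-age check has no timestamp to compare against.
    # Doing this before step 1 would be undone by step 1.
    Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true

    Get-PwdLastSetState -Identity $Identity
}

# Usage against the hypothetical account. If MustChangeAtLogon comes back
# $false, the flag was lost and the user will be blocked by the 5-day minimum.
$tmp   = Read-Host -AsSecureString -Prompt 'Temporary password for jdoe'
$state = Reset-HelpDeskPassword -Identity 'jdoe' -TemporaryPassword $tmp
if (-not $state.MustChangeAtLogon) {
    Write-Warning "pwdLastSet is $($state.pwdLastSet); user will hit the minimum-age check."
}
$state
```

Running Get-PwdLastSetState against a user who has just complained is a quick way to separate the two failure modes discussed in the thread: a non-zero pwdLastSet within the last 5 days points at the flag being missing or overwritten, while a pwdLastSet of 0 means the rejection is coming from a different rule (complexity or history), as Shane suggests in the comments.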