Active Directory Password Change Issue

We have a password issue here. The security policy requires changing users' passwords every 90 days (so the 'Password never expires' solution is not working now). They get an automatic warning email 2 weeks before their password expires. They can skip this notification and change it before the deadline, but if they don't, then the system locks them out and we have to change their password in the console. Of course it's not a big deal in the case of a few users, but we have 200 by now. What should I do to make their account let them in after the 90 days and allow them to change their password on their local machine? Thanks.

S.Bereczki

Posted 2016-07-20T09:36:06.113

Reputation: 11

How do they connect? Are they logging in locally, or do they use something like a terminal server connection? The latter normally causes a disconnect, after which the user is not able to reconnect. Users will need to use something like VPN or webmail login in order to trigger a password change prompt. – LPChip – 2016-07-20T10:50:16.803

Something doesn't sound right; unless you have some other policy also enabled, the accounts shouldn't be getting locked after only 90 days with the same password. That is the default behavior; that isn't even a standard security policy, being forced to change the password after 90 days is normal. – Ramhound – 2016-07-20T11:16:26.250

Answers

1

I don't recall an account being locked when the user forgot to change the password before the deadline (I know this happens a lot in hardened Linux servers though).

In case it really did happen, assuming you have domain administrator access, you can:

  1. Log in to your domain controller as domain admin
  2. Open up "Active Directory Users and Computers"
  3. Go to "Users"
  4. Find the user account, right click and open "Properties"
  5. Browse to the "Accounts" tab and tick "Unlock account"

This should unlock the account and when the user tries to login again (via console or Remote Desktop), Windows should prompt a password change.

Lok.K.

Posted 2016-07-20T09:36:06.113

Reputation: 51

Thanks for the quick and useful answer. It can be a temporary solution, but I asked in a wrong way. How can I automatically make their account unlocked when they forgot to change the pass? Maybe it's a missing update or some easy thing, but I can't find out yet. – S.Bereczki – 2016-07-20T10:12:46.563

@S.Bereczki From this KB, it seems the expired accounts will never be locked out. I have tried looking over the Internet but haven't found a similar problem description so far. – Lok.K. – 2016-07-20T10:50:21.853

1

This is definitely not the default behavior, as pointed out here. In your case the domain admin is using a third-party script or tool which is achieving that behavior. You should investigate this further by examining your GPO and the installed programs on your DC server.

buzz boy

Posted 2016-07-20T09:36:06.113

Reputation: 171
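A PowerShell check, added here and not part of either answer, that separates "password expired" from "account locked out" so the root cause can be confirmed before anyone is unlocked. It covers the manual unlock step from Lok.K.'s answer and the policy investigation buzz boy suggests; it assumes the ActiveDirectory RSAT module and an account allowed to read the domain (and, for -Unlock, to unlock users).

```powershell
# Added example (not from the original thread). Report only by default;
# pass -Unlock to also clear the lockout on accounts found in both states.
param(
    [switch]$Unlock
)

Import-Module ActiveDirectory

# 1. Domain-wide policy: MaxPasswordAge is the 90-day expiry, but only
#    LockoutThreshold locks accounts (0 = lockout disabled). A fine-grained
#    password policy (PSO) applied to a group can override this per user.
$policy = Get-ADDefaultDomainPasswordPolicy
Write-Host ("MaxPasswordAge: {0}  LockoutThreshold: {1}  LockoutDuration: {2}" -f
    $policy.MaxPasswordAge, $policy.LockoutThreshold, $policy.LockoutDuration)

# 2. Enabled users whose password has expired. Expected behaviour: they are
#    prompted to change it at the next interactive logon, not locked out.
$expired = Search-ADAccount -PasswordExpired -UsersOnly |
           Where-Object { $_.Enabled }

# 3. Enabled users that are genuinely locked out (bad-password counter reached
#    LockoutThreshold, or some tool set the lockout state). The source of each
#    lockout is recorded as Security event 4740 on the PDC emulator.
$lockedOut = Search-ADAccount -LockedOut -UsersOnly |
             Where-Object { $_.Enabled }

# Users in both sets match what the question describes.
$both = $lockedOut | Where-Object {
    $expired.SamAccountName -contains $_.SamAccountName
}

foreach ($u in $both) {
    # Which policy actually applies to this user (a PSO may carry its own
    # LockoutThreshold, which a GPO-only review would miss).
    $pso = Get-ADUserResultantPasswordPolicy -Identity $u.SamAccountName
    $src = if ($pso) { $pso.Name } else { 'Default Domain Password Policy' }
    Write-Host ("{0}: expired AND locked out, policy source: {1}" -f
        $u.SamAccountName, $src)

    if ($Unlock) {
        # Same effect as ticking "Unlock account" in ADUC; the password stays
        # expired, so the user is still forced to change it at next logon.
        Unlock-ADAccount -Identity $u.SamAccountName
    }
}

Write-Host ("Expired: {0}  Locked out: {1}  Both: {2}" -f
    @($expired).Count, @($lockedOut).Count, @($both).Count)
```

If LockoutThreshold is 0 in the default policy and no PSO applies, yet accounts still show LockedOut, the lockout is being set by something outside the built-in policy, which is the scenario buzz boy's answer points at.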