
| Subject: | RE: active directory password policy |
|---|---|
| Date: | Tue, 8 Feb 2005 13:30:22 -0500 |
We ran into the same problem. The only way I found to get around this is to set the 'password never expires' setting for all users using ADModify. This allows you to stagger who gets the policy when. This also allows you to exclude remote users. You can then control their password changes at your convenience.

ADModify is a must. It works great. Just keep in mind that if you set the 'password never expires' (which will override the domain wide policy) you cannot also set 'user must change at next logon'. The two are mutually exclusive.

Hope this helps.

-----Original Message-----
From: John Coke [mailto:JCoke@afsimage.com]
Sent: Monday, February 07, 2005 7:01 PM
To: Mike; William Stegman; focus-ms@securityfocus.com
Subject: RE: active directory password policy

Domain-wide password, account lockout and Kerberos policies can only be set at the domain level. Password policies linked at the OU level are applied to the users configured on the local machine and are ignored when the user logs in with a domain account.

-John

-----Original Message-----
From: Mike [mailto:mike_sha@shaw.ca]
Sent: Monday, February 07, 2005 12:29 PM
To: William Stegman; focus-ms@securityfocus.com
Subject: RE: active directory password policy

Could you put them in a different OU with its own GP that has looser policies on password security?

Mike Fetherston

-----Original Message-----
From: William Stegman [mailto:stegmanw@comcast.net]
Sent: Friday, February 04, 2005 5:10 PM
To: focus-ms@securityfocus.com
Subject: active directory password policy

Does anyone have any experience with remote users who do not login to the domain on a regular basis or at all, and have a password expiration policy in effect? We can't seem to come up with a good plan to handle these users. They only occasionally access domain resources such as webmail via the Internet or an internal website to do timesheets via vpn, and will not have the luxury of logging on to a machine connected to our LAN and getting the warning about soon to expire passwords. If our policy dictates passwords expire every 90 days, how can we avoid the inevitable calls regarding password resets?

thx

William Stegman - Network Administrator
TransCore - Hummelstownd
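Accounts flagged 'password never expires' fall outside the 90-day domain policy discussed in this thread, so they need their own tracking. The audit below is an added example, not part of the thread or of ADModify; it assumes account records exported with the standard AD attributes `sAMAccountName`, `userAccountControl` and `pwdLastSet`, and the sample records and status names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

NORMAL_ACCOUNT = 0x0200         # userAccountControl: ordinary user account
DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl: "password never expires"
# pwdLastSet is a FILETIME (100 ns ticks since 1601-01-01 UTC); 0 = must change at next logon.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MAX_AGE_DAYS = 90  # expiry interval mentioned in the thread

def filetime_to_datetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def classify(account, now, max_age_days=MAX_AGE_DAYS):
    """Return the password-expiry status of one exported account record."""
    never_expires = bool(account["userAccountControl"] & DONT_EXPIRE_PASSWORD)
    if account["pwdLastSet"] == 0:
        # The thread calls the two settings mutually exclusive; flag both-set for review.
        return "conflict" if never_expires else "must-change"
    age = (now - filetime_to_datetime(account["pwdLastSet"])).days
    if never_expires:
        # Outside the domain policy; "exempt-stale" is overdue for a managed change.
        return "exempt-stale" if age > max_age_days else "exempt"
    return "expired" if age > max_age_days else "ok"

def audit(accounts, now):
    report = {}
    for acct in accounts:
        report.setdefault(classify(acct, now), []).append(acct["sAMAccountName"])
    return report

NOW = datetime(2005, 2, 8, tzinfo=timezone.utc)  # constructed reference date

def sample(name, uac, days_old):  # hypothetical helper building constructed records
    pls = 0 if days_old is None else datetime_to_filetime(NOW - timedelta(days=days_old))
    return {"sAMAccountName": name, "userAccountControl": uac, "pwdLastSet": pls}

SAMPLE = [
    sample("office.user", NORMAL_ACCOUNT, 30),
    sample("remote.vpn", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, 200),
    sample("remote.new", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, 10),
    sample("lapsed.user", NORMAL_ACCOUNT, 120),
    sample("reset.user", NORMAL_ACCOUNT, None),
    sample("odd.user", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, None),
]

if __name__ == "__main__":
    for status, names in sorted(audit(SAMPLE, NOW).items()):
        print(f"{status:13} {', '.join(names)}")
```

Running the audit on a schedule gives the list of exempt accounts whose passwords are older than the policy interval, which is the set the administrator has to rotate by hand.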