
Domain requires two password changes upon expiration?

skhoury
Nov 28, 2003
Hello all,

This is a problem that has been plaguing us for several months now. I have tried everything I could possibly think of under the sun and I can't crack it:

Problem -
User passwords are set to expire every 60 days. Our Win2K domain server starts warning the users on login 7 days prior to expiration. If the user ignores the message, it just keeps reminding them on logins (which is fine).

Now here is the weird part: let's say it's day one, and the user decides to change their password right away. The system accepts it and moves on. It no longer complains about expiring passwords... until the 8th day, where out of the blue it says the password has expired and *must* be changed right away (even though they already changed it)!

Does this make any sense to anyone? Could it have something to do with our GPOs? Maybe replication amongst our other domain controllers?

It's driving us nuts; any help will be more than appreciated!

Many thanks,

Sam
 
Sounds like the client computers are not correctly talking to the domain controller.

So the passwords are being changed locally on the client end and cached.

To test this theory, when somebody has just changed their password, have them go onto a computer they have never logged in on before. Have them attempt to log on and see whether it works with their old password or the new one.
 
That's a good idea.

Do you know of a way that I can easily look up the accounts that are about to expire in AD? Or will I have to put a request out to have people see me when they are prompted to change their passwords?

Also, if the client PC wasn't talking to the domain controller correctly, what else could possibly go wrong?
 
There is a small program, 'Network Account Password Age'. It shows the password age in days for all users in the domain. More about it and the download location here.

And you can use the Windows built-in tool:

net user username /domain

This will show the user's password expiration date, last logon, etc. Not the best if you want to collect info about all users, but you can see whether the password was actually changed in AD for the user in question.


===
Karlis
ECDL; MCP
 
Check and see if your PDC emulator DC is up and running:
>dcdiag

Aftertaf

getting quite good at sorting out Windows problems...
An expert when it comes to crashing Linux distributions (mdk, debian - nothing withstands me)
 
I agree with Aftertaf; it looks like a PDCe issue. If the PDCe isn't available then password behaviour can go screwy, as it's the password master in effect. Also, if your clients are down-level (older than Windows 2000) they need to talk directly to the PDCe to even change the password.
 
Hmmm, really interesting, guys. OK, I'm going to go check all of the above and post back results. Thanks for the fantastic feedback!
 
OK, I ran the dcdiag command and several tests started to run. All of them passed except one! Does anyone know what this error means:

Starting test: frssysvol
Error: No record of File Replication System, SYSVOL started.
The Active Directory may be prevented from starting.
......................... OURADC passed test frssysvol


All the rest of them are cool. Also, all of our down-level clients are Win2K workstations.

Anything?

Thanks!
 
Just a thought: are your maximum password age and minimum password age the same?

(security settings > password policy)
 
Reboot your server, then check its logs.
See what can be stumping it on reboot.

Am I right when I say you only have one server?

Aftertaf

"Resolve is never stronger than the night before it was never weaker
 
Moore, that's a good thought; however, I checked that already and they are not:

Min is 2 days, max is 42 days. :(

On the other hand, with regards to one of my previous posts about the frssysvol: I just restarted the service and it loaded up just fine. So after doing that and running dcdiag, everything came back as passing.

aftertaf - we have 5 servers, 3 of which are domain controllers. Do you think that makes a difference... a replication issue possibly?
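The `net user username /domain` check suggested earlier only shows what one DC (the one the client happened to locate) believes. With three DCs in one site, the question above is really whether the new pwdLastSet value reached all three. The script below is an added example, not something posted in the thread: it asks every DC in the domain for the same user's pwdLastSet and computed expiry, prints the domain's minimum/maximum password age alongside, and warns when the DCs disagree. It assumes the ActiveDirectory RSAT module (Windows Server 2008 R2 or later, so not the Win2K boxes discussed here); `jdoe` is a placeholder account name. The `msDS-UserPasswordExpiryTimeComputed` attribute needs a 2008 or newer DC to compute it; on older DCs that column will simply error.

```powershell
# Added example: compare one user's password timestamps across every DC.
# Assumes the ActiveDirectory RSAT module; 'jdoe' is a placeholder user.
Import-Module ActiveDirectory

$user = 'jdoe'   # placeholder: the account whose password was just changed

# AD stores both values as 64-bit FILETIME; 0 and Int64.MaxValue are sentinels.
function ConvertFrom-ADFileTime([Int64]$ft) {
    if ($ft -le 0)                  { return 'not set (change at next logon)' }
    if ($ft -eq [Int64]::MaxValue)  { return 'never' }
    return [DateTime]::FromFileTime($ft)
}

# The policy Moore asked about: min and max password age must differ.
$policy = Get-ADDefaultDomainPasswordPolicy
"MinPasswordAge: {0}   MaxPasswordAge: {1}" -f $policy.MinPasswordAge, $policy.MaxPasswordAge

# Ask each DC directly (-Server) rather than whichever DC the client locates.
$results = foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        $u = Get-ADUser -Identity $user -Server $dc.HostName `
                        -Properties pwdLastSet, 'msDS-UserPasswordExpiryTimeComputed'
        [pscustomobject]@{
            DC         = $dc.HostName
            PwdLastSet = ConvertFrom-ADFileTime $u.pwdLastSet
            Expires    = ConvertFrom-ADFileTime $u.'msDS-UserPasswordExpiryTimeComputed'
        }
    } catch {
        [pscustomobject]@{ DC = $dc.HostName; PwdLastSet = "ERROR: $_"; Expires = $null }
    }
}
$results | Format-Table -AutoSize

# Disagreement between DCs means the change has not replicated.
if (($results.PwdLastSet | Select-Object -Unique).Count -gt 1) {
    Write-Warning "pwdLastSet for $user differs between DCs: check replication (repadmin /replsummary, repadmin /showrepl)"
}
```

If the timestamps match on all three DCs, the value in AD is consistent and the problem is on the client side (the cached-credential theory raised earlier); if they differ, `repadmin /showrepl` on the DC holding the stale value shows which replication partner is failing.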
 
Are all 3 in the same site?


Try transferring the PDC emulator FSMO role to another DC...

Aftertaf

"Resolve is never stronger than the night before it was never weaker
 
Yup, all 3 are in the same site.

How do I transfer the PDCe role? I have no idea...
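An added example (not posted in the thread) for the question above: list the current FSMO role holders, let dcdiag confirm the other DCs agree and can reach the holder, and then transfer the PDC emulator role. It assumes the ActiveDirectory RSAT module; `DC2` is a placeholder for the DC you want to hold the role. On Windows 2000 itself the same transfer is done from `ntdsutil` (`roles`, `connections`, `connect to server DC2`, `quit`, `transfer PDC`) or from Active Directory Users and Computers (right-click the domain, Operations Masters, PDC tab, Change).

```powershell
# Added example: inspect and transfer the PDC emulator FSMO role.
# Assumes the ActiveDirectory RSAT module; 'DC2' is a placeholder target DC.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
"PDC emulator        : $($domain.PDCEmulator)"
"RID master          : $($domain.RIDMaster)"
"Infrastructure      : $($domain.InfrastructureMaster)"
"Schema master       : $($forest.SchemaMaster)"
"Domain naming master: $($forest.DomainNamingMaster)"

# Do the DCs agree on the role holders, and is each holder actually answering?
dcdiag /test:KnowsOfRoleHolders
dcdiag /test:FsmoCheck

# Transfer, not seize: the current holder must be online, because a transfer is
# a cooperative hand-off between the two DCs. Seizing (-Force) is only for a DC
# that will never come back; seizing while the old holder is alive leaves two
# DCs claiming the role.
$target = 'DC2'   # placeholder
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole PDCEmulator -Confirm:$false

# Confirm the new holder, then re-check from the other DCs' point of view.
(Get-ADDomain).PDCEmulator
netdom query fsmo
```

After the transfer, run `dcdiag /test:KnowsOfRoleHolders` again on one of the other DCs; all three should name the new holder once replication of the role change has completed.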
 
Ahhhh, it's back! Looks like it's time to get MS on the phone... sigh.
 