Fine Grained Password Policy and Password expiry notification issues with intranet and Webportals
-
Thursday, February 07, 2013 10:43 AM
We have a Windows 2008 R2 domain and Windows 7 clients.
I've tested the Fine grained password the past weeks, and today I enabled it for everyone. During next logon users will get a password notification balloon to change their password within 14 days. Works great. No problem.
One issue we have is that the moment I activate the PSO, users can not connect to our intranet and some webportals.. Users did not get the password expiry notification balloon yet, because they were already logged on. Still they could not use the webportal, which was no problem minutes before I activated the PSO. If the users changed their password, they then can connect to the webportal.
But like I said, if you are already logged on you will get the notification the next time you log on, but meanwhile we can not connect to our intranet..
What could be the problem??? Is it the authentication method with IIS 7???
Thanx
- Moved by Cheers ZHANGMicrosoft Contingent Staff, Moderator Friday, February 08, 2013 12:58 AM
- Edited by Biga_b Friday, February 08, 2013 7:34 AM
All Replies
-
Friday, February 08, 2013 8:18 AM Moderator
Hi,
Here is a step by step guide:
AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx
It seems that the password is expired once you applied the PSO.
You may be able to work around this by either forcing a logoff, or showing a balloon to users with a script. For example please see:
TechNet Subscriber Support in forum |If you have any feedback on our support, please contact tnmff@microsoft.com.
-
Friday, February 08, 2013 9:51 AM
I don't think that is the solution I'm looking for.. I think you misunderstood my question..
In fact the AD DS Fine-Grained Password works great. Users do get a balloon to change their password. So no problem with that..
But currently if your Windows password expires, or the user flag "must change password at next logon" has been set, then authentication simply fails with our webportals. i.e., IIS doesn't have a built-in mechanism for handling changing passwords.
This forum describes the problem I have..
http://forums.iis.net/t/1146818.aspx/1/10
Keep in mind that we use IIS 7 and 7.5..
As far as I know IISADMPWD is not supported on IIS 7 and higher.. So how to deal with this issue..
Thanx
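
A pre-check for the situation described in this thread, as an added example that is not part of the original posts: before a PSO is linked, list the accounts whose current password would already be past the new maximum age (and so would fail IIS authentication straight away) or would fall inside the 14-day notification window. The group name `PSO-Target-Users` and the 90-day maximum age are assumptions; substitute the group the PSO will apply to and its planned `MaxPasswordAge`.

```powershell
# Added example: report who is affected the moment a PSO takes effect.
# Requires the ActiveDirectory module (RSAT or a Windows Server 2008 R2+ DC).
Import-Module ActiveDirectory

$TargetGroup = 'PSO-Target-Users'  # hypothetical group the PSO will be linked to
$MaxAgeDays  = 90                  # assumed MaxPasswordAge planned for the PSO
$WarnDays    = 14                  # notification window mentioned in the thread

$now = Get-Date

$report = Get-ADGroupMember -Identity $TargetGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object { $_.Enabled -and -not $_.PasswordNeverExpires } |
    ForEach-Object {
        if ($null -eq $_.PasswordLastSet) {
            # pwdLastSet = 0: "must change password at next logon" is already set
            $status  = 'MustChangeAtNextLogon'
            $expires = $null
        }
        else {
            # Expiry is computed from the last password change, not from the
            # date the PSO is applied, so old passwords expire immediately.
            $expires = $_.PasswordLastSet.AddDays($MaxAgeDays)
            if     ($expires -le $now)                    { $status = 'ExpiresImmediately' }
            elseif ($expires -le $now.AddDays($WarnDays)) { $status = 'InWarningWindow' }
            else                                          { $status = 'OK' }
        }
        New-Object PSObject -Property @{
            SamAccountName  = $_.SamAccountName
            PasswordLastSet = $_.PasswordLastSet
            Expires         = $expires
            Status          = $status
        }
    }

# Accounts that need a password change before (or right after) the PSO is linked
$report |
    Where-Object { $_.Status -ne 'OK' } |
    Sort-Object Status, Expires |
    Select-Object SamAccountName, PasswordLastSet, Expires, Status |
    Format-Table -AutoSize
```

Accounts reported as `ExpiresImmediately` or `MustChangeAtNextLogon` are the ones that would be rejected by the web portals until the password is changed.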

