We have a Windows 2008 R2 domain and Windows 7 clients.
I've tested the Fine-Grained Password the past weeks, and today I enabled it for everyone. During next logon users will get a password notification balloon to change their password within 14 days. Works great. No problem.
One issue we have is that the moment I activate the PSO, users cannot connect to our intranet and some web portals. Users did not get the password expiry notification balloon yet, because they were already logged on. Still, they could not use the web portal, which was no problem minutes before I activated the PSO. If the users changed their password, they could then connect to the web portal.
But like I said, if you are already logged on you will get the notification the next time you log on, but meanwhile we cannot connect to our intranet.
What could be the problem? Is it the authentication method with IIS 7?
Here is a step by step guide:
AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide
It seems that the password is expired once you applied the PSO.
You may be able to work around this by either forcing a logoff or showing a balloon to users with a script. For example, please see:
TechNet Subscriber Support in forum | If you have any feedback on our support, please contact email@example.com.
I don't think that is the solution I'm looking for. I think you misunderstood my question.
In fact the AD DS Fine-Grained Password works great. Users do get a balloon to change their password. So no problem with that.
But currently if your Windows password expires, or the user flag "must change password at next logon" has been set, then authentication simply fails with our web portals, i.e., IIS doesn't have a built-in mechanism for handling changing passwords.
This forum describes the problem I have.
Keep in mind that we use IIS 7 and 7.5.
As far as I know IISADMPWD is not supported on IIS 7 and higher. So how to deal with this issue?
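A pre-activation check for the situation discussed in this thread, added here as an example and not posted by any participant: it classifies accounts by what a PSO's maximum password age would do to them the moment it is linked, so the ones that would expire immediately can be handled first. The function name `Get-PsoExpiryImpact`, the sample accounts and the 90-day maximum age are assumptions; only the 14-day notification window comes from the thread.

```powershell
# Added example, not from the thread. Get-PsoExpiryImpact, the sample
# accounts and the 90-day max age are hypothetical/constructed.
function Get-PsoExpiryImpact {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Users,          # need SamAccountName, PasswordLastSet, PasswordNeverExpires
        [Parameter(Mandatory = $true)] [TimeSpan] $MaxPasswordAge, # max age the PSO will enforce
        [int] $WarnDays = 14,                                      # notification window from the thread
        [DateTime] $Now = (Get-Date)
    )
    foreach ($u in $Users) {
        $expires = $null
        if ($u.PasswordNeverExpires) {
            $state = 'Exempt'                    # account flag overrides the max age
        } elseif (-not $u.PasswordLastSet) {
            $state = 'MustChangeAtNextLogon'     # pwdLastSet is 0
        } else {
            $expires = $u.PasswordLastSet + $MaxPasswordAge
            if ($expires -le $Now) {
                $state = 'ExpiredOnActivation'   # the case the thread reports failing at the web portals
            } elseif ($expires -le $Now.AddDays($WarnDays)) {
                $state = 'InWarningWindow'       # balloon at next interactive logon
            } else {
                $state = 'OK'
            }
        }
        New-Object PSObject -Property @{
            SamAccountName = $u.SamAccountName
            State          = $state
            Expires        = $expires
        }
    }
}

# Constructed sample records so the block runs without a domain controller.
# Against a live domain, the same properties come from
#   Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires
# and the max age from (Get-ADFineGrainedPasswordPolicy -Identity '<PSO name>').MaxPasswordAge
$now = Get-Date
$sample = @(
    New-Object PSObject -Property @{ SamAccountName = 'alice';   PasswordLastSet = $now.AddDays(-200); PasswordNeverExpires = $false }
    New-Object PSObject -Property @{ SamAccountName = 'bob';     PasswordLastSet = $now.AddDays(-80);  PasswordNeverExpires = $false }
    New-Object PSObject -Property @{ SamAccountName = 'carol';   PasswordLastSet = $now.AddDays(-5);   PasswordNeverExpires = $false }
    New-Object PSObject -Property @{ SamAccountName = 'svc-web'; PasswordLastSet = $now.AddDays(-900); PasswordNeverExpires = $true }
    New-Object PSObject -Property @{ SamAccountName = 'dave';    PasswordLastSet = $null;              PasswordNeverExpires = $false }
)

Get-PsoExpiryImpact -Users $sample -MaxPasswordAge (New-TimeSpan -Days 90) -Now $now |
    Sort-Object State | Format-Table SamAccountName, State, Expires -AutoSize
```

Accounts reported as `ExpiredOnActivation` or `MustChangeAtNextLogon` are the ones to have change their password before the PSO is linked, since an already logged-on user gets no balloon until the next logon.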