Password Expired, But still able to login

  • Question

  • Hello All,

    We are facing an issue, particularly with remote users who are always in the field and travelling outside the office for months.

    As per our password policy, every user's password is about to expire in 90 days, but for these users, even though their passwords are expired, their LastLogon and LastLoginStamp keep on updating to recent dates.

    These remote users use CiscoAnyConnect for VPN connections. We are investigating how these users' accounts are still active while not having successfully reset their passwords for so long. Below are some examples of users whose last login is recent:

    Last Logon         Last Logon Timestamp    Last Password Change
    6/6/2016 5:37      6/6/2016 5:36           3/2/2016 0:03
    6/7/2016 4:38      6/7/2016 4:32           2/29/2016 22:43
    5/9/2016 2:09      4/27/2016 2:43          1/18/2016 2:23
    6/16/2016 23:42    6/16/2016 23:41         12/23/2015 22:57


    Thanks HA

    Friday, June 17, 2016 3:59 PM

Answers

  • Hi,
    Generally, Windows caches the account password on the machine, so if they are not actively connected to the domain, the old password will work. When they connect into the domain, the authentication will not be valid and they'll have some pretty odd problems.
    Have you checked whether these special users could work everything well without any problems?
    For me, in this case, I would run a script on a daily basis and it will create a report of all users and the password expiration statistics, then it will email those users that fall below the threshold that you set. When the users get the email, they could change the password before the expiry date. Here is a proposed script regarding this scenario; you could take a look and see if it helps:
    Email Users that their Password is expiring
    https://community.spiceworks.com/scripts/show/125-email-users-that-their-password-is-expiring
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Regards,
    Wendy

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by cguan Thursday, June 23, 2016 6:48 AM
    • Marked as answer by Wendy Jiang Tuesday, June 28, 2016 9:04 AM
    Thursday, June 23, 2016 5:44 AM
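
An added example (not part of the thread and not the linked Spiceworks script): a PowerShell report that checks the possibilities raised in the replies for each enabled account, namely the "password never expires" flag, an applied FGPP, the effective expiry date, and whether the account still shows a recent logon. The 14-day window and the output path are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example: list enabled users whose effective password expiry has passed
# but who still show a recent logon, plus the flags that would explain it.

$RecentDays = 14                          # assumed window for a "recent" logon
$ReportPath = '.\expired-but-active.csv'  # hypothetical output path
$Never      = [Int64]::MaxValue           # value AD returns when the password never expires
$now        = Get-Date

$props = 'PasswordLastSet', 'PasswordNeverExpires', 'LastLogonDate',
         'msDS-UserPasswordExpiryTimeComputed', 'msDS-ResultantPSO'

$report = Get-ADUser -Filter 'Enabled -eq $true' -Properties $props | ForEach-Object {
    $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
    # 0 or empty: no computed expiry (e.g. must change at next logon); MaxValue: never expires
    $expires = if ($raw -and $raw -ne $Never) { [datetime]::FromFileTime($raw) } else { $null }

    # LastLogonDate comes from lastLogonTimestamp, which is replicated but can lag
    # by up to about 14 days; lastLogon is exact but stored per domain controller.
    $recent = ($null -ne $_.LastLogonDate) -and ($_.LastLogonDate -gt $now.AddDays(-$RecentDays))

    [pscustomobject]@{
        SamAccountName       = $_.SamAccountName
        PasswordLastSet      = $_.PasswordLastSet
        PasswordExpires      = $expires
        PasswordNeverExpires = $_.PasswordNeverExpires
        ResultantPSO         = $_.'msDS-ResultantPSO'   # non-empty means an FGPP applies
        LastLogonDate        = $_.LastLogonDate
        ExpiredButActive     = ($null -ne $expires) -and ($expires -lt $now) -and $recent
    }
}

# Accounts past their expiry date that are still logging on
$report | Where-Object ExpiredButActive |
    Sort-Object PasswordExpires |
    Export-Csv -Path $ReportPath -NoTypeInformation

# Accounts exempt from the 90-day policy, or governed by a different one
$report | Where-Object { $_.PasswordNeverExpires -or $_.ResultantPSO } |
    Format-Table SamAccountName, PasswordNeverExpires, ResultantPSO, LastLogonDate
```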

All replies

  • Ok, so 90 days have passed but the clients are still logging on are the facts. That leads me to think that the passwords are not really expiring.

    Have you tried logging on as one of the accounts to see if you can log on ok? Perhaps you set a policy to expire passwords after 90 days but it is not being applied correctly? Can you change one of the users' passwords to see if they can still log on?

    What you have posted is a theory that they should and a confirmation that they are not. Basically, how are you confirming that the passwords really have expired?

    Friday, June 17, 2016 4:51 PM
  • Hi

     Check from ADUC, maybe these users' accounts are set to "password never expires"... Or there is an FGPP already configured for these users.

    FGPP: https://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    Friday, June 17, 2016 5:13 PM
  • When they are in the office connected over the LAN, they get a pop-up that the password is expired. But the issue is only for remote users connected via CiscoAnyConnect.

    Office users and Remote users are in same OU, the policy is working fine.

    I haven't got a chance to get the password for remote user to test it.


    Thanks HA

    Friday, June 17, 2016 5:29 PM
  • FGPP is not applied in our environment.


    Thanks HA

    Friday, June 17, 2016 5:29 PM