Password Expire policy

  • Question

  • Dear All,

    OS = Window Server 2008 Standard R2

    Client = Window XP & Window 7

    By default Maximum password age is 42 days.

    How will this policy behave if the laptop user is not connected to the company for more than 42 days?

    I think that after 42 days, whether the user is connected to the company LAN or not, it will prompt for a password change. Suppose the user changes the password to "abc@123"; after that the user will be able to use his laptop.

    Now assume the same user has not brought the laptop to the company and is logging on with another PC in the company (which is in the domain). It will once again prompt to change the password; now the user has changed it to "xyz@123".

    Now, after that, what will happen if he brings his laptop into the domain network? With which password can the user log in to the domain network?

    abc@123 or xyz@123

    Please let me know,


    Thanks & Regards,
    Param
    MCSE, CCNA
    For Live Voice Discussion on any IT related issue, please visit my blog at
    www.paramgupta.blogspot.com

    Tuesday, March 20, 2012 1:11 PM

Answers

  •  
    > You mean that the 45-day password never expires if the user is out of the
    > domain network?
     
    Yes. PW age is stored in the domain, and if offline, the client cannot
    check pwdlastset for expiry. If it were a local account, it WOULD expire.
     
    > hmm...that means some GPO is not applied when u are outside of the
    > domain network.
    >
     
    Of course not - how should they? But once the settings are applied, they
    usually stay (-:
     
    sincerely, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
    • Marked as answer by Param022012 Thursday, March 22, 2012 6:53 AM
    Wednesday, March 21, 2012 8:06 PM
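    The point Martin makes (the age is judged against pwdLastSet in the domain, while the laptop keeps accepting the cached password offline) can be checked from an admin workstation. The following PowerShell is an added example, not code from anyone in this thread; it assumes the RSAT ActiveDirectory module on a domain-joined machine, and the user name 'param' is a placeholder.

```powershell
# Added example: compute when a domain user's password expires from
# pwdLastSet + the domain MaxPasswordAge (42 days by default), and show the
# client-side setting that governs offline (cached) logons in the meantime.
# Assumes the RSAT ActiveDirectory module; 'param' below is a placeholder user.
Import-Module ActiveDirectory

function Get-PasswordExpiryInfo {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user   = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, PasswordNeverExpires
    $policy = Get-ADDefaultDomainPasswordPolicy   # MaxPasswordAge is a TimeSpan

    # pwdLastSet = 0 means "user must change password at next logon".
    $mustChange = ($user.pwdLastSet -eq 0)
    $lastSet = if ($mustChange) { $null } else { [DateTime]::FromFileTimeUtc($user.pwdLastSet) }

    # Assumption: a policy of "never expires" shows up as a zero or maximal TimeSpan.
    $neverByPolicy = ($policy.MaxPasswordAge -eq [TimeSpan]::Zero) -or
                     ($policy.MaxPasswordAge -eq [TimeSpan]::MaxValue)

    $expires = if ($lastSet -and -not $neverByPolicy) { $lastSet + $policy.MaxPasswordAge } else { $null }
    $expired = $mustChange -or ($expires -and $expires -lt [DateTime]::UtcNow)

    [pscustomobject]@{
        User                 = $user.SamAccountName
        PasswordLastSetUtc   = $lastSet
        MaxPasswordAgeDays   = $policy.MaxPasswordAge.TotalDays
        ExpiresUtc           = $expires
        ExpiredInDomain      = $expired -and -not $user.PasswordNeverExpires
    }
}

# The laptop keeps honouring the last password it cached, so the only local limit
# is the number of distinct cached accounts, not a time limit (default 10; 0 disables
# cached logons entirely, which forces a DC to be reachable for every domain logon).
function Get-CachedLogonsCount {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    [int](Get-ItemProperty -Path $key -Name CachedLogonsCount).CachedLogonsCount
}

Get-PasswordExpiryInfo -SamAccountName 'param' | Format-List
"CachedLogonsCount on this machine = $(Get-CachedLogonsCount)"
```

    An ExpiredInDomain value of True next to a laptop that still logs on fine is exactly the situation discussed above: the domain considers the password expired, but nothing on the offline client enforces it until the next domain logon or screen unlock.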

All replies

  • Hello,

    When not connected to the domain you will log on with cached credentials on the local machine until the next time you log on to the domain. Then it will be realized that it is over the time and the user is requested to change the password. So there is no problem if you are not at the office on the specific date.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Tuesday, March 20, 2012 1:23 PM
  • Hi Mr. Meinolf Weber,

    First of all, thank you for your reply.

    What will be the life of the cached credential if the laptop user never comes to the domain network?

    Also, my question was:

    After 42 days, if the user is not connected to the domain network, it will still prompt for a password change and the user changes the password to "abc@123".

    Now assume the same user has not brought the laptop to the company and is logging on with another PC in the company (which is in the domain). It will once again prompt to change the password; now the user has changed it to "xyz@123".

    On the next day, he brings his laptop into the domain network.

    Now my question is: with which password can the user log in to the domain network (abc@123 or xyz@123)?

    Please let me know


    Thanks & Regards,
    Param
    MCSE, CCNA
    For Live Voice Discussion on any IT related issue, please visit my blog at
    www.paramgupta.blogspot.com

    Tuesday, March 20, 2012 3:47 PM
  •  
    > What will be the life of the cached credential if the laptop user never
    > comes to the domain network?
     
    They live forever. PW expiration is checked in the Domain, not in the
    cached credentials.
     
    > On the next day, he brings his laptop into the domain network.
    >
    > Now my question is: with which password can the user log in to the
    > domain network (abc@123 or xyz@123)?
    >
     
    Unless the laptop is connected, the old password will work. Once
    connected and logging on (or unlocking the screen saver), the new
    password will work.
     
    sincerely, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
    Tuesday, March 20, 2012 4:44 PM
  • Hi Martin,

    Thank you so much for your comment.

    You mean that the 45-day password never expires if the user is out of the domain network?

    Hmm... that means some GPO is not applied when you are outside of the domain network.


    Thanks & Regards,
    Param
    MCSE, CCNA
    For Live Voice Discussion on any IT related issue, please visit my blog at
    www.paramgupta.blogspot.com


    • Edited by Param022012 Tuesday, March 20, 2012 5:52 PM
    Tuesday, March 20, 2012 5:51 PM
  • Hello,

    "What will be the life of the cached credential if the laptop user never comes to the domain network?"

    Forever.

    "After 42 days, if the user is not connected to the domain network, it will still prompt for a password change and the user changes the password to "abc@123"."

    No, as said above, cached credentials are used until you log on to the domain the next time. There is NO request on the user machine to change the password if it is not connected to the domain.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Tuesday, March 20, 2012 6:19 PM
  • Hi Meinolf,

    Thanks for your reply.

    If I enable Remote Access VPN on the laptop, then I think it will ask for a password change after 42 days.

    Am I right?


    Thanks & Regards,
    Param
    MCSE, CCNA
    For Live Voice Discussion on any IT related issue, please visit my blog at
    www.paramgupta.blogspot.com

    Wednesday, March 21, 2012 5:03 AM
  • Dear Friend,

    In the NTDS database the active password is xyz@123, not abc@123, so he has to use the xyz@123 password.

    When you log in from any client PC to the domain, the LSA in the client PC looks for the SAM in the domain. The SAM is the Accounts Manager in the domain and keeps the new password according to the policy. So the LSA will get the xyz@123 password from the SAM and the user will be logged in.

    If not, log in to the PC without the office network with abc@123, then connect to the network and then give the gpupdate command to sync the policy.

    Hope this will help you...


    Thanks, Ajay Singh, MCITP Exchange, IBM Tivoli, HP DPS

    • Proposed as answer by Ajay.Singh Wednesday, March 21, 2012 5:19 AM
    Wednesday, March 21, 2012 5:19 AM