Allow Client To Change Password After It Has Expired Option

  • Question

  • People who use devices not joined to our domain do not get the 14-day password expiration warnings specified in group policy that users of domain-joined PCs get, so their first indication that their password has expired is that their wireless access stops working.  Then, to change their password, they need to connect to a wired connection and change their expired password through OWA.  If they have a wireless-only tablet, they must get help desk assistance or go to a PC to change the expired password.

    What are the requirements and options available to allow users of non-domain devices to change their domain passwords on wireless after their password has already expired?

    Does the option "Allow Client To Change Password After It Has Expired" only work if the user is logged into a PC that is joined to our domain or can they change their expired password from a non-domain laptop on wireless or even a device that doesn't run Windows at all such as an iPad etc.?

    • Edited by MyGposts Friday, March 7, 2014 6:37 AM
    Friday, March 7, 2014 6:30 AM

All replies

  • Hi,

    Which kind of authentication protocol are you using, and which kind of account are you using for non-domain users’ authentication? Based on my research, with MS-CHAP, password change scenarios are supported only when NPS is able to communicate directly with a writable DC in your network for the password change transactions.

    Best regards,


    Tuesday, March 11, 2014 3:00 AM
  • The question refers to MS-CHAP with all users using their domain user account for authentication even if the device they are using is not joined to our domain.

    We do not have NPS at the moment, but we would like to determine the requirements to allow users to change their already-expired PEAP MS-CHAP passwords on wireless vs switching our wireless network to EAP-TLS so they no longer need to deal with the password change issue at all.

    Which is easier to implement?

    I would think that EAP-TLS might be better in the long term so that they don't have to change wireless credentials at all.

    Also, we would like to be able to have control over which non-domain devices are able to connect to our secured wireless.    With EAP-TLS, the device would require a certificate, but once the user has a certificate on one approved device, they could secretly copy it to multiple devices which would limit the value of the certificate if there is no way to make the certificate valid only on the first device that uses it.

    • Edited by MyGposts Tuesday, March 11, 2014 4:19 AM
    Tuesday, March 11, 2014 4:11 AM
  • Hi,

    Thanks for your reply.

    I prefer to use EAP-TLS. You can refer to the link below for more detailed information about certificates for EAP-TLS:

    Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS

    In addition, sorry to say that I have no idea about preventing the certificate from being copied; maybe you can ask in the forum below for professional assistance:


    Best regards,


    • Proposed as answer by Susie Long Wednesday, April 2, 2014 2:07 AM
    Tuesday, March 25, 2014 2:48 AM