Password Change not Enforcing at Logon


  • We've had a case where a user who was away for a month was able to log in, and then got a message saying that his password needed to be changed, and all his network drives were disconnected.

    He should not have been able to log on without changing his password according to our password Group Policy. What may have caused this?

    Friday, July 22, 2016 2:19 PM


  • The default behavior is for AD domain clients to log on to their AD domain-joined machines using cached credentials in case a DC is not available during logon. This would explain the behavior you noticed: the client could log in to the desktop, but the network drives were disconnected. Password Group Policy doesn't control whether or not a client can log in to the domain; that's stored under a different part of the Default Domain Policy (Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Security Options / Interactive logon: Number of previous logons to cache (in case domain controller is not available)). If the account was flagged to change password at next logon, then a Group Policy refresh at the client computer would have sent across that account flag, and the message would have appeared on the client computer at the next logon regardless of whether a DC was available or not; since the DC wasn't available, the cached credential password was honored.

    Best Regards, Todd Heron | Active Directory Consultant

    Friday, July 22, 2016 4:52 PM
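    An added example (not posted by either participant) that checks the two things the answer points at: the workstation's cached-logon count, which is the registry value behind the "Number of previous logons to cache" setting, and the AD account's must-change / expiry state. It assumes the RSAT ActiveDirectory module, PowerShell Remoting to the workstation, and placeholder names `jdoe` and `WS-01`.

```powershell
# Added example for this thread; 'jdoe' and 'WS-01' are placeholders.
param(
    [string]$SamAccountName = 'jdoe',   # placeholder user who logged on while away
    [string]$ComputerName   = 'WS-01'   # placeholder workstation he logged on to
)

Import-Module ActiveDirectory

# 1. How many domain logons does the workstation cache for use when no DC answers?
#    Registry backing of the GPO setting under Security Options; the Windows default is 10,
#    and 0 disables cached logons entirely (so an unreachable DC means no domain logon).
$cached = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').CachedLogonsCount
}
"CachedLogonsCount on ${ComputerName}: $cached"

# 2. Account state in AD: 'must change at next logon' is pwdLastSet == 0, and the
#    effective expiry is the computed attribute (never-expires shows as Int64.MaxValue).
$u = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, PasswordLastSet, PasswordExpired,
        'msDS-UserPasswordExpiryTimeComputed'

$mustChange = ($u.pwdLastSet -eq 0)
$rawExpiry  = $u.'msDS-UserPasswordExpiryTimeComputed'
$expiresOn  = if ($rawExpiry -and $rawExpiry -ne [long]::MaxValue) {
                  [datetime]::FromFileTime($rawExpiry)
              } else { 'never' }

[pscustomobject]@{
    User                  = $u.SamAccountName
    MustChangeAtNextLogon = $mustChange
    PasswordLastSet       = $u.PasswordLastSet
    PasswordExpired       = $u.PasswordExpired
    PasswordExpiresOn     = $expiresOn
}

# 3. Reading the result: if the flag is set in AD but the user still reached the desktop,
#    the logon was served from the cache. Lowering CachedLogonsCount (or setting it to 0
#    on machines that are always on the corporate network) shrinks that window.
if ($mustChange -and [int]$cached -gt 0) {
    "Account is flagged in AD; with $cached cached logons, an offline logon would still succeed."
}
```

    Run it from a workstation or jump host that can reach a DC; the third section only explains the combination that produced the symptom in the question.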