User cannot logon with "Must change password at next logon" checked in AD Account screen

  • Question

  • Hi Folks,

    I'm a newbie to AD, having to figure out how it works, and I need some help. We have a domain controller set up on a Windows 2012 server for our Project Server 2013 environment. This was set up previously and I now need to support it, but I don't know much about AD. I added a new user in Active Directory Users and Groups, set all the basic information needed, checked "Must change password at next logon" on the "Account" tab, hit apply, and hit OK.

    When the new user tries to log on, the Windows Security dialog appears, domain\username is entered, and the password is entered. When the user hits enter, the security box just keeps coming back; no logon occurs. I triple-checked and the user is entering the correct domain\username and password.

    Going back to AD, I uncheck "Must change password at next logon," apply, and the user can log on with no problem using the password provided. I went back and checked it again and the user cannot log on.

    I would like to use this must-change-password feature, as otherwise I'm going to have to assign and maintain passwords for everyone (time-consuming and not very secure). I'm thinking some setting is not correct, but have no idea where to look. Is there some setting or property somewhere that needs to be set to make the change-password-at-next-logon functionality work? If so, can someone be kind enough to point me to where I make the setting?

    Any help would be much appreciated as this is a totally new world for me.

    Thanks,


    Rick Frisby

    Thursday, January 14, 2016 3:38 PM

Answers

  • Hi 

    Please check whether Network Level Authentication is enabled on the server the user is trying to access. If it is enabled, the user will not be able to log in when "User must change password at next logon" is checked.

    Also check which RDP version the user is using to do the RDP. If it is not NLA compatible, this will trigger the issue you mentioned above.

    Regards



    • Edited by Afsar Shariff Thursday, January 14, 2016 8:08 PM
    • Marked as answer by Rick VF Monday, February 1, 2016 6:32 PM
    Thursday, January 14, 2016 8:07 PM
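An added example (not from this thread or from Microsoft) of how an administrator can verify the conditions the answer points at: whether the RDP host requires NLA, whether the account is actually flagged to change its password, what the domain password policy says, and what the domain controller logged for the failed attempts. It assumes the RSAT ActiveDirectory module, that the registry check runs on the RDP host and the event query on a DC, and a constructed sample account name.

```powershell
# Added example, not code from the thread. Run the registry check on the RDP
# host and the event query on a domain controller (needs RSAT ActiveDirectory).
param(
    [string]$User = 'jdoe'   # constructed sample account, replace with the real one
)

# 1. Does this RDP host require Network Level Authentication?
#    UserAuthentication = 1 means NLA is required, 0 means it is not.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
"NLA required on $env:COMPUTERNAME : $($nla -eq 1)"

# 2. Is the account flagged "must change password at next logon"?
#    AD stores that flag as pwdLastSet = 0.
Import-Module ActiveDirectory
$acct = Get-ADUser -Identity $User -Properties pwdLastSet, PasswordExpired, LockedOut
"pwdLastSet=$($acct.pwdLastSet) (0 = must change) " +
"PasswordExpired=$($acct.PasswordExpired) LockedOut=$($acct.LockedOut)"

# 3. Domain password policy. Minimum password age does not apply to a password
#    an administrator just set, but it is the other thing the thread suggests checking.
$pol = Get-ADDefaultDomainPasswordPolicy
"MinPasswordAge=$($pol.MinPasswordAge) MaxPasswordAge=$($pol.MaxPasswordAge)"

# 4. What the DC recorded for this user in the last hour.
#    4776 (NTLM) with error 0xC0000224, 4771 (Kerberos) with failure code 0x17,
#    or 4625 with status/sub-status 0xC0000224 all mean "password must change".
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4771, 4776; StartTime = $since } |
    Where-Object { $_.Message -match [regex]::Escape($User) } |
    Select-Object TimeCreated, Id, @{
        n = 'Codes'
        e = { ([regex]::Matches($_.Message, '0x[0-9A-Fa-f]{2,8}') | ForEach-Object Value |
               Select-Object -Unique) -join ',' }
    } |
    Format-Table -AutoSize
```

If step 1 reports NLA as required and step 2 shows pwdLastSet=0, the symptom in the question is expected: NLA authenticates before a desktop session exists, so there is no place to present the change-password prompt.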

All replies

  • Hi

    Sounds like your password policy has entries defined for password age. (I think 2012 dictates that users must wait 1 day to change their password by default.) You should take a look at your Group Policy password settings.

    http://technet.microsoft.com/en-us/library/hh994572(v=ws.10).aspx


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Thursday, January 14, 2016 4:05 PM
  • What are the users trying to log on to? (Project 2013.) You may check if the application they are logging into can recognize that a user must change his/her password. Do they log on to a domain workstation first?

    One thing you can do to check is to check the 'change at next logon' box and perform an interactive logon to a Windows OS; I would assume it will pop up a box to change the password. If the interactive logon works and the other 'logon' does not, then you will need a way around this, as the application cannot handle change-password events (expirations or change at next logon).


    Thursday, January 14, 2016 7:19 PM
  • I would add that when an administrator sets a password, the minimum password age setting does not apply. The user should always be able to change the password after using the administrator supplied password.

    Richard Mueller - MVP Enterprise Mobility (Directory Services)

    Thursday, January 14, 2016 7:57 PM
  • It took a bit to figure out how to get to this, but I think I found the setting you are looking for using the Group Policy Management Console (again, this is all totally new to me) under Group Policy Management > Forest: domainname.local > Group Policy Objects > Default Domain Policy. Are you referring to Minimum Password Age? If so, what should that be set to, 0 or a negative number?


    Rick Frisby

    Thursday, January 14, 2016 8:23 PM
  • Users are trying to log on to Project Server 2013. They can do that just fine as long as "Must change password at next logon" is not checked. They log on by going to a URL (https) or VPN. Not sure what you mean by "perform an interactive logon to a Windows OS" as I am brand new to this. I would think Project Server would handle password changes as SharePoint is its foundation, but you never know. How do I do the interactive logon you suggest?

    Rick Frisby

    Thursday, January 14, 2016 8:28 PM
  • Hmmmm.... Then no use to change the password age?

    Rick Frisby

    Thursday, January 14, 2016 8:29 PM
  • Also make sure that you have Project 2013 AD synchronization properly configured.

    https://technet.microsoft.com/en-us/library/gg982985.aspx

    Is the user logging on to a workstation that is on the domain?

    Is the user putting in the right temporary password?

    What do the domain controller security logs tell you about the user account? The authentication attempts are recorded there.

    Thursday, January 14, 2016 8:35 PM
  • Let me look into this on the app server and see if I can determine what is set.

    Rick Frisby

    Thursday, January 14, 2016 8:37 PM
  • Not seeing Remote Desktop Services under Administrative Tools on the App Server. Don't know if I have access to that. Is there somewhere else I can check?

    Rick Frisby

    Thursday, January 14, 2016 8:49 PM
  • The user is putting in the correct domain\username and password. I verified this by unchecking "Must change password..." and the user can log right on with no problem.

    2013 AD sync is configured. I ran it and the user info is over in Project Server 2013. Again, the user can log on to Project Server 2013 as long as "Must change password..." is not checked, so I don't think the issue is with the password or Project Server.

    I'll need to figure out how to get to the AD logs and check them.


    Rick Frisby

    Thursday, January 14, 2016 8:55 PM
  • An interactive logon (in general) is logging into a workstation with a Windows OS. So, does the user log on to a domain-joined Windows workstation with the same credentials as Project 2013? If they do, I would suspect you will see a screen related to 'you must change your password', and it is working as expected. That would be a way for the user to change the password.

    If they ONLY log into Project 2013 (I have no experience with Project 2013), then the logon API may not have the capability to inform you that the password needs to be changed; therefore it just keeps popping up the logon box (acting similar to an expired password).

    Also, if this scenario is true, this may happen when the password expires as well.

    Workarounds: in Project 2013, is there a link to 'Change your password'? You could just have the users change it once they get in (there may be a security policy against this).

    Friday, January 15, 2016 1:38 PM
  • Hi Rick,

    I agree with Vaadadmin; I suggest you configure a security policy against this behavior.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, January 19, 2016 8:46 AM
    Moderator
  • Hi folks,

    Sorry for the delay in responding to this, as I was in training for a week and then snowed in. Digging deeper with the network folks, I found out that they do have Network Level Authentication enabled and have no plans to change that, as they say it is more secure. Not being the expert in that area, I can't argue the point with them, so it looks like users will not be able to change their password on next logon.

    To answer some of the other questions, yes, this setup is on its own domain and most users are logging into the domain from another domain. We are creating accounts for them in this domain so they can log in. The only tool here is the Project Server tool.

    Not sure what other options there are given the restriction. I guess this will have to be manually administered (ugh) until I can find a solution that would work with this type of setup. Any suggestions would be appreciated if others have run into this restriction.

    Thanks again for pointing me to all the right places to look.


    Rick Frisby

    Monday, February 1, 2016 6:31 PM
  • Project Server uses Active Directory to authenticate, but there is no password change dialog presented anywhere in Project Server. A password change would normally be done via the Windows Security dialog at logon before accessing Project Server.

    Rick Frisby

    Monday, February 1, 2016 6:38 PM
  • This is true; however, you can leave the "User must change password at next logon" box unchecked, and when the user logs in with their RDP session they can change their password by pressing Ctrl+Alt+End and selecting the 'Change a password' option.

    I just wanted to add this because I was looking for a solution to the same problem and I didn't want to turn off the network level authentication.


    J.Unger

    Tuesday, September 17, 2019 7:48 PM