msice
asked on
Stuck in loop change password every three days
I am experiencing a strange issue with some users getting stuck in a loop with needing to change their password every three days - everytime they logon and even after they change it!. This is a random problem that seems to happen to one or two users every few months. Here is the password policy. The problem seems to go away (on its own) for some users but not others. Anyone see an issue below or have any idea what might cause this.
Policy Computer Setting
Enforce password history 4 passwords remembered
Maximum password age 90 days
Minimum password age 1 days
Minimum password length 5 characters
Passwords must meet complexity requirements Disabled
Store password using reversible encryption for all users in the domain Disabled
Policy Computer Setting
Enforce password history 4 passwords remembered
Maximum password age 90 days
Minimum password age 1 days
Minimum password length 5 characters
Passwords must meet complexity requirements Disabled
Store password using reversible encryption for all users in the domain Disabled
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Ok so try secedit /refreshpolicy user_policy /enforce
What do you think is causing this.
What do you think is causing this.
Check the workstations are actually participating in the domain correctly.
Presume you have checked the Event Viewer/Audit Logs ?
Presume you have checked the Event Viewer/Audit Logs ?
It could be that the policy just needed to be forced down.
ASKER
BigP
Yes Events seem to be fine now, but there are a few errors from a while back that are interesting.
3/1/2004> Windows cannot unload your registry file. If you have a roaming profile, your settings are not replicated. Contact your administrator.
DETAIL - Access is denied. , Build number ((2195)).
-------------------------- ---------- ---------- ---------- ---------
This one probably due to a server reboot.
2 Months ago> No Windows NT or Windows 2000 Domain Controller is available for domain DURECT.COM. The following error occurred:
There are currently no logon servers available to service the logon request.
diggisaur -
Interesting as the only commonality at all I can find between the affected users is that it might be the first 90 day initiated forced password change that the loop happens on - sense the computer was setup and added to the domain (but some work fine without the issue). Why would we need to force the policy just for the password policy to work correctly when all other policies are working fine for the recently configured computers? Is there a recommended way to make SURE the policy is updated/refreshed every time a user logs on (I thought it did by default).
Yes Events seem to be fine now, but there are a few errors from a while back that are interesting.
3/1/2004> Windows cannot unload your registry file. If you have a roaming profile, your settings are not replicated. Contact your administrator.
DETAIL - Access is denied. , Build number ((2195)).
--------------------------
This one probably due to a server reboot.
2 Months ago> No Windows NT or Windows 2000 Domain Controller is available for domain DURECT.COM. The following error occurred:
There are currently no logon servers available to service the logon request.
diggisaur -
Interesting as the only commonality at all I can find between the affected users is that it might be the first 90 day initiated forced password change that the loop happens on - sense the computer was setup and added to the domain (but some work fine without the issue). Why would we need to force the policy just for the password policy to work correctly when all other policies are working fine for the recently configured computers? Is there a recommended way to make SURE the policy is updated/refreshed every time a user logs on (I thought it did by default).
ASKER
That fixed the issue but, still don’t know why this is happening any thoughts?
secedit /enforce will be better.