  • Status: Solved
  • Priority: Medium
  • Security: Public

XP Domain password change notification not appearing

Here's the situation. We have an NT4-based domain with a wide mix of machines on it--mostly Windows 2000, with a few Win98. We've recently bought a batch of machines with Windows XP Professional installed. These machines seem to have great difficulty in acknowledging that a user's domain password has changed or expired--they'll quite happily let the user log on, but the user is obviously unable to access domain resources because their password is no longer valid.

Does anyone know why Windows XP does this? Is it locally caching the logon information, or something?
0
Asked by: pjknibbs
1 Solution
 
slink9Commented:
Here is an article on synchronizing passwords, but it doesn't list XP - http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q230598
Are you getting any error messages which may help on solving this?
0
 
pjknibbsAuthor Commented:
Getting no errors, and I can't see how password synchronisation would fix it because the machine shouldn't BE using a local password--it should always be going off to the domain controller for password verification. Windows 2000 works this way, so why not XP Professional?
0
 
slink9Commented:
... and that would be why 2k and XP are not listed in the article.
0
 
mikecrCommented:
What happens if you go in and change the password manually in XP? Does it allow them to log in then? These are domain accounts that they are logging in with, correct?
0
 
pjknibbsAuthor Commented:
Yes, they are domain accounts. What seems to happen is this: if they log on with an expired password, XP will let them log on but they can't access network resources. Restarting makes no difference whatsoever. However, if somebody ELSE (who still has a valid domain logon) logs on to the machine, then the original person tries to log on, they'll get the "your password has expired and must be changed" message as you'd expect.

On a possibly related issue, password expiry messages don't appear on XP either--I logged on to this XP machine this morning and got no warning, whereas I definitely got a 13-day expiry notice in a 2K machine I logged on to yesterday. (I have NOT changed my password between these two logins!).
0
 
mikecrCommented:
Do you have anything in your domain policy to allow users to be able to log in more than once before the password change expires? If you manage the computer, do you have any accounts set with password never expires?
0
 
pjknibbsAuthor Commented:
mikecr: If it was the domain policy, why would it not affect Windows 2000 and 98 machines? There ARE accounts set with password never expires, but these aren't the ones which are suffering the problems--I think I would have noticed something as obvious as that.

As for the "log on more than once before password change expires", I'm afraid I don't understand what you mean.
0
 
pjknibbsAuthor Commented:
I'm looking for answers, so increasing points to 300.
0
 
mikecrCommented:
Never mind, I was thinking of cached logons. As a test, manually set someone's account to be prompted to change password at next logon and see if it does prompt them. I would like to see if it's truly a policy issue or an XP issue.
0
 
pjknibbsAuthor Commented:
Setting "User must change password on next logon" and rebooting makes no difference whatsoever--XP still allows the user to log on, but they are unable to access network resources. They can hit CTRL+ALT+DEL and change password from there, which allows access again--but there's still nothing indicating their password has expired.
0
 
mikecrCommented:
I thought you might find this interesting. It probably has something to do with your problem.

http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q308178
0
 
pjknibbsAuthor Commented:
It probably doesn't, for at least three separate reasons:

1) It refers to Windows 95, 98, and ME only, not XP.
2) It requires a Windows 2000 or .NET domain controller--it specifically states the problem does not occur using an NT domain controller, which is what we have.
3) As far as I can tell the article implies that a reboot will fix the problem, and as I've already said rebooting the machine makes sod all difference in this case.
0
 
GUEENCommented:
It appears that w/ XP the person will get a 1-time 'password will expire notification' 14 days prior to the actual expiration date.
I believe that Microsoft is aware of this and blaming it on NT -


Newsgroups: microsoft.public.windowsxp.security_admin
Date: 2002-02-26 09:36:10 PST
 
This is the email we received from MS:

Thank you for requesting support for Microsoft Windows XP. My name is Roger Peters and I will be working with you to resolve this issue.

In your case you have indicated that you are having an issue with network passwords under Windows XP on your NT Domain Servers.

I have heard of this problem before but to date there has been no resolution that I can find documented. It appears as not to affect all Windows XP PC's.

It may well be that this is a server side issue.

Other than a clean build of Windows XP I can only suggest contacting the NT Server team by calling 0870 6010100.

Other than that it is being looked into but I cannot tell you how long it will be before there is a resolution.

Hopefully this information will clarify the situation.

We appreciate that sometimes the advice we give, by necessity may be quite complex, so if you feel that you need any assistance in working through the troubleshooting steps given, do not hesitate to call our Telephone Support Centre on 0870 60 10 100 (Customers phoning from Ireland should dial 706 353 for technical support.), where a technician will be pleased to help you.

In the event we do not hear from you within 5 business days, this case will be archived as resolved. However, you may reopen this case at any time by creating a supplement and we will respond as soon as possible.

If you submitted your incident via Windows XP Online Assisted Support it would be appreciated if you can advise us if the suggestions above solved your problem.

We trust this will leave you very satisfied with our service and if not, please let us know.






0
 
pjknibbsAuthor Commented:
If I don't hear anything within the next few days I'll accept Shekerra's answer, since it at least suggests the problem is known by Microsoft and may be fixed at some future date.
0
 
pjknibbsAuthor Commented:
No more comments appearing, so Shekerra gets it...
0
 
LeighdCommented:
We have the same set up (NT4.0 domain with a mix of XP, 2000 and Win98 PCs) and the XP machines have exactly the same problem as defined by "pjknibbs."

I've discovered that the XP machines are losing their internal trust relationship with the domain controller. To prove this, the next time this happens, go to Server Manager on the NT domain controller and double-click the machine name at fault. A dialog box pops up stating the "Trust relationship is no longer valid" or words to that effect.

The solution I found so far is to:

1. On the domain controller, remove the offending machine name from the domain using Server Manager

2. Log in locally as Administrator on the offending machine and remove it from the domain and revert it to be in a workgroup.  You'll have to reboot for this to happen.

3. After the reboot, log in again as Administrator and rejoin the domain.

Once the PC has rebooted you will then be prompted to change the password as normal.
0
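A workstation-side way to confirm the broken trust relationship described in Leighd's comment, as an added example that is not part of the original thread: it runs `nltest /sc_query` and parses the secure-channel status. It assumes nltest.exe is available on the machine; the function names, the `EXAMPLEDOM` domain and the sample output are constructed for illustration.

```powershell
# Added example (not from the thread): check the machine account's secure channel.
function ConvertFrom-NltestScQuery {
    param([string[]]$Lines)
    $dc = $null
    $statuses = @()
    foreach ($line in $Lines) {
        # "Trusted DC Name \\SERVER" names the DC the workstation is bound to.
        if ($line -match '^\s*Trusted DC Name\s+(\S+)') { $dc = $Matches[1] }
        # Status lines look like "... Status = 5 0x5 ERROR_ACCESS_DENIED".
        if ($line -match 'Status\s*=\s*(\d+)\s+0x[0-9a-f]+\s+(\S+)') {
            $statuses += New-Object PSObject -Property @{
                Code = [int]$Matches[1]; Name = $Matches[2]
            }
        }
    }
    $failed = @($statuses | Where-Object { $_.Code -ne 0 })
    New-Object PSObject -Property @{
        TrustedDC = $dc
        # Healthy only if a status was reported and every status is 0.
        Healthy   = (($statuses.Count -gt 0) -and ($failed.Count -eq 0))
        Failures  = @($failed | ForEach-Object { "$($_.Code) $($_.Name)" })
    }
}

function Test-MachineTrust {
    param([string]$Domain)   # NetBIOS domain name, e.g. the placeholder EXAMPLEDOM
    # Capture stdout and stderr as plain strings, blank lines included.
    $out = & nltest.exe "/sc_query:$Domain" 2>&1 | ForEach-Object { "$_" }
    ConvertFrom-NltestScQuery -Lines $out
}

# Constructed sample output for a workstation whose trust is broken.
$sample = @(
    'Flags: 0',
    'Trusted DC Name \\EXAMPLEPDC',
    'Trusted DC Connection Status Status = 5 0x5 ERROR_ACCESS_DENIED',
    'The command completed successfully'
)
$r = ConvertFrom-NltestScQuery -Lines $sample
if (-not $r.Healthy) {
    # Matches the condition in the comment above: remove and rejoin the machine.
    Write-Output "Secure channel to $($r.TrustedDC) is broken: $($r.Failures -join ', ')"
}

# On a live domain member: Test-MachineTrust -Domain 'EXAMPLEDOM'
```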
