Solved

XP Domain password change notification not appearing

Posted on 2002-03-19
Last Modified: 2008-02-01
Here's the situation. We have an NT4-based domain with a wide mix of machines on it--mostly Windows 2000, with a few Win98. We've recently bought a batch of machines with Windows XP Professional installed. These machines seem to have great difficulty in acknowledging that a user's domain password has changed or expired--they'll quite happily let the user log on, but the user is obviously unable to access domain resources because their password is no longer valid.

Does anyone know why Windows XP does this? Is it locally caching the logon information, or something?
Question by:pjknibbs
16 Comments
 
LVL 23

Expert Comment

by:slink9
Here is an article on synchronizing passwords, but it doesn't list XP - http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q230598
Are you getting any error messages which may help on solving this?
 
LVL 12

Author Comment

by:pjknibbs
Getting no errors, and I can't see how password synchronisation would fix it because the machine shouldn't BE using a local password--it should always be going off to the domain controller for password verification. Windows 2000 works this way, so why not XP Professional?
 
LVL 23

Expert Comment

by:slink9
... and that would be why 2k and XP are not listed in the article.
 
LVL 17

Expert Comment

by:mikecr
What happens if you go in and change the password manually in XP? Does it allow them to log in then? These are domain accounts that they are logging in with, correct?
 
LVL 12

Author Comment

by:pjknibbs
Yes, they are domain accounts. What seems to happen is this: if they log on with an expired password, XP will let them log on but they can't access network resources. Restarting makes no difference whatsoever. However, if somebody ELSE (who still has a valid domain logon) logs on to the machine, then the original person tries to log on, they'll get the "your password has expired and must be changed" message as you'd expect.

On a possibly related issue, password expiry messages don't appear on XP either--I logged on to this XP machine this morning and got no warning, whereas I definitely got a 13-day expiry notice in a 2K machine I logged on to yesterday. (I have NOT changed my password between these two logins!).
 
LVL 17

Expert Comment

by:mikecr
Do you have anything in your domain policy to allow users to be able to log in more than once before the password change expires? If you manage the computer, do you have any accounts set with password never expires?
 
LVL 12

Author Comment

by:pjknibbs
mikecr: If it was the domain policy, why would it not affect Windows 2000 and 98 machines? There ARE accounts set with password never expires, but these aren't the ones which are suffering the problems--I think I would have noticed something as obvious as that.

As for the "log on more than once before password change expires", I'm afraid I don't understand what you mean.
 
LVL 12

Author Comment

by:pjknibbs
I'm looking for answers, so increasing points to 300.
 
LVL 17

Expert Comment

by:mikecr
Never mind, I was thinking of cached logons. As a test, manually set someone's account to be prompted to change password at next logon and see if it does prompt them. I would like to see if it's truly a policy issue or an XP issue.
 
LVL 12

Author Comment

by:pjknibbs
Setting "User must change password on next logon" and rebooting makes no difference whatsoever--XP still allows the user to logon, but they are unable to access network resources. They can hit CTRL+ALT+DEL and change password from there, which allows access again--but there's still nothing indicating their password has expired.
 
LVL 17

Expert Comment

by:mikecr
I thought you might find this interesting. It probably has something to do with your problem.

http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q308178
 
LVL 12

Author Comment

by:pjknibbs
It probably doesn't, for at least three separate reasons:

1) It refers to Windows 95, 98, and ME only, not XP.
2) It requires a Windows 2000 or .NET domain controller--it specifically states the problem does not occur using an NT domain controller, which is what we have.
3) As far as I can tell the article implies that a reboot will fix the problem, and as I've already said rebooting the machine makes sod all difference in this case.
 
LVL 16

Accepted Solution

by:
GUEEN earned 300 total points
It appears that w/ XP the person will get a 1-time 'password will expire notification' 14 days prior to the actual expiration date.
I believe that Microsoft is aware of this and blaming it on NT -


Newsgroups: microsoft.public.windowsxp.security_admin
Date: 2002-02-26 09:36:10 PST
 
This is the email we received from MS:

Thank you for requesting support for Microsoft Windows XP. My name is Roger Peters and I will be working with you to resolve this issue.

In your case you have indicated that you are having an issue with network passwords under Windows XP on your NT Domain Servers.

I have heard of this problem before but to date there has been no resolution that I can find documented. It appears as not to affect all Windows XP PC's.

It may well be that this is a server side issue.

Other than a clean build of Windows XP I can only suggest contacting the NT Server team by calling 0870 6010100.

Other than that it is being looked into but I cannot tell you how long it will be before there is a resolution.

Hopefully this information will clarify the situation.

We appreciate that sometimes the advice we give, by necessity may be quite complex, so if you feel that you need any assistance in working through the troubleshooting steps given, do not hesitate to call our Telephone Support Centre on 0870 60 10 100 (Customers phoning from Ireland should dial 706 353 for technical support.), where a technician will be pleased to help you.

In the event we do not hear from you within 5 business days, this case will be archived as resolved. However, you may reopen this case at any time by creating a supplement and we will respond as soon as possible.

If you submitted your incident via Windows XP Online Assisted Support it would be appreciated if you can advise us if the suggestions above solved your problem.

We trust this will leave you very satisfied with our service and if not, please let us know.






 
LVL 12

Author Comment

by:pjknibbs
If I don't hear anything within the next few days I'll accept Shekerra's answer, since it at least suggests the problem is known by Microsoft and may be fixed at some future date.
 
LVL 12

Author Comment

by:pjknibbs
No more comments appearing, so Shekerra gets it...
 

Expert Comment

by:Leighd
We have the same set up (NT4.0 domain with a mix of XP, 2000 and Win98 PCs) and the XP machines have exactly the same problem as defined by "pjknibbs."

I've discovered that the XP machines are losing their internal trust relationship with the domain controller. To prove this, the next time this happens, go to Server Manager on the NT domain controller and double-click the machine name at fault. A dialog box pops up stating the "Trust relationship is no longer valid" or words to that effect.

The solution I found so far is to:

1. On the domain controller, remove the offending machine name from the domain using Server Manager

2. Log in locally as Administrator on the offending machine and remove it from the domain and revert it to be in a workgroup.  You'll have to reboot for this to happen.

3. After the reboot, log in again as Administrator and rejoin the domain.

Once the PC has rebooted you will then be prompted to change the password as normal.




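A workstation-side check for the broken trust relationship Leighd describes, as an added example that is not part of the original thread: it queries the machine's secure channel to the domain with nltest and prints the Winlogon values that control cached logons and the expiry warning. It assumes nltest.exe from the Windows Support Tools is installed and that it is run from an administrator account; the script name `chktrust.cmd` and the temporary file name are hypothetical.

```bat
@echo off
rem Added example, not from the thread. Run on the XP workstation.
rem Assumes nltest.exe (Windows Support Tools) is on the PATH.
rem Usage: chktrust.cmd DOMAIN     (chktrust.cmd is a hypothetical name)
setlocal
if "%~1"=="" goto usage
set "DOMAIN=%~1"
set "WINLOGON=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
set "OUT=%TEMP%\sc_query_%RANDOM%.txt"

echo === Secure channel from %COMPUTERNAME% to %DOMAIN% ===
nltest /sc_query:%DOMAIN% > "%OUT%" 2>&1
type "%OUT%"

rem nltest can end with "The command completed successfully" even when the
rem channel is down, so test the connection status line instead.
findstr /c:"NERR_Success" "%OUT%" >nul
if errorlevel 1 goto broken
echo RESULT: secure channel is healthy.
set RC=0
goto settings

:broken
echo RESULT: secure channel is NOT healthy. Compare with the Server Manager
echo         check on the domain controller before rejoining the domain.
set RC=1

:settings
echo.
echo === Winlogon settings that affect what the user sees at logon ===
rem CachedLogonsCount: how many domain logons are cached locally.
reg query "%WINLOGON%" /v CachedLogonsCount
rem PasswordExpiryWarning: days of advance warning; absent means the default.
reg query "%WINLOGON%" /v PasswordExpiryWarning 2>nul || echo PasswordExpiryWarning not set, default applies.
del "%OUT%" >nul 2>&1
exit /b %RC%

:usage
echo Usage: %~nx0 DOMAIN
exit /b 2
```

The exit code is 0 when the connection status line reports NERR_Success and 1 otherwise, so the script can be run across several workstations and the results compared.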
