"Change password at first logon" not working correctly

Posted on 2004-10-21
Medium Priority
Last Modified: 2008-01-16
We just finished migrating 4 companies with 4 different domains (NT & 2000) into one single windows 2003 domain.
Everything, so far, seems to be working fine except when it comes to forcing a user to change a password at next logon.

When I select this option on the server, a user can still log into Windows using his/her old password. However, when he tries to access a network share on the server, the system prompts him that his password needs to be changed before he can access the share. The user then logs out of Windows and when he logs back in, he gets prompted to change his/her password. It's like Active Directory does not sense that a user's password needs to be changed until an attempt to access a network share is made! Very odd.

The setup is 2x Server 2003 domain controllers with one of them running Exchange 2003. Both are DNS servers and one is a DHCP server. About 70 users running a mix of Windows 2000 and XP. DNS seems to be working fine on the network (nslookup is happy).

Any ideas or questions?
Thanks for any help in advance.
Question by:lehan

Expert Comment

ID: 12375712
It sounds like your Group Policies aren't consistent.

I'm assuming since you said they have "old" passwords that the previous user accounts were migrated in, and you're not talking about creating new users and checking the box for "change password" during account creation.

I would check to make sure the group policy forcing the change password (and other account security) is at the domain level and is being enforced. If it's at a lower level (such as the local machine/server), it might be why it's only being showing up when they try and access the local files on the server (which may be where you have the policy applied).

I hope that made sense! ;)


Author Comment

ID: 12375867
Mike, actually no, the accounts were newly created. We set everyone up with a new account and a default password, logged into their machines using the new account and default password, set up a few things on their machines (Outlook, IE, etc.), then logged out and on the server checked the "user must change password..." option for all accounts. When a user logs in using their default password, they should be prompted to change it, but they are not!

We are using a group policy for password settings, so your assumption might be true.
Since we have 4 companies on one domain, we created 4 OUs for each company. We then changed the group password policy for the whole domain (let's call it xyz). Is this the correct way or do we actually have to create a password group policy for each OU?

Thanks for the help so far.

Expert Comment

ID: 12376608
Well... it depends. If your policies in the OUs are blocking inheritance from the domain, then that's the problem.

Also, are your users logging into their computers with a local account or as a domain account?

If they are logging in as a local account, the policy would also have to be applied to the container that has your computers in it. Otherwise, as in the other scenario, the policy wouldn't be applied until they needed to use a domain resource.

Author Comment

ID: 12376817
Users are logging in as a domain account. No local accounts are allowed except for the local admin account.

I will check the OU policies next time I am on site. I don't think we created any new policies for OUs since the domain is still new; I am sure no password policies were created at least. It seems like other password policies are working fine (i.e. we made the min password length 6 and require a letter and number), which is working fine.

I'll let you know shortly if that's the problem.


Expert Comment

ID: 12376881
While you're there, don't forget that all of the password protocols such as complexity requirements are also set in policy for the local machine, which in this case is the server.

There's a good chance that what you think are those policies applying properly are actually the box policies that weren't accounted for.

Good luck.

Accepted Solution

Vahik earned 400 total points
ID: 12389027
Account policies that are not applied at domain level (in your case it must be OU level) will only affect the local account database of any computer in that OU. It won't affect any user authenticating with the domain when using the computer. So you can only have one enforceable account policy, as long as it is set at the domain level. If your forest consists of many domains, then the policy must be set at each domain.

So what is happening to your users? I say you have account policies set at different OU levels and "user must change password" at your domain level, which allows users to log in to your domain with the local security account management of their computer first, and when using resources of the domain, the account policies of the domain are applied to them.

Confused? Well, that is the purpose of Active Directory.
Not writing for the points, just making a comment.
Take care and good luck.
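The two points raised in this thread (Mike's advice to confirm the password policy is linked and enforced at the domain level, and Vahik's explanation that account policies linked to an OU only reach the local SAM of the computers in it) can be checked from a current domain with the script below. It is an added example, not code from this thread or from Microsoft; it assumes the ActiveDirectory and GroupPolicy RSAT modules on a domain-joined admin workstation with read access to GPOs, and the setting names in $accountSettings are assumed to be the ones that appear in a GPO XML report.

```powershell
# Added example (not from the thread): audit how "user must change password
# at next logon" and account policies are actually applied in the domain.
# Assumes the ActiveDirectory and GroupPolicy RSAT modules are installed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. Which enabled users are flagged to change their password at next logon?
#    In AD the "must change" checkbox is stored as pwdLastSet = 0.
$mustChange = @(Get-ADUser -Filter 'pwdLastSet -eq 0' -Properties pwdLastSet |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, DistinguishedName)
"Users flagged 'must change password at next logon': $($mustChange.Count)"
$mustChange | Format-Table -AutoSize

# 2. The only account policy that governs domain accounts is the one applied
#    at the domain root; print it so it can be compared with what was intended.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge,
                  PasswordHistoryCount, LockoutThreshold

# 3. Find GPOs linked to OUs that carry Account Policy settings. Those settings
#    only reach the local SAM of computers in the OU, never domain accounts,
#    so their presence usually signals the confusion described in the thread.
#    Assumption: these are the setting names as rendered in the GPO XML report.
$accountSettings = 'MinimumPasswordLength', 'PasswordComplexity', 'MaximumPasswordAge',
                   'MinimumPasswordAge', 'PasswordHistorySize', 'LockoutBadCount'

Get-ADOrganizationalUnit -Filter * -Properties gPLink |
    Where-Object { $_.gPLink } |
    ForEach-Object {
        $ou = $_
        # gPLink holds one or more "[LDAP://cn={guid},...;flags]" entries
        [regex]::Matches($ou.gPLink, '\{([0-9A-Fa-f-]+)\}') | ForEach-Object {
            $gpo = Get-GPO -Guid $_.Groups[1].Value -ErrorAction SilentlyContinue
            if (-not $gpo) { return }
            $xml  = Get-GPOReport -Guid $gpo.Id -ReportType Xml
            $hits = $accountSettings | Where-Object { $xml -match ('Name>' + [regex]::Escape($_) + '<') }
            if ($hits) {
                [pscustomobject]@{
                    OU       = $ou.DistinguishedName
                    GPO      = $gpo.DisplayName
                    Settings = ($hits -join ', ')
                    Effect   = 'local SAM only; does not apply to domain accounts'
                }
            }
        }
    } | Format-Table -AutoSize
```

Any row in the last table is an account policy that looks enforced in the console but does nothing for domain logons; the fix is to move those settings into a GPO linked at the domain root (or, on 2008-level domains and later, a fine-grained password policy), and the first table confirms which accounts will actually be prompted once that single domain policy is in place.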

