"Change password at first logon" not working correctly

We just finished migrating 4 companies with 4 different domains (NT & 2000) into one single windows 2003 domain.
Everything, so far, seems to be working fine except when it comes to forcing a user to change a password at next logon.

When I select this option on the server, a user can still log in to Windows using his/her old password. However, when he tries to access a network share on the server, the system prompts him that his password needs to be changed before he can access the share. The user then logs out of Windows and when he logs back in, he gets prompted to change his/her password. It's like Active Directory does not sense that a user's password needs to be changed until an attempt to access a network share is made! Very odd.

The setup is 2x Server 2003 domain controllers with one of them running Exchange 2003. Both are DNS servers and one is a DHCP server. About 70 users running a mix of Windows 2000 and XP. DNS seems to be working fine on the network (nslookup is happy).

Any ideas or questions?
Thanks for any help in advance.

It sounds like your Group Policies aren't consistent.

I'm assuming since you said they have "old" passwords that the previous user accounts were migrated in, and you're not talking about creating new users and checking the box for "change password" during account creation.

I would check to make sure the group policy forcing the change password (and other account security) is at the domain level and is being enforced. If it's at a lower level (such as the local machine/server), it might be why it's only showing up when they try and access the local files on the server (which may be where you have the policy applied).

I hope that made sense! ;)

lehanAuthor Commented:
Mike, actually no, the accounts were newly created. We set everyone up with a new account and a default password, logged into their machines using the new account and default password, set up a few things on their machines (Outlook, IE, etc.), then logged out and on the server checked the "user must change password..." option for all accounts. When a user logs in using their default password, they should be prompted to change it, but they are not!

We are using a group policy for password settings, so your assumption might be true.
Since we have 4 companies on one domain, we created 4 OUs, one for each company. We then changed the group password policy for the whole domain (let's call it xyz). Is this the correct way or do we actually have to create a password group policy for each OU?

Thanks for the help so far.
Well... it depends. If your policies in the OUs are blocking inheritance from the domain, then that's the problem.

Also, are your users logging into their computers with a local account or as a domain account?

If they are logging in as a local account, the policy would also have to be applied to the container that has your computers in it. Otherwise, as in the other scenario, the policy wouldn't be affected until they needed to use a domain resource.

lehanAuthor Commented:
Users are logging in as a domain account. No local accounts are allowed except for the local admin account.

I will check the OU policies next time I am on site. I don't think we created any new policies for OUs since the domain is still new; I am sure no password policies were created, at least. It seems like other password policies are working fine (i.e., we set the minimum password length to 6 and require a letter and a number only), which is working fine.

I'll let you know shortly if that's the problem.

While you're there, don't forget that all of the password protocols such as complexity requirements are also set in policy for the local machine, which in this case is the server.

There's a good chance that what you think are those policies applying properly are actually the box policies that weren't accounted for.

Good luck.
Account policies that are not applied at domain level (in your case it must be OU level) will only affect the local account database of any computer in that OU. It won't affect any user authenticating with the domain when using the computer. So you can only have one enforceable account policy, as long as it is set at the domain level. If your forest consists of many domains then the policy must be set at each domain.

So what is happening to your users? I say you have account policies set at different OU levels and "user must change password" at your domain level, which allows users to log in to your domain with the local security account management of their computer first; when they use resources of the domain, the account policies of the domain are applied to them.

Confused? Well, that is the purpose of Active Directory.

Not writing for the points, just making a comment.
Take care and good luck.
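As an added example (not code from the thread or from any of its participants), here is how to verify with modern RSAT tooling the three things the answers above ask the poster to check: that the password policy is linked and enforced at the domain root rather than on an OU or the server's local policy, that no OU blocks inheritance from the domain, and that a given user really has "User must change password at next logon" set. It assumes the ActiveDirectory and GroupPolicy PowerShell modules (Windows Server 2008 R2 or later tooling, not available on the 2003-era hosts in the thread); the user name 'jdoe' is a placeholder.

```powershell
# Added example, not part of the original thread.
# Assumes RSAT ActiveDirectory + GroupPolicy modules and a domain-joined admin session.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. The effective domain-wide account policy. Only a GPO linked at the domain
#    root can set this; the same settings on an OU-linked GPO only reach the
#    local SAM of computers in that OU (what the last answer above describes).
Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge,
                  MinPasswordAge, PasswordHistoryCount, LockoutThreshold

# 2. GPOs linked at the domain root. Enforced = True means a child OU with
#    "Block Inheritance" still receives the link.
$root = Get-GPInheritance -Target $domainDN
$root.GpoLinks | Select-Object DisplayName, Enabled, Enforced, Order

# Report every OU that blocks inheritance from the domain (the scenario Mike
# raised above). Returns the list so it can be inspected or acted on.
function Get-InheritanceBlockingOUs {
    Get-ADOrganizationalUnit -Filter * -SearchBase $domainDN |
        Where-Object { (Get-GPInheritance -Target $_.DistinguishedName).GpoInheritanceBlocked } |
        Select-Object -ExpandProperty DistinguishedName
}
Get-InheritanceBlockingOUs

# 3. Per-user state. The ADUC checkbox "User must change password at next logon"
#    is stored as pwdLastSet = 0 on the user object; read the raw attribute so
#    you see exactly what the DC will evaluate at the next authentication.
function Get-MustChangeState {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName `
                    -Properties pwdLastSet, PasswordExpired, PasswordNeverExpires
    [pscustomobject]@{
        User                 = $u.SamAccountName
        pwdLastSet           = $u.pwdLastSet
        MustChangeAtLogon    = ($u.pwdLastSet -eq 0)
        PasswordExpired      = $u.PasswordExpired
        PasswordNeverExpires = $u.PasswordNeverExpires   # shown so conflicting settings are visible
    }
}
Get-MustChangeState -SamAccountName 'jdoe'   # 'jdoe' is a placeholder
```

On the Windows 2000/XP/2003 machines in the thread itself, the equivalents are `net accounts /domain` (the effective domain account policy as the DC applies it) and `gpresult /v` run as the affected user on the workstation, which lists the GPOs that actually applied at the last logon and therefore shows whether a domain-level policy reached that user or only the local/OU policy did.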


Windows Server 2003
