"Change password at first logon" not working correctly

Posted on 2004-10-21
Medium Priority
Last Modified: 2008-01-16
We just finished migrating 4 companies with 4 different domains (NT & 2000) into one single Windows 2003 domain.
Everything, so far, seems to be working fine except when it comes to forcing a user to change a password at next logon.

When I select this option on the server, a user can still log in to Windows using his/her old password. However, when he tries to access a network share on the server, the system prompts him that his password needs to be changed before he can access the share. The user then logs out of Windows and when he logs back in, he gets prompted to change his/her password. It's like Active Directory does not sense that a user's password needs to be changed until an attempt to access a network share is made! Very odd.

The setup is 2x Server 2003 domain controllers with one of them running Exchange 2003. Both are DNS servers and one is a DHCP server. About 70 users running a mix of Windows 2000 and XP. DNS seems to be working fine on the network (nslookup is happy).

Any ideas or questions?
Thanks for any help in advance.
Question by:lehan
Expert Comment

ID: 12375712
It sounds like your Group Policies aren't consistent.

I'm assuming since you said they have "old" passwords that the previous user accounts were migrated in, and you're not talking about creating new users and checking the box for "change password" during account creation.

I would check to make sure the group policy forcing the change password (and other account security) is at the domain level and is being enforced. If it's at a lower level (such as the local machine/server), it might be why it's only showing up when they try and access the local files on the server (which may be where you have the policy applied).

I hope that made sense! ;)


Author Comment

ID: 12375867
Mike, actually no, the accounts were newly created. We set everyone up with a new account and a default password, logged into their machines using the new account and default password, set up a few things on their machines (Outlook, IE, etc.), then logged out and on the server checked the "user must change password..." option for all accounts. When a user logs in using their default password, they should be prompted to change it, but they are not!

We are using a group policy for password settings, so your assumption might be true.
Since we have 4 companies on one domain, we created 4 OU's for each company. We then changed the group password policy for the whole domain (let's call it xyz). Is this the correct way or do we actually have to create a password group policy for each OU?

Thanks for the help so far.

Expert Comment

ID: 12376608
Well... it depends. If your policies in the OUs are blocking inheritance from the domain, then that's the problem.

Also, are your users logging into their computers with a local account or as a domain account?

If they are logging in as a local account, the policy would also have to be applied to the container that has your computers in it. Otherwise, as in the other scenario, the policy wouldn't take effect until they needed to use a domain resource.

Author Comment

ID: 12376817
Users are logging in as a domain account. No local accounts are allowed except for the local admin account.

I will check the OU policies next time I am on site. I don't think we created any new policies for OUs since the domain is still new. I am sure no password policies were created at least. It seems like other password policies are working fine (i.e. we made min password length to be 6 and require a letter and number only), which is working fine.

I'll let you know shortly if that's the problem.


Expert Comment

ID: 12376881
While you're there, don't forget that all of the password protocols such as complexity requirements are also set in policy for the local machine, which in this case is the server.

There's a good chance that what you think are those policies applying properly are actually the box policies that weren't accounted for.

Good luck.

Accepted Solution

Vahik earned 400 total points
ID: 12389027
Account policies that are not applied at domain level (in your case it must be OU level)
will only affect the local account database of any computer in that OU. It won't affect any
user authenticating with the domain when using the computer. So you can only have one
enforceable account policy, as long as it is set at the domain level. If your forest consists of
many domains then the policy must be set in each domain.
So what is happening to your users? I say you have account policies set at different OU levels
and "user must change password" at your domain level, which allows users to log in to your
domain with the local security account management of their computer first, and when
using resources of the domain the account policies of the domain are applied to them.
Confused? Well, that is the purpose of Active Directory.
Not writing for the points, just making a comment.
Take care and good luck.
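The accepted answer's point is that only the domain-level account policy is enforceable for domain accounts, and that anything linked at OU level (or an OU blocking inheritance) silently changes what a user actually sees. The script below is an added example, not code from the thread or from Experts Exchange: it audits the three things discussed above, namely the effective domain-level password policy, which enabled accounts carry the "user must change password at next logon" flag (stored in AD as pwdLastSet = 0), and which OUs block inheritance or link a GPO that carries account-policy settings. It assumes a modern domain with the ActiveDirectory and GroupPolicy PowerShell modules (RSAT on Server 2008 R2 or later); the original environment was Server 2003, which predates these cmdlets. The setting names matched in the GPO XML report (MinimumPasswordLength, PasswordComplexity, and so on) are the standard [System Access] names from GptTmpl.inf.

```powershell
# Added example (not from the original thread): audit where account policy
# actually lives and which accounts are flagged "must change at next logon".
# Assumes the ActiveDirectory and GroupPolicy modules are available (RSAT,
# Server 2008 R2+); run as a user who can read GPOs and user attributes.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. The only password policy that applies to domain accounts is the one at the
#    domain root. Show it so it can be compared with what users actually get.
$domain = Get-ADDomain
$policy = Get-ADDefaultDomainPasswordPolicy
"Domain-level password policy for $($domain.DNSRoot):"
$policy |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge,
                  MinPasswordAge, PasswordHistoryCount, LockoutThreshold |
    Format-List

# 2. "User must change password at next logon" is pwdLastSet = 0 on the account.
#    Listing these shows whether the flag was really set server-side, independent
#    of whether the workstation ever prompted the user.
$mustChange = Get-ADUser -Filter { pwdLastSet -eq 0 -and Enabled -eq $true } `
                         -Properties pwdLastSet, PasswordExpired, LastLogonDate |
              Select-Object SamAccountName, PasswordExpired, LastLogonDate,
                            DistinguishedName
"Enabled accounts flagged to change password at next logon: $(@($mustChange).Count)"
$mustChange | Format-Table -AutoSize

# 3. Walk every OU. A blocked-inheritance OU hides the domain GPO from computers
#    in it; a GPO linked below the root that carries account-policy settings only
#    reaches the local SAM of those computers, which is the mismatch in the thread.
$accountPolicyPattern = 'MinimumPasswordLength|MinimumPasswordAge|MaximumPasswordAge|' +
                        'PasswordComplexity|PasswordHistorySize|ClearTextPassword|LockoutBadCount'

foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $inheritance = Get-GPInheritance -Target $ou.DistinguishedName
    if ($inheritance.GpoInheritanceBlocked) {
        "WARNING: inheritance blocked at $($ou.DistinguishedName)"
    }
    foreach ($link in $inheritance.GpoLinks) {
        # Get-GPOReport returns the GPO's settings as XML; a plain regex over the
        # text is enough to spot account-policy entries without parsing namespaces.
        $reportXml = Get-GPOReport -Guid $link.GpoId -ReportType Xml
        if ($reportXml -match $accountPolicyPattern) {
            "NOTE: GPO '$($link.DisplayName)' linked at $($ou.DistinguishedName) " +
            "carries account-policy settings; these affect local SAM accounts only"
        }
    }
}

# 4. For completeness, list what is linked at the domain root, since that is the
#    only place a password policy for domain accounts can be enforced.
$rootInheritance = Get-GPInheritance -Target $domain.DistinguishedName
"GPOs linked at the domain root (order of precedence):"
$rootInheritance.GpoLinks | Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize
```

Read the output top to bottom: if step 2 shows the flag set but users are not prompted, and step 3 reports account-policy GPOs below the root or an OU with blocked inheritance, the workstations are evaluating a local policy rather than the domain one, which is the situation the accepted answer describes.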

