"Change password at first logon" not working correctly

Posted on 2004-10-21
Last Modified: 2008-01-16
We just finished migrating 4 companies with 4 different domains (NT & 2000) into one single Windows 2003 domain.
Everything, so far, seems to be working fine except when it comes to forcing a user to change a password at next logon.

When I select this option on the server, a user can still log in to Windows using his/her old password. However, when he tries to access a network share on the server, the system prompts him that his password needs to be changed before he can access the share. The user then logs out of Windows and when he logs back in, he gets prompted to change his/her password. It's like Active Directory does not sense that a user's password needs to be changed until an attempt to access a network share is made! Very odd.

The setup is 2x Server 2003 domain controllers with one of them running Exchange 2003. Both are DNS servers and one is a DHCP server. About 70 users running a mix of Windows 2000 and XP. DNS seems to be working fine on the network (nslookup is happy).

Any ideas or questions?
Thanks for any help in advance.
Question by:lehan
    LVL 2

    Expert Comment

    It sounds like your Group Policies aren't consistent.

    I'm assuming since you said they have "old" passwords that the previous user accounts were migrated in, and you're not talking about creating new users and checking the box for "change password" during account creation.

    I would check to make sure the group policy forcing the change password (and other account security) is at the domain level and is being enforced. If it's at a lower level (such as the local machine/server), it might be why it's only showing up when they try to access the local files on the server (which may be where you have the policy applied).

    I hope that made sense! ;)

    LVL 1

    Author Comment

    Mike, actually no, the accounts were newly created. We set everyone up with a new account and a default password, logged into their machines using the new account and default password, set up a few things on their machines (Outlook, IE, etc.), then logged out and on the server checked the "user must change password..." option for all accounts. When a user logs in using their default password, they should be prompted to change it, but they are not!

    We are using a group policy for password settings, so your assumption might be true.
    Since we have 4 companies on one domain, we created 4 OUs, one for each company. We then changed the group password policy for the whole domain (let's call it xyz). Is this the correct way, or do we actually have to create a password group policy for each OU?

    Thanks for the help so far.
    LVL 2

    Expert Comment

    Well. . .it depends. If your policies in the OU's are blocking inheritance from the domain, then that's the problem.

    Also, are your users logging into their computers with a local account or as a domain account?

    If they are logging in as a local account, the policy would also have to be applied to the container that has your computers in it. Otherwise, as in the other scenario, the policy wouldn't take effect until they needed to use a domain resource.
    LVL 1

    Author Comment

    Users are logging in as a domain account. No local accounts are allowed except for the local admin account.

    I will check the OU policies next time I am on site. I don't think we created any new policies for OUs since the domain is still new. I am sure no password policies were created, at least. It seems like other password policies are working fine (i.e. we made the minimum password length 6 and require a letter and a number), which is working fine.

    I'll let you know shortly if that's the problem.

    LVL 2

    Expert Comment

    While you're there, don't forget that all of the password protocols such as complexity requirements are also set in policy for the local machine, which in this case is the server.

    There's a good chance that what you think are those policies applying properly are actually the box policies that weren't accounted for.

    Good luck.
    LVL 26

    Accepted Solution

    Account policies that are not applied at domain level (in your case it must be OU level)
    will only affect the local account database of any computer in that OU. It won't affect any
    user authenticating with the domain. You can have only one
    enforceable account policy, and it must be set at the domain level. If your forest consists of
    many domains then the policy must be set in each domain.
    So what is happening to your users? I say you have account policies set at different OU levels
    and "user must change password" at your domain level, which allows users to log in to your
    domain with the local security account management of their computer first, and when
    using resources of the domain, the account policies of the domain are applied to them.
    Confused? Well, that is the purpose of Active Directory.
    Not writing for the points, just making a comment.
    Take care and good luck.
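    The two points made above (only the domain-linked account policy governs domain accounts, and a policy linked at an OU or on the box only governs that machine's local SAM; and the checkbox has to have actually reached each migrated account) can both be verified from a domain-joined workstation. The script below is an added example, not code from the original thread or its posters; it uses only `net accounts` and plain ADSI (no AD PowerShell module, which did not exist for Windows 2003), and the OU name and user DN at the end are hypothetical placeholders.

```powershell
# Added example (not from the original thread). Run on a domain-joined machine
# as a domain user; requires only ADSI (System.DirectoryServices).

# 1. Which account policy is actually in force?
#    Password length/complexity/expiry and lockout for DOMAIN accounts come only
#    from the GPO linked at the domain root. 'net accounts /domain' shows that
#    one; 'net accounts' with no switch shows the LOCAL SAM policy of this box.
#    If the two differ, an OU- or machine-level policy is what you are seeing.
Write-Host "=== Domain account policy (what domain users get) ==="
net accounts /domain
Write-Host "=== Local account policy of this machine (local accounts only) ==="
net accounts

# 2. "User must change password at next logon" is stored on the user object as
#    pwdLastSet = 0. Enumerate every enabled user carrying that flag so you can
#    confirm the checkbox really landed on each migrated account.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDN = $rootDse.Get("defaultNamingContext")

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDN"
$searcher.PageSize   = 500
# enabled users (ACCOUNTDISABLE bit 0x2 clear) whose pwdLastSet is 0
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)" +
                   "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
[void]$searcher.PropertiesToLoad.Add("sAMAccountName")
[void]$searcher.PropertiesToLoad.Add("userAccountControl")
[void]$searcher.PropertiesToLoad.Add("distinguishedName")

Write-Host "=== Enabled users flagged 'must change password at next logon' ==="
foreach ($r in $searcher.FindAll()) {
    $sam = $r.Properties["samaccountname"][0]
    $uac = [int]$r.Properties["useraccountcontrol"][0]
    # DONT_EXPIRE_PASSWD (0x10000) on the same object means the must-change
    # flag is not honoured at logon; that is a common reason the prompt never
    # appears even though pwdLastSet is 0.
    $neverExpires = (($uac -band 0x10000) -ne 0)
    "{0,-20} mustChange=yes  passwordNeverExpires={1}  {2}" -f `
        $sam, $neverExpires, $r.Properties["distinguishedname"][0]
}

# 3. (Re)apply the flag to one account without the GUI. The DN is a
#    hypothetical placeholder; substitute the real user and OU.
$user = [ADSI]"LDAP://CN=Jane Doe,OU=CompanyA,$domainDN"
$user.Put("pwdLastSet", 0)
$user.SetInfo()
```

If step 1 shows the same values for both commands on a domain controller, that is expected: a DC has no separate local SAM, so its "local" policy is the domain one. Run the comparison on a member workstation to see the split the accepted answer describes, and use step 2 to spot accounts where "Password never expires" quietly cancels the must-change flag.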

