Users changing passwords under AD

I am running an AD environment on Win 2003 servers with Win2k and WinXP clients.  I currently have user passwords set to expire every 3 months.  They do get a warning some days in advance of the expiration (if they actually log off their machine).  Many do not log out ever....   Because of this they run into a problem when they do Exchange from home or try to log in through our VPN.  (Our VPN is using IAS and the AD accounts to authenticate.)

Is there some way that they could change their password if they were to login using the web version of  exchange?  Or could IAS prompt them for a password change when they login using VPN?  We are using the Cisco VPN product.

One person mentioned that at one company they would get the notification about their password but it would not lock them out when the connected via outlook or exchange-web or vpn.

Any thoughts on what is the best way to handle this?  I will state right now that I cannot force the users to logout of their desktops periodically.

mikeleebrla Commented:
>>Is there some way that they could change their password if they were to login using the web version of  exchange?
Sure, after it is set up they will just need to go to Options > Change Password.
In order to change passwords via OWA you must have an SSL cert on your Exchange server.
Hello !!!

One problem still remains: logging in with the domain account against IAS via VPN...

I guess I would implement a policy to force logoff... Thus forcing the user to logon and receive the warning and renew the password...


hello   !!!!!  asrdias

I can see you have been on EE for a grand total of two days.  Please try to conduct yourself a little more professionally and refrain from using smart a$$ comments like "Hello !!!".  It simply serves no purpose here.

As I indicated, I answered one of the several questions that louisbohm asked.  

Yes, a forced logout would work to resolve some of the issues he is experiencing, but he specifically asked if you can change passwords via OWA, which you can.  I simply posted the answer to one of his specific questions.  No need for all this "hello!!!" stuff.  I hope you don't talk to your peers like that.


Hello !!! mikeleebrla  ( I like it this way... It's more human...)

Question 1: Is there some way that they could change their password if they were to login using the web version of  exchange? Solved on the answer to question 2...

Question 2: could IAS prompt them for a password change when they login using VPN? NO ! Use Policies to force logoff...Thus forcing the user to logon and receive the warning and renew the password...

To be as professional as I can, I will explain why I answered this way with a question:

Should a systems administrator make it easy for EVERYONE to gain access to their private systems?


Guys guys too much private chat lets just stick to the question please.

Louis you can force the users to log off but is this a safe action, a hard shutdown could cause problems.
Quote from an MS article; I know it is for Windows 2000 but it is pretty similar to Windows XP..
Workstations that are left logged on may represent a security risk for an organization.
 Many networks allow users to leave programs running and to remain logged on to their computers for an undefined time period. The Microsoft Windows 2000 Resource Kit includes the Winexit.scr tool that you can use to automatically quit a user's programs and to log the user off of the workstation.
How to Configure the Winexit.scr Screen Saver
1. Use Windows Explorer to locate the Winexit.scr file in the Windows 2000 Resource Kit folder on your hard disk.
2. Right-click the Winexit.scr file, and then click Install.
3. The Display Properties dialog box appears with the Screen Saver tab active. The Logoff Screen Saver entry is automatically selected. Click Settings.
4. Select the Force application termination check box to force programs to quit.
5. In the Countdown for n seconds box, type the number of seconds for which the logoff dialog box appears before the user is logged off.
6. In the Logoff Message box, type the message that appears during the logoff countdown. Click OK.
7. In the Display Properties dialog box, click Preview.
8. You see the Auto Logoff dialog box. It displays the logoff message and the countdown timer. Click Cancel.
9. Click OK.
The Force application termination option forces programs to quit even if the programs contain unsaved data. If you do not use this option, programs that contain unsaved data do not quit and the user is not logged off. It is a good idea to set your corporate policy to automatically save user documents if you use the Force application termination option.

from our EE database
Force a User to Logoff

hope this helps you good luck
Cheers Merete
Thats a good suggestion Merete.

The only thing I am trying to do here is to help...

I also found some information that ISA Server 2006 allows a user with an expired password to change it.
Here's the quote:

When using forms-based authentication, you can inform users that their passwords are going to expire in a specific number of days and you can enable your users to change their passwords so they do not expire. Users will also be able to change an expired password.

Here's the link:

I am not sure if any other VPN products allow this.

Additionally, you might want to check if your VPN product can use MS-CHAP or MS-CHAP v2...

If a user attempt authenticates using MS-CHAP using an expired password, MS-CHAP prompts the user to change the password while connecting to the server. Other authentication protocols do not support this feature effectively locking out the user who used the expired password.

The source of this information:


any comments from  louisbohm ??
I suspect that some of these workstations have apps that need to always run in the user's context, so logging out may not be an option, but what about locking the workstations? I may be wrong, but doesn't locking the workstation force a password change when it's unlocked? You may need to enable the "Interactive logon: Require Domain Controller authentication to unlock workstation" policy. This would be far less intrusive to the users than forcing a log-off.

Even if unlocking the workstation doesn't trigger a password change notification, I'd highly recommend implementing a policy that forces the workstations to auto-lock after a set period of time. Having a bunch of unlocked workstations defeats security measures such as a password expiration policy, since somebody could just walk up to a workstation and get full access without a password.

By the way, concerning the "hello!!!" introduction, I think asrdias was just trying to be friendly. I read it more as an over-zealous greeting by a non-native speaker than an attempt at a wise crack.

louisbohmAuthor Commented:
It has been years since I have heard such interesting commentary.

Anyway, I cannot force the users off.  First off, I would end up losing my job.  Secondly, 90% of my users use their Windows machine to access Unix/Linux servers where they do most of their work.  A forced log off might save Windows programs but would just crash X Windows.

I do like a couple of suggestions made here and will have to research them some more:

1. mikeleebrla's way of changing a user's password in OWA.  I thought I had remembered seeing this at one point but was not sure.
2. asrdias's comment that if the VPN is running MS-CHAP, IAS might be able to allow a password change.  I do not honestly remember what options I used to set up VPN with IAS but I will have to check this out.  He/She made a good comment that maybe Cisco might have a suggestion as to how IAS could allow a user to change his/her password through the VPN client.  I will have to call them if option 1 does not work or is too difficult.

Lastly, you all do realize that you wasted more space arguing over what is professional communication than just ignoring it.

Anyway, I am going to start testing and will get back to you all...
louisbohmAuthor Commented:
Well I am not sure how to score this one...

After reading what mikeleebrla said, I went looking some more and I found this site:
Very simple and it seems to work.  I am going to have a user test it tonight and if he can change his password then I will expire his password and have him retry it.

I may not have pointed out the problem my users are having.  They will stay logged in for a long time and then their password will expire on them.  Those who actually get the expiration message generally ignore it until it locks them out.  When that happens and they are here that is fine; they can then still change their own password.  It is the users who are on the road who get into trouble.  For example, my boss called me from China to have me reset his password so he could log in and get a file for a potential client who was sitting there waiting on him.  Of course he had ignored the change password message and only remembered it while on the plane to China.  It is problems like these I am trying to deal with.  (And believe it or not, my boss was the one who set up most of this years ago.)


I think I am lost now ... Is it possible to log in to OWA with an expired password in order to change it?

Any comments ?

Just an FYI: if you enable "Start Before Logon" in the Cisco VPN Windows Login Properties, when users connect they will be prompted to change their password as soon as they attempt to log in.
louisbohm morning from here :)
Don't score; rewards should only be for good suggestions.
In my opinion you kind of had to resolve it yourself.
I also concur that forcing users to log off could be dangerous; I thought you had asked about that?

But I was having difficulty knowing who was posting to whom with all the comments..
It is okay by me unless others will argue over it :D
If you don't wish to continue, simply request a refund as no answers assisted you.
If you look to the top of the page here see the words HELP.
Here is  how to>>closing a question  help

If you still have any probs  you can always repost it  at>>Windows Server 2003

Have a Nice day
regards Merete

louisbohmAuthor Commented:
This is the strangest posting I have ever seen.  So I think it time to clear up some things.

1. I never asked for help forcing a user to log off.  
2. mikeleebrla did give me some assistance.  As far as I am concerned pointing me down the right direction is assistance.
3. I did not know that setting the Cisco VPN to "Start Before Logon" would allow users to change their password.  It is a good idea but as some of my Cisco clients are on personal home machines I am not sure of the effects to their machines.  I will keep this one in reserve though.
4. No it is not possible to login with an expired password.  However, if you are at the state where you are being forced to change your password before it will let you do anything you can still login to change your password.  This has been a pain in my side for a while now.  I am still waiting for my tester to let me know the results but I am betting it works.  So going forward when a user tries to VPN in and they are at the state where they must change their password they will be able to login using OWA and no VPN, change their password and then reconnect through the VPN.

I hope that clears up some things...

louisbohmAuthor Commented:
Well I have implemented the OWA option and it works for the most part.  I am still unable to test what happens when a password is about to expire.  When I told my users about changing their passwords in OWA I did ask if anyone had a  password which was about to expire and was willing to test with me.  Still no answer.

I do know that if you have a user who has never logged in before to a windows domain account (a new user) they cannot login to OWA or outlook.  Seems dumb but I know it will not let you in.  Also, if you click "User must change password at next login" that user cannot login to OWA or outlook.

Anyway, I think the best answer here was the OWA suggestion and so I will award the points to mikeleebrla.  But thanks to everyone who answered.  It gave me a lot to think about.
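The original question is that users who never log off miss the expiry warning and get locked out while on the road, and the last post adds that an account flagged "User must change password at next logon" cannot sign in to OWA or Outlook at all. The following is an added example, not code from this thread: a PowerShell report of accounts whose password expires within a chosen window, plus those already in the forced-change state, meant to run from a scheduled task so people are warned while they can still self-serve through OWA. It assumes the ActiveDirectory module (newer than the 2003 domain described), a single domain-wide password policy, and placeholder mail server and sender names.

```powershell
# Added example, not code from the thread: list AD accounts whose password
# expires within $WarnDays, or that are already forced to change it.
# Assumes the ActiveDirectory module (Server 2008 R2 / later RSAT) and a
# single domain-wide password policy; mail names below are placeholders.
param([int]$WarnDays = 14)

Import-Module ActiveDirectory

$now    = Get-Date
$cutoff = $now.AddDays($WarnDays)

# msDS-UserPasswordExpiryTimeComputed is a FILETIME (100 ns ticks since 1601).
# The DC reports 0 when pwdLastSet is 0 ("must change password at next logon")
# and Int64.MaxValue when the password never expires; neither is a valid date.
$users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties 'msDS-UserPasswordExpiryTimeComputed', PasswordLastSet, EmailAddress

$report = foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    if ($null -eq $raw -or $raw -eq [int64]::MaxValue) { continue }

    if ($raw -eq 0) {
        # This state blocks OWA/Outlook sign-in until an interactive change,
        # so the user needs a desk-side or help-desk reset, not just a warning.
        [pscustomobject]@{ User = $u.SamAccountName; Mail = $u.EmailAddress;
                           ExpiresOn = $null; DaysLeft = 0; State = 'MustChangeAtNextLogon' }
        continue
    }

    $expires = [datetime]::FromFileTime($raw)
    if ($expires -gt $cutoff) { continue }     # not due within the warning window

    $state = if ($expires -le $now) { 'Expired' } else { 'ExpiringSoon' }
    [pscustomobject]@{ User = $u.SamAccountName; Mail = $u.EmailAddress;
                       ExpiresOn = $expires;
                       DaysLeft = [math]::Floor(($expires - $now).TotalDays);
                       State = $state }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize

# Warn only the people who can still fix it themselves via OWA or the VPN client.
$soon = $report | Where-Object { $_.State -eq 'ExpiringSoon' -and $_.Mail }
foreach ($r in $soon) {
    Send-MailMessage -To $r.Mail -From 'it-notify@example.com' -SmtpServer 'smtp.example.com' `
        -Subject "Your domain password expires in $($r.DaysLeft) day(s)" `
        -Body "Change it via OWA (Options > Change Password) before $($r.ExpiresOn)."
}
```

Accounts listed as Expired or MustChangeAtNextLogon are the ones that will fail against IAS and OWA and need a help-desk reset; scheduling this daily catches road warriors before the 3-month window closes.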
