Solved

Force password age to reach policy limits in Active Directory

Posted on 2007-07-23
Last Modified: 2008-06-27
Hello, I need to force passwords to expire in Active Directory. I'm currently testing password reset through Outlook Web Access and need to duplicate the user experience of the end user. I can't simply say password will expire on said date, or force the password to reset at next logon. I'm looking for some kind of utility that will allow me to change the date at which the password was last set on a user account.
0
Question by:daramooka
9 Comments
 
LVL 18

Expert Comment

by:Don S.
ID: 19549344
For testing purposes, just set the test user to password expired. OWA behaves the same way as if the password expiration date had passed. Make sure to restart IIS on your Exchange server or wait for the cached credentials to expire in IIS before attempting to test through OWA, otherwise you will drive yourself nuts.
0
 

Author Comment

by:daramooka
ID: 19549428
The problem is, there are about 5 password reset pages. I need to completely reproduce the potential issues my end users may be having. With that said, I don't want to leave anything to chance and want to reproduce the environment as much as possible. I also don't want to have to modify group policy too much as well. I have about 500+ users operating in multiple regions, so I can't leave anything to chance.
0
 
LVL 18

Expert Comment

by:Don S.
ID: 19549535
There is only one main password change page (aexp.asp) that comes up with an expired password (regardless of how it has expired). The other pages come up when the user initiates the password change or in response to invalid user input in the password change process.
0
 

Author Comment

by:daramooka
ID: 19549564
There is still the aexp2.asp, aexp2b.asp, aexp3.asp, aexp4.asp, and aexp4b.asp pages. By editing the pages, we were able to look at the source code on the browser and see the different pages come up.
0
 
LVL 18

Expert Comment

by:Don S.
ID: 19549602
I have never encountered those pages actually being used. I've only seen aexp.asp actually used in a password expiration notice.
0
 

Author Comment

by:daramooka
ID: 19549655
Regardless, I would still like to reproduce the user experience. Plus I would really like a utility that allows me to target an account and modify the password age. It would be useful in many scenarios.
0
 
LVL 18

Expert Comment

by:Don S.
ID: 19549788
By checking the "user must change password at next logon" box, you ARE reproducing a password expiration experience. There is no actual "date" a password expires on, there is only a count of the number of days since it was last changed, controlled by the applicable GPO. When that count exceeds the number of days, AD sets the same flag that you are setting when you check the above mentioned box in their profile. I know of no utility that would allow you to mess with that counter.
0
 

Author Comment

by:daramooka
ID: 19612906
I was eventually able to reproduce the environment to find out which pages came up. In a lab environment, I determined that different aexp pages come up in different scenarios. If your password is about to expire, you are redirected to anot.asp, which asks you if you want to change your password because it will expire. If you say yes, you are redirected to an aexp page. Off of memory, I believe it's aexp2b.asp. If you manually change your password, you are redirected to aexp2.asp. Last, if your password has expired or if you need to change your password, you are then redirected to a third, different aexp asp page. These pages are important if you are, like myself, trying to brand your password change IIS/OWA environment. Regardless, all of the aexp pages redirect the user variables to the achg.asp page, as the achg page is the main mechanism for this entire password process.
0
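An added example, not from any poster in this thread: the password states discussed above (about to expire, expired, must change) classified from raw directory values, for checking which state a lab account is in before testing OWA. It assumes `pwdLastSet`, `userAccountControl` and the domain `maxPwdAge` were exported as integers; the account names, dates and the 14-day warning window are constructed, and the window is not OWA's own threshold.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICK = timedelta(microseconds=1)        # 1 microsecond = 10 FILETIME units of 100 ns
DONT_EXPIRE_PASSWORD = 0x10000          # userAccountControl bit
NEVER = (0, -0x8000000000000000)        # maxPwdAge values meaning "no expiry"

def filetime_to_dt(ft):
    """Convert a FILETIME integer (100-ns units since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    """Inverse of filetime_to_dt, using exact integer arithmetic."""
    return ((dt - FILETIME_EPOCH) // TICK) * 10

def password_state(pwd_last_set, max_pwd_age, uac, now, warn_days=14):
    """Return (state, expiry) from raw attribute values.
    pwd_last_set: pwdLastSet; 0 means "must change at next logon". On write,
                  the directory accepts only 0 or -1 (stamp current time).
    max_pwd_age:  domain maxPwdAge, stored as a negative 100-ns interval.
    warn_days:    assumed warning window (hypothetical parameter).
    """
    if uac & DONT_EXPIRE_PASSWORD:
        return "never_expires", None
    if pwd_last_set == 0:
        return "must_change", None
    if max_pwd_age in NEVER:
        return "never_expires", None
    max_age = timedelta(microseconds=-max_pwd_age // 10)
    expires = filetime_to_dt(pwd_last_set) + max_age
    if now >= expires:
        return "expired", expires
    if expires - now <= timedelta(days=warn_days):
        return "expiring_soon", expires
    return "ok", expires

# Constructed sample data: a 42-day policy and four lab accounts.
NOW = datetime(2007, 7, 23, 12, 0, tzinfo=timezone.utc)
MAX_AGE_42_DAYS = -42 * 864_000_000_000
SAMPLES = {
    "lab-expired": (dt_to_filetime(NOW - timedelta(days=50)), 0x200),
    "lab-warning": (dt_to_filetime(NOW - timedelta(days=35)), 0x200),
    "lab-flagged": (0, 0x200),
    "lab-exempt":  (dt_to_filetime(NOW - timedelta(days=50)), 0x10200),
}

def classify_samples():
    return {name: password_state(ft, MAX_AGE_42_DAYS, uac, NOW)[0]
            for name, (ft, uac) in SAMPLES.items()}
```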
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 21888908
PAQed with points refunded (500)

Computer101
EE Admin
0
