How long after an AD account password is reset does the user notice?

bungeecork asked:
Hi there,

If I reset a user's AD password (directory server is 2008, workstation is XP), the user's access to the workstation is not immediately affected. They continue to have access to documents and Exchange emails for some time. Even if they lock their computer they can unlock it with the old password.

If I reset someone's password, what needs to happen before they are locked out of the system, and how long will that take?

If the user knows the password and is logged in, why is the password being reset? If you want to forbid access, you should disable the account, which I believe removes it from ACLs. Password reset should be a restorative action, not an access related action.

The password change should take effect at next logoff/logon.
Users will continue to have access until they log out and attempt to log back in.

The reset will be enforced on the next log in.

The default time for a ticket generated by Kerberos is 10 hours. So I believe after 10 hours the user will get errors when accessing network resources.
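The "10 hours" in the reply above is the domain's Kerberos MaxTicketAge, and it is a policy setting rather than a constant, so it is worth reading the real value before relying on it. The following PowerShell is an added example and not code from this thread or from Experts Exchange. It assumes the RSAT ActiveDirectory module is installed and that the Kerberos policy is set in the Default Domain Policy, whose GUID is the well-known {31B2F340-016D-11D2-945F-00C04FB984F9}; a domain that sets Kerberos policy in a different GPO needs that GPO's SYSVOL path instead.

```powershell
# Added example, not from the original thread: read the domain's Kerberos
# policy out of the Default Domain Policy security template in SYSVOL and
# show the tickets the current logon session already holds.
# Assumptions: RSAT ActiveDirectory module present; Kerberos policy defined
# in the Default Domain Policy (GUID below is the well-known one).
Import-Module ActiveDirectory

$domain   = (Get-ADDomain).DNSRoot
$template = "\\$domain\SYSVOL\$domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}" +
            "\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

# GptTmpl.inf is INI-formatted. Its [Kerberos Policy] section carries
# MaxTicketAge (TGT lifetime, hours), MaxRenewAge (days),
# MaxServiceAge (service ticket lifetime, minutes) and MaxClockSkew (minutes).
function Get-KerberosPolicy {
    param([string]$Path)
    $inSection = $false
    $policy = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Kerberos Policy')
            continue
        }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(\d+)') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    return $policy
}

$kerb = Get-KerberosPolicy -Path $template

# A domain that never touched the section runs on the defaults:
# TGT 10 h, renewable for 7 d, service tickets 600 min.
$tgtHours  = if ($kerb.ContainsKey('MaxTicketAge')) { $kerb.MaxTicketAge } else { 10 }
$renewDays = if ($kerb.ContainsKey('MaxRenewAge'))  { $kerb.MaxRenewAge }  else { 7 }
"TGT lifetime: $tgtHours h (renewable for up to $renewDays d)"

# Tickets the session already holds are encrypted with the krbtgt or service
# key, not the user's password, so they remain usable until their end time.
# 'klist tgt' shows the TGT's start, end and renew-until times;
# 'klist purge' would drop the cache and force a fresh AS-REQ on next use.
klist tgt
```

Run this as a domain user on a domain-joined machine. The printed TGT lifetime is the upper bound on how long a user whose password was reset can keep using resources they have not yet contacted; resources they already hold a service ticket for stay reachable until that ticket's own end time.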



To explain further, it was the user's last day with the Firm and the departure was amicable. She decided to work back after normal office hours to finish some tasks with her manager's approval.

Her account password was reset at the end of the day as per policy.  The goal is to prevent remote access for that account.  We assumed the password reset would only affect new logons and therefore thought the user would be able to work on.  However later the same night they were unable to send emails and reported being locked out from their computer.

The ticket must have expired in the night, assuming the user came in during the day at 9:00 AM and logged into his system.

The AD (Kerberos) granted the user a ticket that was valid for 10 hours. After the ticket expires the ticket is renewed by default, but since the credentials were not valid the ticket was not renewed.



We use NTLM not Kerberos.  Does the same apply with NTLM?
Mike Thomas, Consultant (Top Expert 2010):

You use Kerberos and NTLM; IIRC Kerberos is the default first-try protocol, and if that fails NTLM will be used.

SaadAhmedFarooqui is right: if a user is logged in while their password is reset it will have no effect, and they will not notice until they need to re-authenticate, which may not be until their current ticket expires, they log off, or they need to authenticate to another system. Resetting passwords while users are logged in is not normal. Typically you should disable the account or configure the account to expire itself at a set date and time.
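The departure scenario in this thread (approved after-hours work, then no access from that point on) is what an account expiry plus a later disable is for. The following PowerShell is an added example, not code from the thread or from Experts Exchange; it assumes the RSAT ActiveDirectory module, and the account name jdoe and the 18:00 cutoff are placeholders.

```powershell
# Added example, not from the original thread: cut off a departing user's
# access at a set time using an account expiry and a disable, rather than a
# bare password reset that a live session does not notice.
# Assumptions: RSAT ActiveDirectory module installed; 'jdoe' and the 18:00
# cutoff are placeholders for the real account and agreed end of work.
param(
    [string]$SamAccountName = 'jdoe',
    [datetime]$Cutoff = (Get-Date).Date.AddHours(18)
)
Import-Module ActiveDirectory

# 1. Let approved work continue until the cutoff, after which the KDC refuses
#    new authentication for the account. Like a password reset, accountExpires
#    is checked on new logons/ticket requests only; an existing session and
#    the tickets it already holds are not torn down.
Set-ADAccountExpiration -Identity $SamAccountName -DateTime $Cutoff

# 2. Once the cutoff has passed, disable the account outright and rotate the
#    password so that nothing cached or written down can be replayed later.
if ((Get-Date) -ge $Cutoff) {
    Disable-ADAccount -Identity $SamAccountName

    $random = -join ((33..126) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
    Set-ADAccountPassword -Identity $SamAccountName -Reset `
        -NewPassword (ConvertTo-SecureString -String $random -AsPlainText -Force)
}

# 3. Verify the resulting state of the account.
Get-ADUser -Identity $SamAccountName -Properties Enabled, AccountExpirationDate, PasswordLastSet |
    Select-Object SamAccountName, Enabled, AccountExpirationDate, PasswordLastSet
```

Run it once before the cutoff to set the expiry and again after it to disable and rotate. If access has to end immediately rather than at the next authentication, the directory change alone is not enough: the live session on the workstation, any VPN or Outlook Web Access session, and any held Kerberos tickets must be ended at their own endpoints as well.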
