Solved

Server 2008 R2 Active Directory

Posted on 2013-06-11
Last Modified: 2013-06-11
I have an internal application which links with AD for the password, and I'm finding that when the password expires in the middle of the day this causes problems. Is there a way to always make the password expire at midnight regardless of when the user changes it? Say they set it today (6/11/2013) at 11:05am and the system then sets the password to expire three months down the road at 9/11/2013 at 11:05am. I would prefer the password actually be set to expire at 9/11/2013 at midnight.

What I'm finding is the users wait till the last minute to change their password and then they can't log into our internal app or Exchange in the middle of the day because the system has expired their password in the middle of the day.

Thanks.

Joel T Brown
Question by:jtbrown1111
4 Comments
 
LVL 5

Expert Comment

by:peter197911
ID: 39239492
I don't have a proper answer to your question.

Part of the problem: users should change their password.
I think you can use this example to show the company the importance of changing your password when Windows asks for it.

And the users will have the problems themselves....
0
 

Author Comment

by:jtbrown1111
ID: 39239539
@peter197911, I would totally agree with you, but as a single support for 110 staff of which 22 are doctors it's sometimes easier to put things in place that make "MY" life easier when you can't force others to do what they should.

Thanks.

Joel
0
 
LVL 5

Accepted Solution

by:
peter197911 earned 500 total points
ID: 39239583
Copy paste from another site:

Windows simply doesn't support the concept of a "password expiry time" that applies globally. You also cannot set the time, except to say it is expired now, or that it was just changed. However, what you could do is write a script using command-line AD tools or PowerShell that runs nightly: it can query AD for users with passwords due to expire in less than 24h (pwdLastSet is older than one day less than your password max age days), and set it to -1 (the password is expired). This would avoid extending password life unintentionally, and also avoid midday password expiration.

So, for example on Monday, check what passwords are going to expire in the next 5 days.
Set the expire status on "-1".

Users will be asked in the morning that they have to change their password.

Run this script once per week and you're done...
0
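The nightly job described in the accepted answer, as an added PowerShell example (not code from the original post or the site it quotes). It reads the computed expiry time and uses `Set-ADUser -ChangePasswordAtLogon`, which writes pwdLastSet as 0 so the user must change the password at next logon; the OU path and the 24-hour window are assumed placeholders.

```powershell
# Added example: flag accounts whose password would expire during the coming
# day, so the change is forced at the morning logon instead of mid-day.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$HoursAhead = 24,                                 # assumption: job runs around midnight
    [string]$SearchBase = 'OU=Staff,DC=example,DC=local'   # placeholder OU, replace with your own
)

Import-Module ActiveDirectory

$now    = Get-Date
$cutoff = $now.AddHours($HoursAhead)
$never  = [Int64]::MaxValue   # returned when no expiry applies to the account

# msDS-UserPasswordExpiryTimeComputed is calculated by the domain controller
# from pwdLastSet and the password policy that applies to the user.
$users = Get-ADUser -SearchBase $SearchBase `
    -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties 'msDS-UserPasswordExpiryTimeComputed'

foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'

    # Skip: null (not readable), 0 (already must change), MaxValue (never expires)
    if (-not $raw -or $raw -eq $never) { continue }

    $expires = [DateTime]::FromFileTime($raw)   # FILETIME -> local DateTime

    # Only act on passwords that are still valid now but lapse inside the window
    if ($expires -gt $now -and $expires -le $cutoff) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Require password change at next logon")) {
            Set-ADUser -Identity $u -ChangePasswordAtLogon $true
            Write-Output ("{0} flagged; would have expired {1:u}" -f $u.SamAccountName, $expires)
        }
    }
}
```

Run it with `-WhatIf` first to list the accounts it would touch, then schedule it nightly under an account delegated to reset the password flag on that OU.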
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39239600
You won't be able to do this as you can't modify pwdLastSet. I feel your pain and have some possible workarounds.

1. Use fine-grained passwords (FGPP) to set the Dr/VIP/biggest complainers to expire less frequently. Maybe if your policy is every 90 days use a FGPP for 180 days for them.

2. This way is not recommended, but set their passwords to never expire on their AD account... again, not recommended.

Thanks

Mike
0
