Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 385
  • Last Modified:

Users logging on to domain accounts with current password despite "User must change password at next logon" flag

Hey folks,

After flagging multiple domain user accounts with the "User must change password at next logon" flag in Active Directory Users and Computers, hours later upon logging in a percentage of them are still able to login using their locally cached password credentials.  Upon logging in, they are soon afterwards prompted with a popup asking them to log in with their current credentials (see embedded image).

current credential request
INFO:

*All computers are attached via ethernet cable to the internal network
*All computer accounts and user accounts are in good/equivalent standing on our network, with the same memberships

Frankly, I'm stumped.  How can we ensure that the "must change password" flag snags all of our users before logging on, and not just some?

Thanks.
0
Demolay
Asked:
Demolay
1 Solution
 
David Johnson, CD, MVPOwnerCommented:
a percentage of them are still able to login using their locally cached password credentials  That means that they don't have access to the domain controller during the logon phase which they NEED to have..
0
 
DemolayAuthor Commented:
"That means that they don't have access to the domain controller during the logon phase which they NEED to have.. "

The machines are attached directly to our internal network (and can be seen, for instance, from the domain controller via management tools or pinging) and have this issue despite that.
0
 
David Johnson, CD, MVPOwnerCommented:
When the machine boots up the network is not ready and they are logging on before the network is stable and authenicating with a domain controller and the machine is using the cached credentials.

Add a Group Policy
Computer Configuration|Administrative Templates|System|Logon|Always wait for the network at computer startup and logon

gpupdate /force
0
Free recovery tool for Microsoft Active Directory

Veeam Explorer for Microsoft Active Directory provides fast and reliable object-level recovery for Active Directory from a single-pass, agentless backup or storage snapshot — without the need to restore an entire virtual machine or use third-party tools.

 
DemolayAuthor Commented:
That's definitely a solution, but shouldn't a 30 minute window (or a 2 hour window) be enough for the client nodes to communicate automatically with the domain controller?  Is there something I can enter on the command line to "synchronize" the DC with the client computers in terms of account credentials?
0
 
McKnifeCommented:
I've seen this problem before. Back then, it was a problem with client security software that simply changed the client-server communication only after logon.
So for a test, uninstall your AV/firewall software if present and reboot. Also update your NIC drivers.
0
 
titan123Commented:
There are some scripts that are help full at this case...

Please have a look at this scripts...

http://gallery.technet.microsoft.com/scriptcenter/7e44bd45-f49f-4e47-ae00-b18f544e478f

Moreover a same thread as compared to your thread..

http://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/6074518c-354b-495c-8ec2-b53eeb38a884/forcing-user-to-change-password-on-next-logon

Thanks.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now