Solved

Users logging on to domain accounts with current password despite "User must change password at next logon" flag

Posted on 2013-06-26
7
378 Views
Last Modified: 2014-07-31
Hey folks,

After flagging multiple domain user accounts with the "User must change password at next logon" flag in Active Directory Users and Computers, hours later upon logging in a percentage of them are still able to login using their locally cached password credentials.  Upon logging in, they are soon afterwards prompted with a popup asking them to log in with their current credentials (see embedded image).

current credential request
INFO:

*All computers are attached via ethernet cable to the internal network
*All computer accounts and user accounts are in good/equivalent standing on our network, with the same memberships

Frankly, I'm stumped.  How can we ensure that the "must change password" flag snags all of our users before logging on, and not just some?

Thanks.
0
Comment
Question by:Demolay
7 Comments
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 39278192
a percentage of them are still able to login using their locally cached password credentials  That means that they don't have access to the domain controller during the logon phase which they NEED to have..
0
 

Author Comment

by:Demolay
ID: 39278220
"That means that they don't have access to the domain controller during the logon phase which they NEED to have.. "

The machines are attached directly to our internal network (and can be seen, for instance, from the domain controller via management tools or pinging) and have this issue despite that.
0
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 39278255
When the machine boots up the network is not ready and they are logging on before the network is stable and authenicating with a domain controller and the machine is using the cached credentials.

Add a Group Policy
Computer Configuration|Administrative Templates|System|Logon|Always wait for the network at computer startup and logon

gpupdate /force
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 

Author Comment

by:Demolay
ID: 39278405
That's definitely a solution, but shouldn't a 30 minute window (or a 2 hour window) be enough for the client nodes to communicate automatically with the domain controller?  Is there something I can enter on the command line to "synchronize" the DC with the client computers in terms of account credentials?
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39279994
I've seen this problem before. Back then, it was a problem with client security software that simply changed the client-server communication only after logon.
So for a test, uninstall your AV/firewall software if present and reboot. Also update your NIC drivers.
0
 
LVL 2

Accepted Solution

by:
titan123 earned 500 total points
ID: 39289251
There are some scripts that are help full at this case...

Please have a look at this scripts...

http://gallery.technet.microsoft.com/scriptcenter/7e44bd45-f49f-4e47-ae00-b18f544e478f

Moreover a same thread as compared to your thread..

http://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/6074518c-354b-495c-8ec2-b53eeb38a884/forcing-user-to-change-password-on-next-logon

Thanks.
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question