Solved

Users logging on to domain accounts with current password despite "User must change password at next logon" flag

Posted on 2013-06-26
7
375 Views
Last Modified: 2014-07-31
Hey folks,

After flagging multiple domain user accounts with the "User must change password at next logon" flag in Active Directory Users and Computers, hours later upon logging in a percentage of them are still able to login using their locally cached password credentials.  Upon logging in, they are soon afterwards prompted with a popup asking them to log in with their current credentials (see embedded image).

current credential request
INFO:

*All computers are attached via ethernet cable to the internal network
*All computer accounts and user accounts are in good/equivalent standing on our network, with the same memberships

Frankly, I'm stumped.  How can we ensure that the "must change password" flag snags all of our users before logging on, and not just some?

Thanks.
0
Comment
Question by:Demolay
7 Comments
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 39278192
a percentage of them are still able to login using their locally cached password credentials  That means that they don't have access to the domain controller during the logon phase which they NEED to have..
0
 

Author Comment

by:Demolay
ID: 39278220
"That means that they don't have access to the domain controller during the logon phase which they NEED to have.. "

The machines are attached directly to our internal network (and can be seen, for instance, from the domain controller via management tools or pinging) and have this issue despite that.
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 39278255
When the machine boots up the network is not ready and they are logging on before the network is stable and authenicating with a domain controller and the machine is using the cached credentials.

Add a Group Policy
Computer Configuration|Administrative Templates|System|Logon|Always wait for the network at computer startup and logon

gpupdate /force
0
 

Author Comment

by:Demolay
ID: 39278405
That's definitely a solution, but shouldn't a 30 minute window (or a 2 hour window) be enough for the client nodes to communicate automatically with the domain controller?  Is there something I can enter on the command line to "synchronize" the DC with the client computers in terms of account credentials?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39279994
I've seen this problem before. Back then, it was a problem with client security software that simply changed the client-server communication only after logon.
So for a test, uninstall your AV/firewall software if present and reboot. Also update your NIC drivers.
0
 
LVL 2

Accepted Solution

by:
titan123 earned 500 total points
ID: 39289251
There are some scripts that are help full at this case...

Please have a look at this scripts...

http://gallery.technet.microsoft.com/scriptcenter/7e44bd45-f49f-4e47-ae00-b18f544e478f

Moreover a same thread as compared to your thread..

http://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/6074518c-354b-495c-8ec2-b53eeb38a884/forcing-user-to-change-password-on-next-logon

Thanks.
0

Join & Write a Comment

Citrix XenApp, Internet Explorer 11 set to Enterprise Mode and using central hosted sites.xml file.
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now