Solved

Users logging on to domain accounts with current password despite "User must change password at next logon" flag

Posted on 2013-06-26
7
380 Views
Last Modified: 2014-07-31
Hey folks,

After flagging multiple domain user accounts with the "User must change password at next logon" flag in Active Directory Users and Computers, hours later upon logging in a percentage of them are still able to login using their locally cached password credentials.  Upon logging in, they are soon afterwards prompted with a popup asking them to log in with their current credentials (see embedded image).

current credential request
INFO:

*All computers are attached via ethernet cable to the internal network
*All computer accounts and user accounts are in good/equivalent standing on our network, with the same memberships

Frankly, I'm stumped.  How can we ensure that the "must change password" flag snags all of our users before logging on, and not just some?

Thanks.
0
Comment
Question by:Demolay
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 39278192
a percentage of them are still able to login using their locally cached password credentials  That means that they don't have access to the domain controller during the logon phase which they NEED to have..
0
 

Author Comment

by:Demolay
ID: 39278220
"That means that they don't have access to the domain controller during the logon phase which they NEED to have.. "

The machines are attached directly to our internal network (and can be seen, for instance, from the domain controller via management tools or pinging) and have this issue despite that.
0
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 39278255
When the machine boots up the network is not ready and they are logging on before the network is stable and authenicating with a domain controller and the machine is using the cached credentials.

Add a Group Policy
Computer Configuration|Administrative Templates|System|Logon|Always wait for the network at computer startup and logon

gpupdate /force
0
Turn Insights Into Action

You’ve already invested in ITSM tools, chat applications, automation utilities, and more. Fortify these solutions with intelligent communications so you can drive business processes forward.

With xMatters, you'll never miss a beat.

 

Author Comment

by:Demolay
ID: 39278405
That's definitely a solution, but shouldn't a 30 minute window (or a 2 hour window) be enough for the client nodes to communicate automatically with the domain controller?  Is there something I can enter on the command line to "synchronize" the DC with the client computers in terms of account credentials?
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39279994
I've seen this problem before. Back then, it was a problem with client security software that simply changed the client-server communication only after logon.
So for a test, uninstall your AV/firewall software if present and reboot. Also update your NIC drivers.
0
 
LVL 2

Accepted Solution

by:
titan123 earned 500 total points
ID: 39289251
There are some scripts that are help full at this case...

Please have a look at this scripts...

http://gallery.technet.microsoft.com/scriptcenter/7e44bd45-f49f-4e47-ae00-b18f544e478f

Moreover a same thread as compared to your thread..

http://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/6074518c-354b-495c-8ec2-b53eeb38a884/forcing-user-to-change-password-on-next-logon

Thanks.
0

Featured Post

Turn Insights into Action

Communication across every corner of your business is essential to increase the velocity of your application delivery and support pipeline. Automate, standardize, and contextualize your communication processes with xMatters.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question