Users logging on to domain accounts with current password despite "User must change password at next logon" flag

Hey folks,

After flagging multiple domain user accounts with the "User must change password at next logon" flag in Active Directory Users and Computers, hours later upon logging in a percentage of them are still able to login using their locally cached password credentials.  Upon logging in, they are soon afterwards prompted with a popup asking them to log in with their current credentials (see embedded image).

current credential request
INFO:

*All computers are attached via ethernet cable to the internal network
*All computer accounts and user accounts are in good/equivalent standing on our network, with the same memberships

Frankly, I'm stumped.  How can we ensure that the "must change password" flag snags all of our users before logging on, and not just some?

Thanks.
DemolayAsked:
Who is Participating?
 
titan123Commented:
There are some scripts that are help full at this case...

Please have a look at this scripts...

http://gallery.technet.microsoft.com/scriptcenter/7e44bd45-f49f-4e47-ae00-b18f544e478f

Moreover a same thread as compared to your thread..

http://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/6074518c-354b-495c-8ec2-b53eeb38a884/forcing-user-to-change-password-on-next-logon

Thanks.
0
 
David Johnson, CD, MVPOwnerCommented:
a percentage of them are still able to login using their locally cached password credentials  That means that they don't have access to the domain controller during the logon phase which they NEED to have..
0
 
DemolayAuthor Commented:
"That means that they don't have access to the domain controller during the logon phase which they NEED to have.. "

The machines are attached directly to our internal network (and can be seen, for instance, from the domain controller via management tools or pinging) and have this issue despite that.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
David Johnson, CD, MVPOwnerCommented:
When the machine boots up the network is not ready and they are logging on before the network is stable and authenicating with a domain controller and the machine is using the cached credentials.

Add a Group Policy
Computer Configuration|Administrative Templates|System|Logon|Always wait for the network at computer startup and logon

gpupdate /force
0
 
DemolayAuthor Commented:
That's definitely a solution, but shouldn't a 30 minute window (or a 2 hour window) be enough for the client nodes to communicate automatically with the domain controller?  Is there something I can enter on the command line to "synchronize" the DC with the client computers in terms of account credentials?
0
 
McKnifeCommented:
I've seen this problem before. Back then, it was a problem with client security software that simply changed the client-server communication only after logon.
So for a test, uninstall your AV/firewall software if present and reboot. Also update your NIC drivers.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.