Solved

SBS 2011 - Enforcing remote user password policy

Posted on 2013-07-01
Last Modified: 2013-10-22
We are just about to enforce a simple password policy of 'must change password at next login'.
For network users this is no problem.
However, half our staff work remotely and it may be several weeks before they get to log in at Head Office again.
If I enforce the rule in AD for the next login, how will it affect them?
Can I just get them to CTRL+Alt+Delete and 'Change Password'?

We are running Windows SBS 2011. There are no VPN or Terminal server connections.
The remote users are on a mixture of XP and Windows 7 laptops and iPhones.
80% use their laptops and Outlook connecting to Exchange using HTTP.
10% use their laptops and Outlook Web Access.
10% use iPhones.

The laptop users still log in to the OurDomain rather than Local Machine when logging into their laptops. This has the added benefit of being able to open our SharePoint site without having to log in again.
How will the password change affect this?

Thanks for your time.
Question by:NELMO
 
LVL 41

Expert Comment

by:Amit
ID: 39290655
If they log in to the domain, the new GPO will take effect, or you can ask the user to run gpupdate /force.

Run rsop.msc to confirm the result.
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 39291042
I wouldn't implement a password policy like this. The way that your users log in will mean they will get kicked out with no means to change their password. If you have no VPN then their password will expire on the network and generally make a mess.

Are you planning to make them change their passwords regularly? If so you will need a VPN so the machine level account can be changed. I would also enable the option to allow an expired password to be reset through OWA so that there is a second option if the user gets locked out by an expired password.

Simon.
 

Author Comment

by:NELMO
ID: 39309707
sembee2

I would want them to change their passwords every 6 months and would rather not go through all the complexity of setting up VPN connections for these remote users.

The second option (OWA) looks like it could be the solution; many use OWA as they get connected to their inbox quicker than waiting for Outlook over HTTP to load.
Is enabling the option to allow password reset through OWA a global setting?
Where do I access it?
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39309861
You will need to use a fine grained password policy for those users.
This is the long way of doing it:
http://www.msserverpro.com/configuring-fine-grained-password-policies-in-windows-server-2008-r2/

However there is a tool to do it for you, which is available here:
http://blogs.chrisse.se/quick-start-guide-for-fine-grain-password-policy-tool/
(Download link at the top of the page).

Change password through OWA is a global setting, as it is applied to Exchange.
http://technet.microsoft.com/en-us/library/bb684904(v=exchg.141).aspx

However if they have machines that are members of the domain, then my previous advice about using a VPN still stands.

Simon.
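A sketch of the fine-grained policy route combined with the six-month interval asked for above, added here as an example and not taken from any post in this thread. It assumes the ActiveDirectory PowerShell module on the server, a domain functional level that supports fine-grained policies, and a global security group for the remote staff; the group name, policy name and password settings are constructed sample values. The report at the end lists members whose passwords are close to expiry, so they can be told to change them through OWA before they are locked out.

```powershell
Import-Module ActiveDirectory

# Hypothetical names and thresholds: substitute your own.
$GroupName  = 'Remote Users'       # global security group holding the remote staff
$PolicyName = 'RemoteUsers-180d'
$WarnDays   = 14                   # report passwords expiring within this many days

# A fine-grained policy replaces the whole domain password policy for its
# subjects, so every setting that matters is stated explicitly (sample values).
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PolicyName -Precedence 10 `
        -MaxPasswordAge (New-TimeSpan -Days 180) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MinPasswordLength 8 -PasswordHistoryCount 12 -ComplexityEnabled $true
    Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $GroupName
}

# msDS-UserPasswordExpiryTimeComputed already takes the effective policy
# (fine-grained or domain) into account for each user.
$now = Get-Date
Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties 'msDS-UserPasswordExpiryTimeComputed', mail |
    Where-Object { $_.Enabled } |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        if ($raw -eq [Int64]::MaxValue) { return }   # password never expires: skip

        # 0 means a change is already required (for example "change at next logon").
        $days = 0
        if ($raw -gt 0) {
            $days = [math]::Floor(([datetime]::FromFileTime($raw) - $now).TotalDays)
        }
        if ($days -le $WarnDays) {
            $_ | Select-Object SamAccountName, mail, @{ n = 'DaysLeft'; e = { $days } }
        }
    } |
    Sort-Object DaysLeft |
    Format-Table -AutoSize
```

A negative DaysLeft means the password has already expired on the domain while the laptop may still accept the cached one.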
 

Author Closing Comment

by:NELMO
ID: 39590588
The OWA route works for us. Although not actually 'enforcing' it is a step along the way to keep reminding everyone about security.

Sorry I'm so late replying. I implemented this quite soon after your answer and I haven't been on this site since.