Solved

SBS 2011 - Enforcing remote user password policy

Posted on 2013-07-01
Last Modified: 2013-10-22
We are just about to enforce a simple password policy of 'must change password at next login'.
For network users this is no problem.
However, half our staff work remotely and it may be several weeks before they get to log in at Head Office again.
If I enforce the rule in AD for the next login, how will it affect them?
Can I just get them to CTRL+Alt+Delete and 'Change Password'?

We are running Windows SBS 2011. There are no VPN or Terminal server connections.
The remote users are on a mixture of XP and Windows 7 laptops and iPhones.
80% use their laptops and Outlook connecting to Exchange using HTTP.
10% use their laptops and Outlook Web Access.
10% use iPhones.

The laptop users still log in to OurDomain rather than Local Machine when logging into their laptops. This has the added benefit of being able to open our SharePoint site without having to log in again.
How will the password change affect this?

Thanks for your time.
0
Question by:NELMO
5 Comments
 
LVL 43

Expert Comment

by:Amit
ID: 39290655
If they are logging in to the domain, the new GPO will take effect, or you can ask the user to run gpupdate /force.

Run rsop.msc to confirm the result.
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 39291042
I wouldn't implement a password policy like this. The way that your users log in will mean they will get kicked out with no means to change their password. If you have no VPN then their password will expire on the network and generally make a mess.

Are you planning to make them change their passwords regularly? If so you will need a VPN so the machine level account can be changed. I would also enable the option to allow an expired password to be reset through OWA so that there is a second option if the user gets locked out by an expired password.

Simon.
0
 

Author Comment

by:NELMO
ID: 39309707
sembee2

I would want them to change their passwords every 6 months and would rather not go through all the complexity of setting up VPN connections for these remote users.

The second option (OWA) looks like it could be the solution; many use OWA as they get connected to their inbox quicker than waiting for Outlook over HTTP to load.
Is enabling the option to allow password reset through OWA a global setting?
Where do I access it?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39309861
You will need to use a fine grained password policy for those users.
This is the long way of doing it:
http://www.msserverpro.com/configuring-fine-grained-password-policies-in-windows-server-2008-r2/

However there is a tool to do it for you, which is available here:
http://blogs.chrisse.se/quick-start-guide-for-fine-grain-password-policy-tool/
(Download link at the top of the page).

Change password through OWA is a global setting, as it is applied to Exchange.
http://technet.microsoft.com/en-us/library/bb684904(v=exchg.141).aspx

However if they have machines that are members of the domain, then my previous advice about using a VPN still stands.

Simon.
0
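The fine-grained policy suggested above, together with a report of accounts close to expiry so remote users can be prompted to change their password through OWA before it lapses, as an added example that is not part of the original thread. The policy name, the group name and every policy value other than the 180-day maximum age (the six months the asker mentions) are assumptions.

```powershell
# Added example; assumes the ActiveDirectory module is available on the server.
Import-Module ActiveDirectory

$policyName = 'RemoteUsers-PSO'   # hypothetical policy name
$groupName  = 'Remote Users'      # hypothetical global security group of remote staff
$warnDays   = 14                  # illustrative reminder window

# 1. Create the fine-grained policy once and apply it to the group.
#    Only the 180-day maximum age comes from the thread; the rest is illustrative.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $policyName -Precedence 10 `
        -MaxPasswordAge (New-TimeSpan -Days 180) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MinPasswordLength 8 -PasswordHistoryCount 12 `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $groupName
}

# 2. Report members whose password expires within $warnDays, so they can be
#    reminded while they can still change it themselves.
$now = Get-Date
Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties 'msDS-UserPasswordExpiryTimeComputed', PasswordNeverExpires, mail |
    Where-Object { $_.Enabled -and -not $_.PasswordNeverExpires } |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        if ($raw -eq [Int64]::MaxValue) { return }   # no expiry applies to this account
        # 0 means "must change at next logon": treat it as already due.
        $expires = if ($raw -eq 0) { $now } else { [DateTime]::FromFileTime($raw) }
        [pscustomobject]@{
            User     = $_.SamAccountName
            Mail     = $_.mail
            Expires  = $expires
            DaysLeft = [int][Math]::Floor(($expires - $now).TotalDays)
        }
    } |
    Where-Object { $_.DaysLeft -le $warnDays } |
    Sort-Object DaysLeft |
    Format-Table -AutoSize

# 3. Confirm which policy actually applies to one account (empty output means
#    the default domain policy is in effect). 'jsmith' is a placeholder name.
Get-ADUserResultantPasswordPolicy -Identity 'jsmith'
```

Fine-grained password policies require the Windows Server 2008 domain functional level or higher and apply only to users and global security groups, not to OUs.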
 

Author Closing Comment

by:NELMO
ID: 39590588
The OWA route works for us. Although not actually 'enforcing' it is a step along the way to keep reminding everyone about security.

Sorry I'm so late replying. I implemented this quite soon after your answer and I haven't been on this site since.
0
