Solved

SBS 2011 - Enforcing remote user password policy

Posted on 2013-07-01
Last Modified: 2013-10-22
We are just about to enforce a simple password policy of 'must change password at next login'.
For network users this is no problem.
However, half our staff work remotely and it may be several weeks before they get to log in at Head Office again.
If I enforce the rule in AD for the next login, how will it affect them?
Can I just get them to CTRL+Alt+Delete and 'Change Password'?

We are running Windows SBS 2011. There are no VPN or Terminal server connections.
The remote users are on a mixture of XP and Windows 7 laptops and iPhones.
80% use their laptops and Outlook connecting to Exchange using HTTP.
10% use their laptops and Outlook Web Access.
10% use iPhones.

The laptop users still log in to OurDomain rather than Local Machine when logging into their laptops. This has the added benefit of being able to open our SharePoint site without having to log in again.
How will the password change affect this?

Thanks for your time.
Question by:NELMO
LVL 41

Expert Comment

by:Amit
If they are logging in to the domain, the new GPO will take effect, or you can ask the user to run gpupdate /force.

Run rsop.msc to confirm the result.
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
I wouldn't implement a password policy like this. The way that your users log in will mean they will get kicked out with no means to change their password. If you have no VPN then their password will expire on the network and generally make a mess.

Are you planning to make them change their passwords regularly? If so you will need a VPN so the machine level account can be changed. I would also enable the option to allow an expired password to be reset through OWA so that there is a second option if the user gets locked out by an expired password.

Simon.
Author Comment

by:NELMO
sembee2

I would want them to change their passwords every 6 months and would rather not go through all the complexity of setting up VPN connections for these remote users.

The second option (OWA) looks like it could be the solution; many use OWA as they get connected to their inbox quicker than waiting for Outlook over HTTP to load.
Is the option to allow password reset through OWA a global setting?
Where do I access it?
LVL 63

Expert Comment

by:Simon Butler (Sembee)
You will need to use a fine grained password policy for those users.
This is the long way of doing it:
http://www.msserverpro.com/configuring-fine-grained-password-policies-in-windows-server-2008-r2/

However there is a tool to do it for you, which is available here:
http://blogs.chrisse.se/quick-start-guide-for-fine-grain-password-policy-tool/
(Download link at the top of the page).

Change password through OWA is a global setting, as it is applied to Exchange.
http://technet.microsoft.com/en-us/library/bb684904(v=exchg.141).aspx

However if they have machines that are members of the domain, then my previous advice about using a VPN still stands.

Simon.
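
The fine-grained password policy mentioned in the comment above can also be created with the ActiveDirectory PowerShell module on a Windows Server 2008 R2 domain controller. This is an added example, not part of the original thread and not the linked tool; the group name, policy name, reminder window and every policy value except the six-month maximum age are assumptions. It also lists the group members whose passwords are close to expiry, so remote staff can be reminded to change them through OWA before they lapse.

```powershell
# Added example: values marked "hypothetical" do not come from the thread.
Import-Module ActiveDirectory

$groupName  = 'Remote Users'        # hypothetical security group holding off-site staff
$policyName = 'RemoteUsers-180Day'  # hypothetical policy (PSO) name
$warnDays   = 14                    # hypothetical reminder window, in days

# Create the policy once and link it to the group. Fine-grained policies
# need the Windows Server 2008 domain functional level or higher.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $policyName -Precedence 10 `
        -MaxPasswordAge (New-TimeSpan -Days 180) `
        -MinPasswordLength 8 -PasswordHistoryCount 12 `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $groupName
}

# msDS-UserPasswordExpiryTimeComputed is a file time with two sentinels:
# 0 = password must be changed at next logon, Int64 max = never expires.
$never  = [Int64]::MaxValue
$cutoff = (Get-Date).AddDays($warnDays)

$report = Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties 'msDS-UserPasswordExpiryTimeComputed', mail |
    ForEach-Object {
        $raw     = $_.'msDS-UserPasswordExpiryTimeComputed'
        $expires = $null
        if     ($raw -eq 0)      { $state = 'Must change at next logon' }
        elseif ($raw -eq $never) { $state = 'Never expires' }
        else {
            $expires = [datetime]::FromFileTime($raw)
            if     ($expires -lt (Get-Date)) { $state = 'Expired' }
            elseif ($expires -le $cutoff)    { $state = 'Expiring soon' }
            else                             { $state = 'OK' }
        }
        New-Object PSObject -Property @{
            User = $_.SamAccountName; Mail = $_.mail
            Expires = $expires; State = $state
        }
    }

# Show only the accounts that need attention, soonest expiry first.
$report | Where-Object { $_.State -ne 'OK' } |
    Sort-Object Expires | Format-Table User, Mail, Expires, State -AutoSize
```

`Get-ADUserResultantPasswordPolicy -Identity <user>` confirms which policy actually applies to a given account after the group link is made.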

Author Closing Comment

by:NELMO
The OWA route works for us. Although not actually 'enforcing' it is a step along the way to keep reminding everyone about security.

Sorry I'm so late replying. I implemented this quite soon after your answer and I haven't been on this site since.