Solved

SBS 2011 - Enforcing remote user password policy

Posted on 2013-07-01
Last Modified: 2013-10-22
We are just about to enforce a simple password policy of 'must change password at next login'.
For network users this is no problem.
However half our staff work remotely and it may be several weeks before they get to login at Head Office again.
If I enforce the rule in AD for the next login, how will it affect them?
Can I just get them to CTRL+Alt+Delete and 'Change Password'?

We are running Windows SBS 2011. There are no VPN or Terminal server connections.
The remote users are on a mixture of XP and Windows 7 laptops and iPhones.
80% use their laptops and Outlook connecting to Exchange using HTTP.
10% use their laptops and Outlook Web Access.
10% use iPhones.

The laptop users still log in to the OurDomain rather than Local Machine when logging into their laptops. This has the added benefit of being able to open our SharePoint site without having to log in again.
How will the password change affect this?

Thanks for your time.
Question by:NELMO
5 Comments
 
LVL 44

Expert Comment

by:Amit
ID: 39290655
If they log in to the domain, the new GPO will take effect, or you can ask the user to run gpupdate /force

Run rsop.msc to confirm the result.
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 2000 total points
ID: 39291042
I wouldn't implement a password policy like this. The way that your users login will mean they will get kicked out with no means to change their password. If you have no VPN then their password will expire on the network and generally make a mess.

Are you planning to make them change their passwords regularly? If so you will need a VPN so the machine level account can be changed. I would also enable the option to allow an expired password to be reset through OWA so that there is a second option if the user gets locked out by an expired password.

Simon.
0
 

Author Comment

by:NELMO
ID: 39309707
sembee2

I would want them to change their passwords every 6 months and would rather not go through all the complexity of setting up VPN connections for these remote users.

The second option (OWA) looks like it could be the solution; many use OWA as they get connected to their inbox quicker than waiting for Outlook over HTTP to load.
Is enabling the option to allow password reset through OWA a global setting?
Where do I access it?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39309861
You will need to use a fine grained password policy for those users.
This is the long way of doing it:
http://www.msserverpro.com/configuring-fine-grained-password-policies-in-windows-server-2008-r2/

However there is a tool to do it for you, which is available here:
http://blogs.chrisse.se/quick-start-guide-for-fine-grain-password-policy-tool/
(Download link at the top of the page).

Change password through OWA is a global setting, as it is applied to Exchange.
http://technet.microsoft.com/en-us/library/bb684904(v=exchg.141).aspx

However if they have machines that are members of the domain, then my previous advice about using a VPN still stands.

Simon.
0
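The two settings named in the answer above, sketched in PowerShell as an added example that is not part of Simon's post. The group name, policy name, minimum length and 14-day warning window are assumptions; the 180-day maximum age stands in for the six months the asker mentions, and the registry value is the one Microsoft documents for Exchange 2010 SP1 and later.

```powershell
# Added example. Run in an elevated shell on the SBS 2011 server
# (domain functional level must be Windows Server 2008 or higher).
Import-Module ActiveDirectory

$group  = 'Remote Users'      # hypothetical security group holding the remote staff
$policy = 'RemoteUsersPSO'    # hypothetical policy name

# Fine-grained password policy applied only to the remote users group.
New-ADFineGrainedPasswordPolicy -Name $policy -Precedence 10 `
    -MaxPasswordAge (New-TimeSpan -Days 180) `
    -MinPasswordLength 8 -ComplexityEnabled $true
Add-ADFineGrainedPasswordPolicySubject -Identity $policy -Subjects $group

# Exchange-wide switch: let OWA offer a change-password page to a user
# whose password has expired or must be changed at next logon.
$owaKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'
New-ItemProperty -Path $owaKey -Name 'ChangeExpiredPasswordEnabled' `
    -PropertyType DWord -Value 1 -Force | Out-Null
iisreset /noforce

$members = Get-ADGroupMember $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

# Check which policy wins per user. No output for a user means the
# default domain policy applies instead of the fine-grained one.
$members | ForEach-Object {
    Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
} | Select-Object Name, MaxPasswordAge -Unique

# List users whose password expires within 14 days, so they can be told
# to change it through OWA before they are locked out remotely.
$cutoff = (Get-Date).AddDays(14)
$members |
    Get-ADUser -Properties 'msDS-UserPasswordExpiryTimeComputed' |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # 0 = must change at next logon, Int64 max = never expires
        if ($raw -gt 0 -and $raw -lt [Int64]::MaxValue) {
            $expires = [DateTime]::FromFileTime($raw)
            if ($expires -le $cutoff) {
                New-Object PSObject -Property @{
                    User = $_.SamAccountName; Expires = $expires }
            }
        }
    }
```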
 

Author Closing Comment

by:NELMO
ID: 39590588
The OWA route works for us. Although not actually 'enforcing' it is a step along the way to keep reminding everyone about security.

Sorry I'm so late replying. I implemented this quite soon after your answer and I haven't been on this site since.
0
