Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1125
  • Last Modified:

SBS 2011 - Enforcing remote user password policy

We are just about to enforce a simple password policy of 'must change password at next login'.
For network users this is no problem.
However half our staff work remotely and it may be several weeks before they get to login at Head Office again.
If I enforce the rule in AD for the next login, how will it affect them?
Can I just get them to CTRL+Alt+Delete and 'Change Password'?

We are running Windows SBS 2011. There are no VPN or Terminal server connections.
The remote users are on a mixture of XP and Windows 7 laptops and iPhones.
80% use their laptops and Outlook connecting to Exchange using HTTP.
10% use their laptops and Outlook Web Access.
10% Use iPhones.

The laptop users still login to the OurDomain rather than Local Machine when logging into their laptops. this has the added benefit of being able to open our SharePoint site without having to login again.
How will the password change affect this?

Thanks for your time.
0
NELMO
Asked:
NELMO
  • 2
  • 2
1 Solution
 
AmitIT ArchitectCommented:
If they are login to domain, new gpo will take the effect, or you can ask use to run, gpupdate /force

run rsop.msc to confirm then result.
0
 
Simon Butler (Sembee)ConsultantCommented:
I wouldn't implement a password policy like this. The way that your users login will mean they will get kicked out with no means to change their password. If you have no VPN then their password will expire on the network and generally make a mess.

Are you planning to make them change their passwords regularly? If so you will need a VPN so the machine level account can be changed. I would also enable the option to allow an expired password to be reset through OWA so that there is a second option if the user gets locked out by an expired password.

Simon.
0
 
NELMOAuthor Commented:
sembee2

I would want them to change their passwords every 6 months and would rather not go through all the complexity of setting up VPN connections for these remote users.

The second option (OWA) looks like it could be the solution, many use OWA as they get connected to their inbox quicker then waiting for Outlook over HTTP to load.
Is the enable the option to allow password reset through OWA a global setting?
Where do I access it?
0
 
Simon Butler (Sembee)ConsultantCommented:
You will need to use a fine grained password policy for those users.
This is the long way of doing it:
http://www.msserverpro.com/configuring-fine-grained-password-policies-in-windows-server-2008-r2/

However there is a tool to do it for you, which is available here:
http://blogs.chrisse.se/quick-start-guide-for-fine-grain-password-policy-tool/
(Download link at the top of the page).

Change password through OWA is a global setting, as it is applied to Exchange.
http://technet.microsoft.com/en-us/library/bb684904(v=exchg.141).aspx

However if they have machines that are members of the domain, then my previous advice about using a VPN still stands.

Simon.
0
 
NELMOAuthor Commented:
The OWA route works for us. Although not actually 'enforcing' it is a step along the way to keep reminding everyone about security.

Sorry I'm so late replying. I implemented this quite soon after your answer and I haven't been on this site since.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now