Solved

Why am I getting a password expiration notice in OWA when the AD password is not due to expire for another 100 days or so?

Posted on 2015-01-07
5
239 Views
Last Modified: 2015-02-23
We recently implemented Fine Grain Password Policies so that we could have different policies for different users. We created two security groups - one for accounts that should have the policy and one for accounts that shouldn't have the policy. Passwords expire in 120 days. I have confirmed that security settings in the default domain policy are not defined.  (They are not defined in any other policy either but it is my understanding that the default domain policy takes precedence over all other policies which is why we needed to use FGPP.)

Approximately half of our users access their e-mail through Outlook Web Access. Some of these users are starting to see a notice in OWA that says their password is going to expire in 1 or 10 or 14 days but their network password is not set to expire for at least another 100 days. Why are they seeing this prompt?

In Exchange (2010) OWA is configured for integrated windows authentication using forms-based authentication with user name only. IIS has only Anonymous Authentication enabled which may be part of the problem but I want to be sure.

Any and all help appreciated!

Mary Pat Conroy
Information Systems Manager
0
Comment
Question by:Mary Pat Conroy
  • 3
  • 2
5 Comments
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40537743
You are right
FGPP are there to override default domain password policy
However, You have not set any password policy at domain level, this might be the cause you are getting password prompts from owa

Have you verified that FGPPs are configured correctly?
If FGPP settings are enforced on users, you can check with below PowerShell command on 2k8 R2 and above DC from AD PowerShell Module
Get-ADUserResultantPasswordPolicy username | fl

https://social.technet.microsoft.com/Forums/en-US/6d1e6442-eb0a-4d56-8261-fd722bccf50f/fgpp-vs-domain-policy?forum=winserverGP

You can try below.
1st ensure that users are part of those groups configured in FGPP
Set default password policy in default domain policy, reboot PDC server to take this effect.
After that check if any user is getting password prompt again from owa
0
 

Author Comment

by:Mary Pat Conroy
ID: 40538733
Hi, Mahesh!  Thanks for the reply.

I did verify that the FGPP is configured correctly using the PowerShell command you provided.  I also confirmed that the users are in the correct groups to apply/not apply the FGPP.

I have not, as yet, changed the default domain policy because I have accounts with passwords that should never expire.  Their accounts in AD are set to never expire but I would like to confirm that setting will override any expiration setting in the default domain policy.

Interestingly enough, my OWA account said my password was going to expire yesterday. I ignored it to see what would happen and I had no problem accessing network resources today so clearly the FGPP overrides the setting that OWA is getting and the message can basically be ignored.  

However, it appears that ActiveSync is getting the same expiration time that OWA gets and it is causing a huge problem with users who get email on their phones.  Their phones keep sending the password - which is correct - but ActiveSync sees it as expired and after the phone sends the password three times, the user's account gets locked!

I suspect that changing the default password policy will solve this issue as well so if you can confirm that the Never Expires setting overrides the default domain policy I will give that a try.

Thanks for you help!

Mary Pat
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40539553
If you set flag "Password never expires" in user account properties in AD, definitely it will override whatever set in default domain policy
That's how service accounts are configured in active directory

Since you want to apply FGPP to these user accounts, Note that in FGPP you need to set value of msDS-MaximumPasswordAge attribute to "(Never)" without Quotes.
This will ensure that password will never expires for those user accounts
0
 

Author Comment

by:Mary Pat Conroy
ID: 40540154
Thanks for the confirmation, Mahesh.  I suspected that to be the case but I have never had cause to test it before so I figured it was best to be sure! :)

FYI, I do not have an FGPP set up for the user accounts that don't expire. (I do put them in a separate group just in case I want to do so in the future.)  I only have one FGPP set up for the accounts I do want to apply password policies to and that policy only applies to only one group.  

I will change the default domain policy setting and let you know how I make out!  Thanks again for your help!

Mary Pat
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40540264
OK
In addition to above, In feature, If you want to apply FGPP for these non-expiring password users in case, make sure to set msDS-MaximumPasswordAge attribute to "(Never)" without Quotes in that FGPP, otherwise FGPP settings will might get overwritten.
0

Join & Write a Comment

Local Continuous Replication is a cost effective and quick way of backing up Exchange server data. The following article describes the steps required to configure Local Continuous Replication. Also, the article tells you how to restore from a backup…
Follow this checklist to learn more about the 15 things you should never include in an email signature from personal quotes, animated gifs and out-of-date marketing content.
In this video we show how to create a Distribution Group in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >>…
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now