• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 488
  • Last Modified:

Why am I getting a password expiration notice in OWA when the AD password is not due to expire for another 100 days or so?

We recently implemented Fine Grain Password Policies so that we could have different policies for different users. We created two security groups - one for accounts that should have the policy and one for accounts that shouldn't have the policy. Passwords expire in 120 days. I have confirmed that security settings in the default domain policy are not defined.  (They are not defined in any other policy either but it is my understanding that the default domain policy takes precedence over all other policies which is why we needed to use FGPP.)

Approximately half of our users access their e-mail through Outlook Web Access. Some of these users are starting to see a notice in OWA that says their password is going to expire in 1 or 10 or 14 days but their network password is not set to expire for at least another 100 days. Why are they seeing this prompt?

In Exchange (2010) OWA is configured for integrated windows authentication using forms-based authentication with user name only. IIS has only Anonymous Authentication enabled which may be part of the problem but I want to be sure.

Any and all help appreciated!

Mary Pat Conroy
Information Systems Manager
0
Mary Pat Conroy
Asked:
Mary Pat Conroy
  • 3
  • 2
1 Solution
 
MaheshArchitectCommented:
You are right
FGPP are there to override default domain password policy
However, You have not set any password policy at domain level, this might be the cause you are getting password prompts from owa

Have you verified that FGPPs are configured correctly?
If FGPP settings are enforced on users, you can check with below PowerShell command on 2k8 R2 and above DC from AD PowerShell Module
Get-ADUserResultantPasswordPolicy username | fl

https://social.technet.microsoft.com/Forums/en-US/6d1e6442-eb0a-4d56-8261-fd722bccf50f/fgpp-vs-domain-policy?forum=winserverGP

You can try below.
1st ensure that users are part of those groups configured in FGPP
Set default password policy in default domain policy, reboot PDC server to take this effect.
After that check if any user is getting password prompt again from owa
0
 
Mary Pat ConroyAuthor Commented:
Hi, Mahesh!  Thanks for the reply.

I did verify that the FGPP is configured correctly using the PowerShell command you provided.  I also confirmed that the users are in the correct groups to apply/not apply the FGPP.

I have not, as yet, changed the default domain policy because I have accounts with passwords that should never expire.  Their accounts in AD are set to never expire but I would like to confirm that setting will override any expiration setting in the default domain policy.

Interestingly enough, my OWA account said my password was going to expire yesterday. I ignored it to see what would happen and I had no problem accessing network resources today so clearly the FGPP overrides the setting that OWA is getting and the message can basically be ignored.  

However, it appears that ActiveSync is getting the same expiration time that OWA gets and it is causing a huge problem with users who get email on their phones.  Their phones keep sending the password - which is correct - but ActiveSync sees it as expired and after the phone sends the password three times, the user's account gets locked!

I suspect that changing the default password policy will solve this issue as well so if you can confirm that the Never Expires setting overrides the default domain policy I will give that a try.

Thanks for you help!

Mary Pat
0
 
MaheshArchitectCommented:
If you set flag "Password never expires" in user account properties in AD, definitely it will override whatever set in default domain policy
That's how service accounts are configured in active directory

Since you want to apply FGPP to these user accounts, Note that in FGPP you need to set value of msDS-MaximumPasswordAge attribute to "(Never)" without Quotes.
This will ensure that password will never expires for those user accounts
0
 
Mary Pat ConroyAuthor Commented:
Thanks for the confirmation, Mahesh.  I suspected that to be the case but I have never had cause to test it before so I figured it was best to be sure! :)

FYI, I do not have an FGPP set up for the user accounts that don't expire. (I do put them in a separate group just in case I want to do so in the future.)  I only have one FGPP set up for the accounts I do want to apply password policies to and that policy only applies to only one group.  

I will change the default domain policy setting and let you know how I make out!  Thanks again for your help!

Mary Pat
0
 
MaheshArchitectCommented:
OK
In addition to above, In feature, If you want to apply FGPP for these non-expiring password users in case, make sure to set msDS-MaximumPasswordAge attribute to "(Never)" without Quotes in that FGPP, otherwise FGPP settings will might get overwritten.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Microsoft Windows 7 Basic

This introductory course to Windows 7 environment will teach you about working with the Windows operating system. You will learn about basic functions including start menu; the desktop; managing files, folders, and libraries.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now