Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Why am I getting a password expiration notice in OWA when the AD password is not due to expire for another 100 days or so?

Posted on 2015-01-07
Medium Priority
Last Modified: 2015-02-23
We recently implemented Fine Grain Password Policies so that we could have different policies for different users. We created two security groups - one for accounts that should have the policy and one for accounts that shouldn't have the policy. Passwords expire in 120 days. I have confirmed that security settings in the default domain policy are not defined.  (They are not defined in any other policy either but it is my understanding that the default domain policy takes precedence over all other policies which is why we needed to use FGPP.)

Approximately half of our users access their e-mail through Outlook Web Access. Some of these users are starting to see a notice in OWA that says their password is going to expire in 1 or 10 or 14 days but their network password is not set to expire for at least another 100 days. Why are they seeing this prompt?

In Exchange (2010) OWA is configured for integrated windows authentication using forms-based authentication with user name only. IIS has only Anonymous Authentication enabled which may be part of the problem but I want to be sure.

Any and all help appreciated!

Mary Pat Conroy
Information Systems Manager
Question by:Mary Pat Conroy
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
LVL 37

Accepted Solution

Mahesh earned 2000 total points
ID: 40537743
You are right
FGPP are there to override default domain password policy
However, You have not set any password policy at domain level, this might be the cause you are getting password prompts from owa

Have you verified that FGPPs are configured correctly?
If FGPP settings are enforced on users, you can check with below PowerShell command on 2k8 R2 and above DC from AD PowerShell Module
Get-ADUserResultantPasswordPolicy username | fl


You can try below.
1st ensure that users are part of those groups configured in FGPP
Set default password policy in default domain policy, reboot PDC server to take this effect.
After that check if any user is getting password prompt again from owa

Author Comment

by:Mary Pat Conroy
ID: 40538733
Hi, Mahesh!  Thanks for the reply.

I did verify that the FGPP is configured correctly using the PowerShell command you provided.  I also confirmed that the users are in the correct groups to apply/not apply the FGPP.

I have not, as yet, changed the default domain policy because I have accounts with passwords that should never expire.  Their accounts in AD are set to never expire but I would like to confirm that setting will override any expiration setting in the default domain policy.

Interestingly enough, my OWA account said my password was going to expire yesterday. I ignored it to see what would happen and I had no problem accessing network resources today so clearly the FGPP overrides the setting that OWA is getting and the message can basically be ignored.  

However, it appears that ActiveSync is getting the same expiration time that OWA gets and it is causing a huge problem with users who get email on their phones.  Their phones keep sending the password - which is correct - but ActiveSync sees it as expired and after the phone sends the password three times, the user's account gets locked!

I suspect that changing the default password policy will solve this issue as well so if you can confirm that the Never Expires setting overrides the default domain policy I will give that a try.

Thanks for you help!

Mary Pat
LVL 37

Expert Comment

ID: 40539553
If you set flag "Password never expires" in user account properties in AD, definitely it will override whatever set in default domain policy
That's how service accounts are configured in active directory

Since you want to apply FGPP to these user accounts, Note that in FGPP you need to set value of msDS-MaximumPasswordAge attribute to "(Never)" without Quotes.
This will ensure that password will never expires for those user accounts

Author Comment

by:Mary Pat Conroy
ID: 40540154
Thanks for the confirmation, Mahesh.  I suspected that to be the case but I have never had cause to test it before so I figured it was best to be sure! :)

FYI, I do not have an FGPP set up for the user accounts that don't expire. (I do put them in a separate group just in case I want to do so in the future.)  I only have one FGPP set up for the accounts I do want to apply password policies to and that policy only applies to only one group.  

I will change the default domain policy setting and let you know how I make out!  Thanks again for your help!

Mary Pat
LVL 37

Expert Comment

ID: 40540264
In addition to above, In feature, If you want to apply FGPP for these non-expiring password users in case, make sure to set msDS-MaximumPasswordAge attribute to "(Never)" without Quotes in that FGPP, otherwise FGPP settings will might get overwritten.

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are times when we need to generate a report on the inbox rules, where users have set up forwarding externally in their mailbox. In this article, I will be sharing a script I wrote to generate the report in CSV format.
A couple of months ago we ran into an issue that necessitated re-creating our Edge Subscriptions. However, when we attempted to execute the command: New-EdgeSubscription -filename C:\NewEdgeSub_01.xml we received an error indicating that the LDAP se…
how to add IIS SMTP to handle application/Scanner relays into office 365.
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question