Solved

Why am I getting a password expiration notice in OWA when the AD password is not due to expire for another 100 days or so?

Posted on 2015-01-07
304 Views
Last Modified: 2015-02-23
We recently implemented Fine Grain Password Policies so that we could have different policies for different users. We created two security groups - one for accounts that should have the policy and one for accounts that shouldn't have the policy. Passwords expire in 120 days. I have confirmed that security settings in the default domain policy are not defined.  (They are not defined in any other policy either but it is my understanding that the default domain policy takes precedence over all other policies which is why we needed to use FGPP.)

Approximately half of our users access their e-mail through Outlook Web Access. Some of these users are starting to see a notice in OWA that says their password is going to expire in 1 or 10 or 14 days but their network password is not set to expire for at least another 100 days. Why are they seeing this prompt?

In Exchange (2010) OWA is configured for integrated windows authentication using forms-based authentication with user name only. IIS has only Anonymous Authentication enabled which may be part of the problem but I want to be sure.

Any and all help appreciated!

Mary Pat Conroy
Information Systems Manager
Question by:Mary Pat Conroy
5 Comments
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40537743
You are right.
FGPPs are there to override the default domain password policy.
However, you have not set any password policy at the domain level; this might be the cause of the password prompts you are getting from OWA.

Have you verified that the FGPPs are configured correctly?
If FGPP settings are enforced on users, you can check with the PowerShell command below on a 2k8 R2 or later DC from the AD PowerShell module:
Get-ADUserResultantPasswordPolicy username | fl

https://social.technet.microsoft.com/Forums/en-US/6d1e6442-eb0a-4d56-8261-fd722bccf50f/fgpp-vs-domain-policy?forum=winserverGP

You can try the below.
1st, ensure that users are part of those groups configured in the FGPP.
Set the default password policy in the default domain policy and reboot the PDC server for this to take effect.
After that, check if any user is getting a password prompt again from OWA.

Author Comment

by:Mary Pat Conroy
ID: 40538733
Hi, Mahesh!  Thanks for the reply.

I did verify that the FGPP is configured correctly using the PowerShell command you provided.  I also confirmed that the users are in the correct groups to apply/not apply the FGPP.

I have not, as yet, changed the default domain policy because I have accounts with passwords that should never expire.  Their accounts in AD are set to never expire but I would like to confirm that setting will override any expiration setting in the default domain policy.

Interestingly enough, my OWA account said my password was going to expire yesterday. I ignored it to see what would happen and I had no problem accessing network resources today so clearly the FGPP overrides the setting that OWA is getting and the message can basically be ignored.  

However, it appears that ActiveSync is getting the same expiration time that OWA gets and it is causing a huge problem with users who get email on their phones.  Their phones keep sending the password - which is correct - but ActiveSync sees it as expired and after the phone sends the password three times, the user's account gets locked!

I suspect that changing the default password policy will solve this issue as well so if you can confirm that the Never Expires setting overrides the default domain policy I will give that a try.

Thanks for your help!

Mary Pat
LVL 37

Expert Comment

by:Mahesh
ID: 40539553
If you set the flag "Password never expires" in the user account properties in AD, it will definitely override whatever is set in the default domain policy.
That's how service accounts are configured in Active Directory.

Since you want to apply FGPP to these user accounts, note that in the FGPP you need to set the value of the msDS-MaximumPasswordAge attribute to "(Never)" without quotes.
This will ensure that the password never expires for those user accounts.
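The two checks Mahesh describes above (confirming which policy actually wins for a user with Get-ADUserResultantPasswordPolicy, and confirming that any FGPP meant for non-expiring accounts really has msDS-MaximumPasswordAge set to "(Never)") can be run together from the AD PowerShell module. The script below is an added example, not code from this thread; it assumes the ActiveDirectory module (RSAT or a 2008 R2+ DC) and the FGPP layout the question describes. The account names are placeholders, and the assumption that "(Never)" is stored as Int64.MinValue in msDS-MaximumPasswordAge is flagged in a comment so it can be verified against your own FGPP.

```powershell
# Added example (not part of the original thread). Assumes the ActiveDirectory module and the
# FGPP setup described in the question. Account names are placeholders.
Import-Module ActiveDirectory

# File-time sentinel the DC returns in msDS-UserPasswordExpiryTimeComputed for a non-expiring password.
$NeverExpiresFileTime = [Int64]::MaxValue

function Get-EffectivePasswordExpiry {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$SamAccountName)

    foreach ($name in $SamAccountName) {
        $user = Get-ADUser -Identity $name -Properties PasswordNeverExpires, PasswordLastSet, 'msDS-UserPasswordExpiryTimeComputed'

        # Resultant policy: the FGPP that wins for this user, or nothing when the default domain policy applies.
        $fgpp = Get-ADUserResultantPasswordPolicy -Identity $user
        if ($fgpp) {
            $policyName = $fgpp.Name
            $maxAge     = $fgpp.MaxPasswordAge
        } else {
            $policyName = 'Default Domain Policy'
            $maxAge     = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
        }

        # What the DC itself computes for this account; compare this with the day count OWA shows.
        $raw = $user.'msDS-UserPasswordExpiryTimeComputed'
        if ($user.PasswordNeverExpires -or $raw -eq $NeverExpiresFileTime) {
            $expires  = 'Never'
            $daysLeft = $null
        } elseif ($raw -gt 0) {
            $expires  = [datetime]::FromFileTime($raw)
            $daysLeft = [int][math]::Floor(($expires - (Get-Date)).TotalDays)
        } else {
            $expires  = 'Must change at next logon'   # pwdLastSet is 0
            $daysLeft = 0
        }

        [pscustomobject]@{
            User                 = $user.SamAccountName
            PasswordNeverExpires = $user.PasswordNeverExpires
            ResultantPolicy      = $policyName
            MaxPasswordAge       = $maxAge
            PasswordLastSet      = $user.PasswordLastSet
            ExpiresOn            = $expires
            DaysLeft             = $daysLeft
        }
    }
}

function Get-FgppMaxAgeReport {
    # Assumption: "(Never)" in the FGPP editor is stored as Int64.MinValue in msDS-MaximumPasswordAge,
    # the same sentinel the domain's maxPwdAge uses. Verify against one of your own FGPPs in ADSI Edit.
    Get-ADFineGrainedPasswordPolicy -Filter * -Properties 'msDS-MaximumPasswordAge' |
        ForEach-Object {
            $rawAge = $_.'msDS-MaximumPasswordAge'
            [pscustomobject]@{
                Policy         = $_.Name
                Precedence     = $_.Precedence
                AppliesTo      = ($_.AppliesTo | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; '
                MaxPasswordAge = if ($rawAge -eq [Int64]::MinValue) { '(Never)' } else { $_.MaxPasswordAge }
            }
        }
}

# Usage (placeholder account names):
Get-EffectivePasswordExpiry -SamAccountName 'jdoe', 'svc-backup' | Format-Table -AutoSize
Get-FgppMaxAgeReport | Format-Table -AutoSize
```

Run it as a user with read access to the Password Settings Container. A user whose DaysLeft is around 100 while OWA or ActiveSync warns of expiry in 1 to 14 days is exhibiting exactly the mismatch described in the question; a FGPP row whose MaxPasswordAge is not "(Never)" but is applied to a group of non-expiring accounts is the misconfiguration Mahesh warns about.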

Author Comment

by:Mary Pat Conroy
ID: 40540154
Thanks for the confirmation, Mahesh.  I suspected that to be the case but I have never had cause to test it before so I figured it was best to be sure! :)

FYI, I do not have an FGPP set up for the user accounts that don't expire. (I do put them in a separate group just in case I want to do so in the future.)  I only have one FGPP set up for the accounts I do want to apply password policies to, and that policy applies to only one group.

I will change the default domain policy setting and let you know how I make out!  Thanks again for your help!

Mary Pat
LVL 37

Expert Comment

by:Mahesh
ID: 40540264
OK.
In addition to the above, in future, if you want to apply an FGPP to these non-expiring-password users, make sure to set the msDS-MaximumPasswordAge attribute to "(Never)" without quotes in that FGPP; otherwise the FGPP settings might get overwritten.