Go Premium for a chance to win a PS4. Enter to Win


Why am I getting a password expiration notice in OWA when the AD password is not due to expire for another 100 days or so?

Posted on 2015-01-07
Medium Priority
Last Modified: 2015-02-23
We recently implemented Fine Grain Password Policies so that we could have different policies for different users. We created two security groups - one for accounts that should have the policy and one for accounts that shouldn't have the policy. Passwords expire in 120 days. I have confirmed that security settings in the default domain policy are not defined.  (They are not defined in any other policy either but it is my understanding that the default domain policy takes precedence over all other policies which is why we needed to use FGPP.)

Approximately half of our users access their e-mail through Outlook Web Access. Some of these users are starting to see a notice in OWA that says their password is going to expire in 1 or 10 or 14 days but their network password is not set to expire for at least another 100 days. Why are they seeing this prompt?

In Exchange (2010) OWA is configured for integrated windows authentication using forms-based authentication with user name only. IIS has only Anonymous Authentication enabled which may be part of the problem but I want to be sure.

Any and all help appreciated!

Mary Pat Conroy
Information Systems Manager
Question by:Mary Pat Conroy
  • 3
  • 2
LVL 38

Accepted Solution

Mahesh earned 2000 total points
ID: 40537743
You are right
FGPP are there to override default domain password policy
However, You have not set any password policy at domain level, this might be the cause you are getting password prompts from owa

Have you verified that FGPPs are configured correctly?
If FGPP settings are enforced on users, you can check with below PowerShell command on 2k8 R2 and above DC from AD PowerShell Module
Get-ADUserResultantPasswordPolicy username | fl


You can try below.
1st ensure that users are part of those groups configured in FGPP
Set default password policy in default domain policy, reboot PDC server to take this effect.
After that check if any user is getting password prompt again from owa

Author Comment

by:Mary Pat Conroy
ID: 40538733
Hi, Mahesh!  Thanks for the reply.

I did verify that the FGPP is configured correctly using the PowerShell command you provided.  I also confirmed that the users are in the correct groups to apply/not apply the FGPP.

I have not, as yet, changed the default domain policy because I have accounts with passwords that should never expire.  Their accounts in AD are set to never expire but I would like to confirm that setting will override any expiration setting in the default domain policy.

Interestingly enough, my OWA account said my password was going to expire yesterday. I ignored it to see what would happen and I had no problem accessing network resources today so clearly the FGPP overrides the setting that OWA is getting and the message can basically be ignored.  

However, it appears that ActiveSync is getting the same expiration time that OWA gets and it is causing a huge problem with users who get email on their phones.  Their phones keep sending the password - which is correct - but ActiveSync sees it as expired and after the phone sends the password three times, the user's account gets locked!

I suspect that changing the default password policy will solve this issue as well so if you can confirm that the Never Expires setting overrides the default domain policy I will give that a try.

Thanks for you help!

Mary Pat
LVL 38

Expert Comment

ID: 40539553
If you set flag "Password never expires" in user account properties in AD, definitely it will override whatever set in default domain policy
That's how service accounts are configured in active directory

Since you want to apply FGPP to these user accounts, Note that in FGPP you need to set value of msDS-MaximumPasswordAge attribute to "(Never)" without Quotes.
This will ensure that password will never expires for those user accounts

Author Comment

by:Mary Pat Conroy
ID: 40540154
Thanks for the confirmation, Mahesh.  I suspected that to be the case but I have never had cause to test it before so I figured it was best to be sure! :)

FYI, I do not have an FGPP set up for the user accounts that don't expire. (I do put them in a separate group just in case I want to do so in the future.)  I only have one FGPP set up for the accounts I do want to apply password policies to and that policy only applies to only one group.  

I will change the default domain policy setting and let you know how I make out!  Thanks again for your help!

Mary Pat
LVL 38

Expert Comment

ID: 40540264
In addition to above, In feature, If you want to apply FGPP for these non-expiring password users in case, make sure to set msDS-MaximumPasswordAge attribute to "(Never)" without Quotes in that FGPP, otherwise FGPP settings will might get overwritten.

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Stellar Exchange Toolkit: this 5 in 1 toolkit comes loaded with mega-software tool. Here’s an introduction to tools’ usage and advantages:
If you have come across a situation where you need to find some EDB mailbox recovery techniques, then here you will find the same. In this article, we will take you through three techniques using which you will be able to perform EDB recovery. You …
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…
Whether it be Exchange Server Crash Issues, Dirty Shutdown Errors or Failed to mount error, Stellar Phoenix Mailbox Exchange Recovery has always got your back. With the help of its easy to understand user interface and 3 simple steps recovery proced…
Suggested Courses

877 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question