RE: FW: [Fwd: RE: [ActiveDir] Password policy change]
Yep - I've been through this just of late. If the Change at next logon is set, IIS doesn't have that level of function to allow this to take place through the current functions.

Rick

--
Posting is provided AS IS, and confers no rights or warranties ...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Saturday, August 27, 2005 5:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: FW: [Fwd: RE: [ActiveDir] Password policy change]

Yes that enables the password change functionality through OWA, but I don't believe that will help this particular situation. When you set the User Must Change Password at Next Logon bit then logon to OWA I don't think OWA will dump you to a password change screen. That Password Change screen is only something you can access once in OWA as far as I know.

To address the question about password expiry and OWA users, when you log in with OWA it will tell you that your password is getting close to expiring so it gives you a heads up that you need to change your password soon, whether that is through the IIS Password change tool or some other password change facility.

Phil

On 8/27/05, joe [EMAIL PROTECTED] wrote:

From a shy lurker MVP

It appears it is something you can enable. It isn't strictly part of OWA but the old IIS Password change tool. I recall there being issues with that tool and that is why they stopped enabling it by default but can't recall what they were this late at night or this early in the morning whatever it may be. ;o)

Thanks for the assist Mom.
:)

-Original Message-
Sent: Saturday, August 27, 2005 2:24 AM
To: [EMAIL PROTECTED]
Subject: [Fwd: RE: [ActiveDir] Password policy change]

http://www.petri.co.il/enable_password_changing_through_owa_in_exchange_2003.htm

Original Message
Subject: RE: [ActiveDir] Password policy change
Date: Sat, 27 Aug 2005 02:16:14 -0400
From: joe [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org

Yep, OWA is Outlook Web Access. If you haven't seen it, it is gorgeous in Exchange 2003. It looks almost exactly like Outlook. Unfortunately, if your password is expired (forced or otherwise) you aren't getting into OWA. I also don't believe it has a password change function if you just want to go and change it, but that could be something that could be enabled. Alternatively you set up another web page to do it.

As for the OP's original issue. It all comes down to implementation. You told the system to not allow people to change the password if the password age was less than one day and then were confused when it did exactly that. The reason for it is that there is one attribute for password age, pwdLastSet, and it doesn't distinguish between a helpdesk set operation or a normal password change, they are both password changes and you only want one day between every change. The proper way to handle that case is to force the users to change their password on next logon (which sets the pwdLastSet to 0), but as you know, that will kill OWA users. So you either need another process to follow for OWA only users, install some third party or custom in-house tool, or drop the minimum password aging.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Saturday, August 27, 2005 12:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change

You're right Aaron, I didn't know what it meant! I am not an outlook sort of person (we use Notes...), but the inferred statement surprises me.
It suggests that if the must change password is set, you can't logon to Outlook Web Access. This would suggest that forcing users to change password after (say) 28 days is also a no-no. And, it would also suggest that Outlook Web Access won't let you change your password. If it did, it would surely allow you to logon, then require you to change the password before you do anything.

This all seems unlikely, given Microsoft's recommended use of forcing password changes on a regular basis and forcing users to change a password when a new user is created.

If it is all true, maybe you have to provide some way that the users can go to a Citrix portal and change their password there, then go back and use Outlook Web Access.

Alan Cuthbertson

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml

- Original Message -
From: Aaron Visser [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, August 27, 2005 8:59 AM
Subject: Re: [ActiveDir] Password policy change
Re: FW: [Fwd: RE: [ActiveDir] Password policy change]
Yes that enables the password change functionality through OWA, but I don't believe that will help this particular situation. When you set the User Must Change Password at Next Logon bit then logon to OWA I don't think OWA will dump you to a password change screen. That Password Change screen is only something you can access once in OWA as far as I know.

To address the question about password expiry and OWA users, when you log in with OWA it will tell you that your password is getting close to expiring so it gives you a heads up that you need to change your password soon, whether that is through the IIS Password change tool or some other password change facility.

Phil

On 8/27/05, joe [EMAIL PROTECTED] wrote:

From a shy lurker MVP

It appears it is something you can enable. It isn't strictly part of OWA but the old IIS Password change tool. I recall there being issues with that tool and that is why they stopped enabling it by default but can't recall what they were this late at night or this early in the morning whatever it may be. ;o)

Thanks for the assist Mom. :)

-Original Message-
Sent: Saturday, August 27, 2005 2:24 AM
To: [EMAIL PROTECTED]
Subject: [Fwd: RE: [ActiveDir] Password policy change]

http://www.petri.co.il/enable_password_changing_through_owa_in_exchange_2003.htm

Original Message
Subject: RE: [ActiveDir] Password policy change
Date: Sat, 27 Aug 2005 02:16:14 -0400
From: joe [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org

Yep, OWA is Outlook Web Access. If you haven't seen it, it is gorgeous in Exchange 2003. It looks almost exactly like Outlook. Unfortunately, if your password is expired (forced or otherwise) you aren't getting into OWA. I also don't believe it has a password change function if you just want to go and change it, but that could be something that could be enabled. Alternatively you set up another web page to do it.

As for the OP's original issue. It all comes down to implementation.
You told the system to not allow people to change the password if the password age was less than one day and then were confused when it did exactly that. The reason for it is that there is one attribute for password age, pwdLastSet, and it doesn't distinguish between a helpdesk set operation or a normal password change, they are both password changes and you only want one day between every change. The proper way to handle that case is to force the users to change their password on next logon (which sets the pwdLastSet to 0), but as you know, that will kill OWA users. So you either need another process to follow for OWA only users, install some third party or custom in-house tool, or drop the minimum password aging.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Saturday, August 27, 2005 12:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change

You're right Aaron, I didn't know what it meant! I am not an outlook sort of person (we use Notes...), but the inferred statement surprises me. It suggests that if the must change password is set, you can't logon to Outlook Web Access. This would suggest that forcing users to change password after (say) 28 days is also a no-no. And, it would also suggest that Outlook Web Access won't let you change your password. If it did, it would surely allow you to logon, then require you to change the password before you do anything.

This all seems unlikely, given Microsoft's recommended use of forcing password changes on a regular basis and forcing users to change a password when a new user is created.

If it is all true, maybe you have to provide some way that the users can go to a Citrix portal and change their password there, then go back and use Outlook Web Access.
Alan Cuthbertson

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml

- Original Message -
From: Aaron Visser [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, August 27, 2005 8:59 AM
Subject: Re: [ActiveDir] Password policy change

Nevermind OWA = Outlook Web Access

On 8/26/05 3:39 PM, Figueroa, Johnny [EMAIL PROTECTED] wrote:

I mean, if I use the check box to user must change password at next logon our users whose only way into the domain is OWA will not prompt them to change their password... Unless I am missing something.

Thanks

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Friday, August 26, 2005 3:19 PM
To:
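Added example, not part of the original thread and not Microsoft code: a simplified Python model of the pwdLastSet behaviour joe describes, showing why a helpdesk reset trips the minimum password age and what setting pwdLastSet to 0 changes. The one-day and 28-day policy values, the reset time and all function names are constructed for illustration; nothing here queries a real directory.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MIN_AGE = timedelta(days=1)    # constructed policy: minimum password age
MAX_AGE = timedelta(days=28)   # constructed policy: maximum password age

def dt_to_filetime(dt):
    """pwdLastSet counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def filetime_to_dt(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def helpdesk_reset(now, must_change_at_next_logon):
    """A reset stamps pwdLastSet like any other change; the flag zeroes it."""
    return 0 if must_change_at_next_logon else dt_to_filetime(now)

def password_state(pwd_last_set, now):
    """Return (user_may_change, change_required_before_logon)."""
    if pwd_last_set == 0:
        # Flag set: minimum age no longer blocks the user, but a client
        # that cannot present a change dialog cannot complete the logon.
        return True, True
    age = now - filetime_to_dt(pwd_last_set)
    return age >= MIN_AGE, age >= MAX_AGE

def after_reset(must_change_at_next_logon, elapsed):
    """State of an account `elapsed` after a helpdesk reset (constructed time)."""
    reset_at = datetime(2005, 8, 26, 15, 0, tzinfo=timezone.utc)
    pwd_last_set = helpdesk_reset(reset_at, must_change_at_next_logon)
    return password_state(pwd_last_set, reset_at + elapsed)

if __name__ == "__main__":
    for flag in (False, True):
        for elapsed in (timedelta(hours=1), timedelta(days=2), timedelta(days=30)):
            print(flag, elapsed, after_reset(flag, elapsed))
```

With the flag off, the user is blocked from changing the helpdesk-issued password for a full day; with it on, the change is allowed at once but is also mandatory before logon, which is the case the thread says OWA-only users cannot get past.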