Probably the only other way to manage that would be to change the GINA (write a custom GINA) which is usually not manageable. In this case, I would have guessed that the lengthy leave of absence cases would be manageable or at least acceptable.
To recap what you have:
1) you've disabled the native notification
2) you send a message to the user letting them know their password is about to expire in x days
3) you have a central password management tool product
4) exceptions such as lengthy absence are directed to the helpdesk for further action

It also seems that the user *could* change their password natively and then have to change it at the central password tool. That would be to grant them access to the other non-AD controlled systems. That password change would then flow back to AD, so they would have to log out and back in with the new credentials but have the downside of changing the password twice.

Outside of a different architecture for that type of solution (integration with a single, most commonly used directory for example) or rewriting the GINA on the desktops (what a PITA to manage), I would say process is the only thing left to use that might help to better manage. Playing the odds, you would want to have a long password expiration time with strong passwords and enough retry attempts to keep that number to a manageable/acceptable level of helpdesk calls. You may also want to consider allowing the changes to process and policy to get the desired result.

My $0.04 anyway.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Olegario, Alan
Sent: Tuesday, March 22, 2005 10:35 AM
To: [email protected]
Subject: RE: [ActiveDir] Password Expiration Prompt

We're running a similar product and are looking at what options are available to us. An email script is good, but hypothetically, a user could come back from vacation or from maternity leave, not check their email and still get the pop-up box to change their password when they come back.

In our testing we found that if you set the password to never expire, but actually expire the account, they will get a prompt that their account has expired when they try to log in, but need to contact their SA for assistance, or something to that effect. At that point, there is an escape sequence that the user can do to get to the password management system, answer some challenge questions, and then change their password. This will also unexpire their account. Or they would contact our help desk for instructions.

We're still using a script to email notifications to the user, but actually using the same script to expire the account instead of the native GINA. I know it sounds like a hassle, and probably a whole bunch of calls to the help desk, but that appears to be the only way we can get them to use a single point for their password management. If anyone can think of a better way to do this, definitely let me know.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, March 22, 2005 10:11 AM
To: [email protected]
Subject: RE: [ActiveDir] Password Expiration Prompt

I've used this in that situation. You can change it from the three days on there to whatever you like and since it uses subtree search, you can use either a specific OU or the entire domain directory if you want. It is per domain. The script will email a notification with a link to the web page vs. doing a popup (so email is important right?) You would also have to turn off the notification in the domain to prevent the confusion. I use this script for users in a different forest than the one their workstation is in.

http://www.houseofqueues.com/CodeSamples/PassCheck.txt

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 22, 2005 9:30 AM
To: [email protected]
Subject: [ActiveDir] Password Expiration Prompt

In our environment we use a product called Passport to synchronize password changes across multiple accounts. Our users are aware of this product and the procedures required for making a password change, however, the Default Domain GPO specifies that the user will be notified to change their password 5 days before expiration. When a user logs in and sees this message they become confused and frustrated because they think this change will apply to all accounts and passwords, which it does not. Is there a script or setting I can change that will notify the user it is time for a password change and take them directly to the Passport website to change their password?

Thanks,
Chris

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
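The notifier Al describes (subtree search over the domain, an N-day warning, an e-mail carrying a link to the central tool instead of the GINA popup) and the exception cases the thread raises (someone back from leave whose password already expired, accounts flagged never-expire, must-change-at-next-logon) all reduce to one calculation over the user's directory attributes. The block below is an added example written for this page, not the PassCheck.txt script nor any Passport code. It assumes the caller has already fetched sAMAccountName, mail, pwdLastSet and userAccountControl for each user plus the domain's maxPwdAge, and will send the returned notices with its own mailer; the user records, the 42-day policy and the change URL are constructed placeholders.

```python
"""Core of a password-expiry notifier for Active Directory.

Added example, not the PassCheck.txt script from the thread.  The LDAP
search and the SMTP send are assumed to happen outside this module.
All sample records below are constructed, not real directory data.
"""
from datetime import datetime, timedelta, timezone

# AD Integer8 timestamps are Windows FILETIMEs: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# userAccountControl flag: "password never expires" set on the user object.
UF_DONT_EXPIRE_PASSWD = 0x10000

# maxPwdAge value meaning the domain policy never expires passwords.
MAXPWDAGE_NEVER = -0x8000000000000000


def filetime_to_datetime(ticks):
    """pwdLastSet (100-ns ticks) -> timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def max_pwd_age_to_timedelta(max_pwd_age):
    """maxPwdAge is stored as a NEGATIVE 100-ns interval.
    Return None when the policy says passwords never expire."""
    if max_pwd_age in (0, MAXPWDAGE_NEVER):
        return None
    return timedelta(microseconds=(-max_pwd_age) // 10)


def days_until_expiry(user, max_pwd_age, now):
    """Days until the user's password expires (negative = already expired),
    0 if they must change at next logon, None if it never expires."""
    if user.get("userAccountControl", 0) & UF_DONT_EXPIRE_PASSWD:
        return None
    age = max_pwd_age_to_timedelta(max_pwd_age)
    if age is None:
        return None
    pwd_last_set = int(user.get("pwdLastSet", 0))
    if pwd_last_set == 0:
        return 0  # "user must change password at next logon"
    return (filetime_to_datetime(pwd_last_set) + age - now).days


def users_to_notify(users, max_pwd_age, warn_days, now, change_url):
    """Select users within warn_days of expiry (or already expired) and
    build the e-mail text pointing them at the central password tool.
    A user with no mail attribute is still returned, with body None, so the
    admin can route that exception to the helpdesk instead of losing it."""
    notices = []
    for user in users:
        days = days_until_expiry(user, max_pwd_age, now)
        if days is None or days > warn_days:
            continue
        body = None
        if user.get("mail"):
            if days < 0:
                when = "has expired"
            elif days == 0:
                when = "expires today"
            else:
                when = "expires in %d day(s)" % days
            body = ("Your network password %s. Please change it at %s so the "
                    "change is applied to all of your accounts." % (when, change_url))
        notices.append({"account": user["sAMAccountName"],
                        "mail": user.get("mail"),
                        "days_left": days,
                        "body": body})
    return notices


# --- constructed sample data (placeholders, not real directory output) ----
NOW = datetime(2005, 3, 22, 10, 0, tzinfo=timezone.utc)
MAX_PWD_AGE_42_DAYS = -42 * 24 * 3600 * 10_000_000  # what AD stores for 42 days
CHANGE_URL = "https://passport.example.com/change"  # placeholder self-service page

SAMPLE_USERS = [
    {"sAMAccountName": "alice", "mail": "alice@example.com",   # 3 days left
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=39)),
     "userAccountControl": 0x200},
    {"sAMAccountName": "bob", "mail": "bob@example.com",       # 32 days left
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=10)),
     "userAccountControl": 0x200},
    {"sAMAccountName": "carol", "mail": "carol@example.com",   # never expires
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400)),
     "userAccountControl": 0x200 | UF_DONT_EXPIRE_PASSWD},
    {"sAMAccountName": "dave", "mail": "dave@example.com",     # change at next logon
     "pwdLastSet": 0, "userAccountControl": 0x200},
    {"sAMAccountName": "erin", "mail": None,                   # back from leave, expired
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=50)),
     "userAccountControl": 0x200},
]


if __name__ == "__main__":
    for n in users_to_notify(SAMPLE_USERS, MAX_PWD_AGE_42_DAYS, 5, NOW, CHANGE_URL):
        print(n["account"], n["days_left"], n["mail"] or "-> helpdesk")
```

Run against the constructed data with a 5-day warning window, alice (3 days), dave (next logon) and erin (expired, no mail, routed to the helpdesk) are selected; bob is outside the window and carol is skipped because of the never-expire flag. The same selection logic is what an account-expiry variant of Alan's approach would key on, with the action changed from "send mail" to "set accountExpires".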
