Active Directory: User must change password at next logon prevents users from logging in
The only time I've seen something like this was when we deployed a NAC agent that only allowed certain ports unless the user had logged in. Basically, network services had allowed the ports to log in but were blocking the ports needed to change passwords.
If you're using some kind of similar product, or are otherwise in a similar situation, you'll need to make sure that port 464 is open in addition to the LDAP ports (389 and 636). There's a full list of AD ports here: http://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx
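A quick way to check the two things this answer turns on, as an added example that is not part of the original answer: whether the account really carries the "must change password at next logon" flag (Active Directory stores it as pwdLastSet = 0), and whether every domain controller is reachable on the ports the logon plus the forced change need, including 464 (Kerberos change-password, kpasswd). It assumes the RSAT ActiveDirectory module and Test-NetConnection (Windows 8 / Server 2012 or later); the port list and the sample account name jdoe are this example's own assumptions.

```powershell
# Added example for this thread (not the answerer's own script). Assumes the
# ActiveDirectory module (RSAT) and Test-NetConnection (Windows 8 / 2012+).
Import-Module ActiveDirectory

# Ports a client needs to log on and then complete the forced password change.
# 464/TCP is the Kerberos change-password service (kpasswd); 88 is Kerberos
# authentication. This list is the example's assumption, not from the page.
$RequiredPorts = @(
    [pscustomobject]@{ Port = 88;  Service = 'Kerberos authentication' },
    [pscustomobject]@{ Port = 389; Service = 'LDAP' },
    [pscustomobject]@{ Port = 636; Service = 'LDAPS' },
    [pscustomobject]@{ Port = 464; Service = 'Kerberos password change (kpasswd)' }
)

function Test-PasswordChangePorts {
    # One row per domain controller and port; Reachable = TCP connect succeeded.
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter * |
                                       Select-Object -ExpandProperty HostName)
    )
    foreach ($dc in $DomainController) {
        foreach ($p in $RequiredPorts) {
            $tnc = Test-NetConnection -ComputerName $dc -Port $p.Port -WarningAction SilentlyContinue
            [pscustomobject]@{
                DomainController = $dc
                Port             = $p.Port
                Service          = $p.Service
                Reachable        = $tnc.TcpTestSucceeded
            }
        }
    }
}

function Get-MustChangeState {
    # Reports whether the "User must change password at next logon" flag is set:
    # AD represents it as pwdLastSet = 0, alongside the lockout/enabled state.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, LockedOut, Enabled
    [pscustomobject]@{
        SamAccountName        = $u.SamAccountName
        Enabled               = $u.Enabled
        LockedOut             = $u.LockedOut
        MustChangeAtNextLogon = ($u.pwdLastSet -eq 0)
    }
}

# Usage: inspect the account first, then list any DC/port pair that is blocked.
# 'jdoe' is a placeholder account name. A row with Port 464 and
# Reachable = False is the blocked-kpasswd case the answer describes.
Get-MustChangeState -SamAccountName 'jdoe' | Format-List
Test-PasswordChangePorts | Where-Object { -not $_.Reachable } | Format-Table -AutoSize
```

Run it from a workstation on the same network segment as the affected users rather than from the domain controller itself, since the NAC or firewall rule in question sits between the client and the DC. Test-NetConnection only exercises TCP; if nothing is blocked on TCP and the change still fails, check UDP 464 and 88 on the same path as well.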
ProfessionalAmateur (asked over 1 year ago; updated on September 18, 2022):
When I reset user passwords in Active Directory on Windows Server 2008 or Windows Server 2012 and check the option "User must change password at next logon", it prevents users from being able to log in. However, when I do not check this option and reset their password and unlock their account, the users can log in successfully. This obviously presents a bit of a security issue.
I'm not versed enough in AD to know why this is occurring; has anyone seen this before?
-
ProfessionalAmateur (almost 11 years ago): @EdFries - If a user locks their account, they'll call IT for us to unlock them, reset their password, etc. But when I do this and check the option to force them to change it, they are still essentially locked out and cannot log in. The same occurs for new users. I'll see if I can get a screenshot when I'm back in the office.
-
ProfessionalAmateur (almost 11 years ago): @FalconMomot - I'm not sure what a credential provider is. I'm a programmer who helps out the helpdesk people if passwords need to be reset and no one is here, so I'm missing a lot of basic AD knowledge. I just know that this feature being broken doesn't make any sense, and it can't be a bug in AD.
-
Falcon Momot (almost 11 years ago): That is exactly why I asked. Credential providers are the successor to GINA plugins; they modify the login screen in some way. I also wonder what else is in your environment: is something that authenticates against AD repeatedly trying an expired password instead of asking the users to change it?
-
Ed Fries (almost 11 years ago): Different actions and boxes: "unlock account" and "user must change password at next logon". Checking "User must change password..." means you must still reset the password and give it to the user; they will be able to log on and THEN they will be forced to change it immediately. Is that not what is happening?
-
ProfessionalAmateur (almost 11 years ago): @EdFries - Correct, that is what I am doing: resetting their password to "SimplePassword", unlocking the account, and checking the box for them to change it immediately upon the next successful login.
-
ProfessionalAmateur (almost 11 years ago): @FalconMomot - I will have to check. Our login screens seem stock; we do host our MS Exchange service, so maybe this is it? Still trying to hunt down a screenshot of the error.
-
Falcon Momot (over 10 years ago): Forced password changes override this policy. If I recall, the implementation sets passwordLastChanged to -1 to force the change.
-
ProfessionalAmateur (over 10 years ago): Jacob - This setting will only affect RDP though, correct? What about users who are trying to VPN in or simply log in to their desktop?
-
Jacob (over 10 years ago): Correct, this would only be for users using remote desktop to the server (sorry).
-
ProfessionalAmateur (over 10 years ago): Thanks, I just wanted to make sure I understood the answer provided. I do not know enough about AD, so it might have been part of the problem we have.