
Require Password Change for Users With Laptops Not Joined to Domai

Discussion in 'Windows Home Server' started by proteus71, Apr 17, 2009.

  1. proteus71

    proteus71 Guest

    I have been advised to change my password policy for my company. This is
    pretty straightforward for the users that access the network through a
    computer that is joined to the domain. When they log on after I have enabled
    the new policy, they will get a popup message requiring them to change their
    password.

    What I have not been able to figure out is how to implement this for users
    who have computers that are not joined to the domain. They log on to a local
    profile, then they are required to insert their username and password when
    they access a network share, typically from a mapped drive. But they do not
    receive a change password popup, they just get an access denied type of
    error.

    Any help would be greatly appreciated.
     
  2. Hello proteus71,

    The users will have to log on to a computer that is connected to the domain
    to change their password. You can set up a terminal server where they can
    remotely log in to change their password... Is there any reason why their
    computers are not joined to the domain?

    --
    Isaac Oben [MCTIP:EA, MCSE]
     
  3. proteus71

    proteus71 Guest

    Re: Require Password Change for Users With Laptops Not Joined to D

    Hi Isaac,

    Thanks for the timely reply. I work in a post-graduate school which
    requires all students to have their own laptops. Since the school does not
    own the laptops, we don't have them join the domain. We have public computer
    labs available that are joined, which the students could use to change their
    passwords, but this could become a problem since they would have to do this
    every 90 days. I have read about being able to allow making the password
    change through OWA, but it requires having a certificate on the Exchange
    server (which we do not have). I was hoping there was an easier way than the
    public labs option, but I might be out of luck.

    Thanks Again

     
  4. "proteus71" <proteus71@discussions.microsoft.com> wrote in message
    news:4745E417-61A9-459E-8F7B-7CBF974BBEEF@microsoft.com...
    > I have been advised to change my password policy for my company. This is
    > pretty straightforward for the users that access the network through a
    > computer that is joined to the domain. When they log on after I have
    > enabled the new policy, they will get a popup message requiring them to
    > change their password.
    >
    > What I have not been able to figure out is how to implement this for users
    > who have computers that are not joined to the domain. They log on to a
    > local profile, then they are required to insert their username and
    > password when they access a network share, typically from a mapped drive.
    > But they do not receive a change password popup, they just get an access
    > denied type of error.
    >
    > Any help would be greatly appreciated.
    >


    Since the laptops are not joined to the domain, you will have to change the
    password in two locations each time:
    a) On the domain controller;
    b) On each laptop.

    It is possible to do this with a script at logon time, e.g. like so:
    1. Check the password age.
    2. If it is beyond the set expiry date, prompt the owner for a new password.
    3. If he declines, tell him that he will be locked out three days from now.
    4. If he enters a new password, change it on the domain.
    5. If the change is accepted, change the password locally.

    I see two issues with this approach:
    a) It is fairly complex and requires quite a bit of scripting.
    b) The domain password will diverge from the local password
    for a number of reasons, requiring manual intervention.

    In other words, you'll be creating a fair bit of extra work for yourself and
    your users won't exactly like you for the hassle you cause them.
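
The decision part of the logon script outlined above (steps 1 to 3), as an added example that is not part of the original post. The function name, the state names and the stored first-decline timestamp are assumptions; the 90-day interval and the three-day grace period come from the thread, and the value passed in is the Active Directory `pwdLastSet` attribute.

```powershell
# Added example: decision logic only (steps 1-3). Reading pwdLastSet from the
# directory and performing the two password changes (steps 4-5) are not shown.
function Get-PasswordState {
    param(
        [Parameter(Mandatory)][long]$PwdLastSet,   # AD pwdLastSet: 100-ns intervals since 1601-01-01 UTC
        [Parameter(Mandatory)][datetime]$NowUtc,
        [Nullable[datetime]]$FirstDeclinedUtc,     # assumption: saved by the script on the first "no"
        [int]$MaxAgeDays = 90,                     # rotation interval mentioned in the thread
        [int]$GraceDays  = 3                       # step 3 of the outline
    )

    # pwdLastSet = 0 means "must change at next logon" (e.g. after a help-desk reset)
    if ($PwdLastSet -eq 0) {
        return [pscustomobject]@{ State = 'MustChange'; Expires = $null; LockoutOn = $null }
    }

    $expires = [datetime]::FromFileTimeUtc($PwdLastSet).AddDays($MaxAgeDays)
    if ($NowUtc -lt $expires) {
        return [pscustomobject]@{ State = 'Valid'; Expires = $expires; LockoutOn = $null }
    }

    # Expired. Anchor the grace period to the FIRST decline; otherwise every
    # new "no" would push the lockout date out again.
    if ($null -eq $FirstDeclinedUtc) {
        # LockoutOn is the date to announce if the user declines now.
        return [pscustomobject]@{ State = 'Prompt'; Expires = $expires; LockoutOn = $NowUtc.AddDays($GraceDays) }
    }

    $lockout = $FirstDeclinedUtc.AddDays($GraceDays)
    $state   = if ($NowUtc -ge $lockout) { 'LockedOut' } else { 'PromptInGrace' }
    [pscustomobject]@{ State = $state; Expires = $expires; LockoutOn = $lockout }
}

# Constructed sample values (not taken from a real directory)
$now     = [datetime]::new(2009, 7, 20, 8, 0, 0, [DateTimeKind]::Utc)
$fresh   = $now.AddDays(-10).ToFileTimeUtc()
$expired = $now.AddDays(-95).ToFileTimeUtc()

Get-PasswordState -PwdLastSet $fresh   -NowUtc $now
Get-PasswordState -PwdLastSet $expired -NowUtc $now
Get-PasswordState -PwdLastSet $expired -NowUtc $now -FirstDeclinedUtc $now.AddDays(-1)
Get-PasswordState -PwdLastSet $expired -NowUtc $now -FirstDeclinedUtc $now.AddDays(-4)
```
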
     
  5. Grant Taylor

    Grant Taylor Guest

    Re: Require Password Change for Users With Laptops Not Joined toDomai

    On 04/17/09 11:43, proteus71 wrote:
    > Any help would be greatly appreciated.


    What if we change the puzzle just a little bit.

    Namely what would happen if you expired the accounts of roaming users
    thus requiring them to contact the help desk to have their account
    re-enabled. Naturally when the accounts are re-enabled they would have
    a temporary password set as well as the option that requires users to
    change their password.

    Though as I type this I'm not sure that this will translate through to
    their systems that are "sidling up and slipping in" to the network with
    matched user names and passwords. :( But it's still food for thought.



    Grant. . . .
     
  6. Hello proteus71,

    You cannot force a password change over network shares. So choose the option
    from Isaac with the terminal server for password change, or the users have
    to go to your helpdesk and change it there.

    With this article you can provide them an email early, so they have the time
    to plan the change when they are in the school.
    http://blogs.dirteam.com/blogs/jorg...e-mail-their-password-is-going-to-expire.aspx

    Best regards

    Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    no rights.
    ** Please do NOT email, only reply to Newsgroups
    ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


     
