"User cannot change password" Active Directory

phuschnickens Beverly Hills, Michigan Member
edited April 2009 in Science & Tech
I'm trying to restrict 4 users from changing their passwords. For each user in Active Directory, I check the "user cannot change password" option within the account properties. This option is sticking for about one day (24 hrs)... then I go to double-check it and they are all unchecked again.... WHAT AM I DOING WRONG? :confused:

Thanks

Comments

  • Thrax Austin, TX Icrontian
    edited April 2009
    Do you have a password expiration GPO configured?
  • phuschnickens Beverly Hills, Michigan Member
    edited April 2009
    Thrax wrote:
    Do you have a password expiration GPO configured?

    Not sure if I know exactly what you mean... but I do have these users set to "password never expires".
  • QCH Ancient Guru Chicago Area - USA Icrontian
    edited April 2009
    Group Policy Object = GPO....

    Most companies have the GPO set similarly to this...

    [attached screenshot: GPO password policy settings]

    I believe there is a setting to prohibit "Pass does not expire" and it may tie in the fact that the user MUST be able to reset the password. :scratch:
  • phuschnickens Beverly Hills, Michigan Member
    edited April 2009
    0
    not sure what number (off)
    not sure what number (off)
    3
    disabled
    disabled

    That's how I have it set. How's that for security, ha.

    But really, what's this have to do with the "user cannot change password" resetting itself?
  • phuschnickens Beverly Hills, Michigan Member
    edited April 2009
    These are my GPO password policy settings:

    [screenshot: GPO password policy settings]


    And this is a link to an experts-exchange thread: Active Directory - "User Cannot Change Password" keeps unchecking itself.

    This is the answer that is listed from that link:
    Where did you place the OU? You can't have any OU's outside of the default MyBusiness\Users\SBSUsers.

    Generally, separate OUs are not the way to delegate additional GPOs on an SBS, instead, create a SECURITY GROUP and add users to that group that you want to modify. Then, delegate that GPO to the Security Group and make sure that the GPO is higher in the list of GPOs than the default Password Policy GPO.

    This is the membership of one of the users affected by the problem:

    [screenshot: the affected user's group membership]


    I am going to change this membership to only "domain users" and "users."

    Any suggestions as to what I'm doing wrong?

    Thanks
  • Norge Sidney, Ohio
    edited April 2009
    Perhaps the maximum password age of zero is causing it to reset? If a password can be zero seconds old as a maximum that might cause a problem. For the password to never expire I would think the maximum age would be indefinite. I don't know if that is an option though. It might be worth checking in case it is something that simple.

    Norge
  • QCH Ancient Guru Chicago Area - USA Icrontian
    edited April 2009
    I saw that too... Sometimes "0" on a max is interpreted as "No Max age".
    This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days.
    See MS Doc.
  • phuschnickens Beverly Hills, Michigan Member
    edited April 2009
    Once I changed the user down to only being a member of "Users" and "Domain Users," the problem appears to be solved. Probably has not recurred since. Maybe taking the user out of "Domain Admins" was the magic.

    Unrelated question and probably worthy of a new post:

    Any way to view a user's session on a client computer?
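    The fix reported above (removing the account from Domain Admins) matches a known Active Directory behaviour: members of protected groups such as Domain Admins get their object ACL periodically re-stamped from the AdminSDHolder template by the SDProp process on the PDC emulator (hourly by default), and such objects carry adminCount=1. Because "User cannot change password" is not an attribute but a pair of Deny ACEs on the user object, any manual ACL change on a protected account is overwritten on the next SDProp pass. The script below is an added example, not code from the thread; it uses the ActiveDirectory module to report, for each account, whether the flag is set, whether the underlying Deny ACEs are present, and whether the account is SDProp-protected (in which case the setting will not stick). The account names are placeholders.

```powershell
# Added example (not part of the original thread). Requires the RSAT ActiveDirectory module.
# Account names below are placeholders; replace with the real sAMAccountNames.
Import-Module ActiveDirectory

$Accounts = @('user1', 'user2', 'user3', 'user4')   # placeholders

# Schema GUID of the "User-Change-Password" control access right.
$ChangePasswordRight = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'

function Get-CannotChangePasswordState {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount, CannotChangePassword, MemberOf
    $acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

    # "User cannot change password" is implemented as Deny ACEs for the
    # Change-Password right assigned to SELF and Everyone on the user object.
    $denyAces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.ObjectType -eq $ChangePasswordRight -and
        ($_.IdentityReference.Value -in @('NT AUTHORITY\SELF', 'Everyone'))
    }

    [pscustomobject]@{
        SamAccountName       = $user.SamAccountName
        CannotChangePassword = $user.CannotChangePassword
        DenyAceCount         = @($denyAces).Count
        # adminCount=1 means SDProp has stamped this object with the AdminSDHolder ACL;
        # manual ACE changes on it (including this flag) are reverted on the next pass.
        ProtectedBySdProp    = ($user.adminCount -eq 1)
        Groups               = ($user.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; '
    }
}

$Accounts | ForEach-Object { Get-CannotChangePasswordState -SamAccountName $_ } | Format-Table -AutoSize
```

    An account showing ProtectedBySdProp = True will lose the flag again however often it is re-applied; the durable fix is the one the thread arrived at, keeping ordinary users out of protected groups. Once the account is unprotected, `Set-ADUser -Identity <name> -CannotChangePassword $true` sets the flag from the command line.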
  • QCH Ancient Guru Chicago Area - USA Icrontian
    edited April 2009
    Remote Assistance....
  • phuschnickens Beverly Hills, Michigan Member
    edited April 2009
    QCH2002 wrote:
    Remote Assistance....

    P.S. Without permission.
  • QCH Ancient Guru Chicago Area - USA Icrontian
    edited April 2009
    VNC...
  • phuschnickens Beverly Hills, Michigan Member
    edited April 2009
    Anything built into a Windows domain?
  • QCH Ancient Guru Chicago Area - USA Icrontian
    edited April 2009
    Not really.... there are ways to use SMS and some registry hacks to allow remote control without consent.

    The bigger issue... Ethics. As a Domain Admin, I stay far away from these types of issues since we have so much power and many people are very leery of what we can do. Many assume we can do more than we can. I strive to let my users know that I would NEVER stoop to the level where I would eavesdrop on their computing without permission from upper management or some court order.
  • phuschnickens Beverly Hills, Michigan Member
    edited April 2009
    QCH2002 wrote:
    Not really.... there are ways to use SMS and some registry hacks to allow remote control without consent.

    The bigger issue... Ethics. As a Domain Admin, I stay far away from these types of issues since we have so much power and many people are very leery of what we can do. Many assume we can do more than we can. I strive to let my users know that I would NEVER stoop to the level where I would eavesdrop on their computing without permission from upper management or some court order.

    Yeah, I've thought of that. And then there's the other end... the "you're getting paid to work here, not to come in on Sundays just to use our internet access, and although you say you're actually working on Sundays it's clear that you can't really make sales calls on Sundays because most businesses aren't open" side of it. And I also suspect she allows her 13 yo daughter to log on to another client computer to "play." I work in a small company for my father. We monitor emails and have recently implemented software that allows for call logging etc. It might make the company a little big brotherish, which I'm not necessarily a fan of, but the paychecks come on time and we let the employees know that it's all just part of the deal.

    I'm actually interested in feedback on this..
  • QCH Ancient Guru Chicago Area - USA Icrontian
    edited April 2009
    Logs are your friend... Start adding logs to monitor activity. If you have a Microsoft shop and run DNS, DHCP, and AD, then you should have enough logs to track down a ton of info with the right filters in place. Logs are good enough to get them fired. ;)
  • phuschnickens Beverly Hills, Michigan Member
    edited April 2009
    K, I'll look into it.