password reset problems

calex71

Need a workaround for this one guys, resetting passwords from ad for laptop users is causing me an issue in that, i reset the password user waits and logs on with the new password.

Gets prompt to change the password , this is where the problem occurs.
Upon entering and confirming the new passowrd an error pops up to say user name or old password is incorrect , i think this occurs due to it checking AD at the initiall login screen and then once it asks to create a new passowrd it checks a local profile. This would not be an issue if the users could remember the old password but unfortunately this is usually why it need resetting.

I know replication time plays a part in this but its not workable to expect someone to wait a few hours to log in , also this would work if the user logs on to anotehr pc to change the password but again not always a possable.

any suggestions

matt-dublin

in theory, you shouldn't reset a users password when they are offline,

why do you need to reset the passwords? can you not set them to change the password on next logon?

DannyBuoy

There's a very useful addin from MS, its acctinfo.dll. It adds another tab into the users properties in AD users and computers called Additional Account Info, it allows you to see the remaining time for a pwd and also the facility to change it on the site DC and so negate the replication time. I agree with Matt, very dodgy changing while they're offline. I presume they're doing all this while they're connected to AD...

calex71

matt-dublin wrote:

in theory, you shouldn't reset a users password when they are offline,

why do you need to reset the passwords? can you not set them to change the password on next logon?

The laptops are not offline in that they are acually connected to the lan
and we need to take ad out of the equation as it is not used to change the password

matt-dublin

`you said you reset the users password?

if the user is connected to the lan, and want to change their passsword they must have connectivity with AD

to do this you ahould not have to do anything, they should just press ctrl - alt - del and click change password.

you should not have to reset anything unless they're lost their password.
in which case you would reset the password within ad and they would log on using it, it you require them to change the password you check the change password on logon box. then they will be prompted with a change password box upon login, which their old password would be the password you just gave them, not their actual password

calex71

true , however its reset via a 3rd party (long story but like i said keep ad out of the equation) tool that is linked to ad as they have forgotten the password.

matt-dublin

why do you want to keep ad out of the equation?

the password is authenticated via ad, the third party app is obviously where the issue happens.

have you tried doing this via ad?
i think it would be your best option

calex71

same result if done via ad directly

matt-dublin

very strange, is the laptop in a remote site or anything?

calex71

nope litrally in the next office 5 meters away

matt-dublin

thats really strange,

is it with one specific machine/user?

Static M.e.

Gets prompt to change the password , this is where the problem occurs.
Upon entering and confirming the new passowrd an error pops up to say user name or old password is incorrect

.. I saw this very thing happen two days ago. It turns out that the user was trying to use a password that had already been used. Ie Password History was ineffect.

Also

The user was also confused on where to enter the password reset details.

User couldn't log in.
I reset the password for them (password)
The user would enter the new password and get asked to change the password.

John.Doe
password

New box opens up with.

Name: John.Doe
Old Password:Popeye
New Password:********
Confirm Password:********

Here the user was placing the origional Password (before I had changed it) in the Old Password box so when they now entered the new password and confirmed they would recieve the error

"User name or old password is incorrect"

Static M.e.

Another thing, if you and the user are both logging into the same DC the replication doesnt come into effect.

I wouldn't even count the same building

matt-dublin

yeah thats somewhat like what i mentioned above as well.

hshortt

Password resets are instant in AD. There is no delay in logging on with the new password.

What policies are in place? Is the user prevented from changing the password - Password Age (configuration item).

Run Resultant set of policies on the client and determine by analysis if a policy is causing an issue.

Cheerio
Howard

_CreeD_

hshortt wrote:

Password resets are instant in AD. There is no delay in logging on with the new password.
Howard

If you reset a user's password on a DC at another site (ie. you have not specifically chosen a DC at their within your ADUC MMC) then the change will only become active on their DC when replication occurs - the exception to this rule though is if you reset it when connected to the PDC Emulator or if the emulator has since replicated with the DC on which you made the change. The user's login DC will check it's own records and if the password fails will then check with the PDC Emulator before refusing a login, if neither have the latest change to the account yet the login will fail with the new password.

OP, Matt-Dublin is correct I think. 3rd party or not the users are being prompted as if the "User Must Change Password At Next Logon" option is set, whether by default on your DC(s) or by the 3rd party App. The old password is the one YOU reset it to and not THEIR old one, the New and Confirm passwords are ones they must now create.

hshortt

_CreeD_ wrote:

If you reset a user's password on a DC at another site (ie. you have not specifically chosen a DC at their within your ADUC MMC) then the change will only become active on their DC when replication occurs - the exception to this rule though is if you reset it when connected to the PDC Emulator or if the emulator has since replicated with the DC on which you made the change. The user's login DC will check it's own records and if the password fails will then check with the PDC Emulator before refusing a login, if neither have the latest change to the account yet the login will fail with the new password.

Password replication occurs immediately and outside the realms of standard or urgent replications.

See here - http://www.microsoft.com/technet/abouttn/flash/tips/tips_060805.mspx

cheerio
Howard

_CreeD_

So it's still reverting to the PDC Emulator, I didn't know it was instantly updated though, cheers.