Password update doesn't take - asks for renewal

Guest
Archived from groups: microsoft.public.windowsnt.domain

I have a few users in 500 in an NT domain that have a peculiar problem. The password policy requires a change every 90 days.

When they get the message that their password is about to expire, they update it and the update appears to be successful.
But when they log in the next day, they get the same message with the counter decremented by one day. So it's as if they never updated it.
Sometimes this will happen every day until the original password expires, sometimes the second update takes. If it continues until the original password expires, then usually they can update it and they're good to go. If neither method works, then I have to manually set their password which makes them good for another 90 days.

What would keep their update from taking effect? One user has a second PC on a different domain (no trust set up) and he maps to shares on the first domain. He likes to keep the passwords the same on both domains (username is the same) because that way his mapping doesn't ask for any password as it seems to accept the other domain's authentication even though there's no trust.

Would his mapping to domain1 shares on domain2 PC prevent him from updating his password on domain 1? What else could do this?
 
Guest

Hi Jonathan,

To answer both of your questions. <g>
Looks like a domain synchronization issue.
The client must contact the PDC of the domain
in order to make a change because the PDC holds
the only modifiable copy of the SAM database.
The PDC then replicates the changes out to the
BDCs. I would open server manager and highlight
the PDC then synchronize the entire domain. Next
check the system log of the event viewer on all DCs
to verify the synch was successful. You must have
auditing enabled for security policy changes failure/
success.

Duplicate accounts in NT 4.0 will allow access to
the domain controllers but not workstations or
member servers. Workstations or member servers
will look at the domain field being presented; if
there is no trust, they will not pass the credentials
on to the DC for authentication.

"JonathanL" <JonathanL@discussions.microsoft.com> wrote in message
> I have a few users in 500 in an NT domain that have a peculiar
> problem. The password policy requires a change every 90 days.
>
> When they get the message that their password is about to expire, they
> update it and the update appears to be successful.
> But when they log in the next day, they get the same message with the
> counter decremented by one day. So it's as if they never updated it.
> Sometimes this will happen every day until the original password
> expires, sometimes the second update takes. If it continues until the
> original password expires, then usually they can update it and they're
> good to go. If neither method works, then I have to manually set their
> password which makes them good for another 90 days.
>
> What would keep their update from taking effect? One user has a second
> PC on a different domain (no trust set up) and he maps to shares on the
> first domain. He likes to keep the passwords the same on both domains
> (username is the same) because that way his mapping doesn't ask for any
> password as it seems to accept the other domain's authentication even
> though there's no trust.
>
> Would his mapping to domain1 shares on domain2 PC prevent him from
> updating his password on domain 1? What else could do this?
 
Guest

I'm already aware of all that you wrote about synchronization and that the PDC must be contacted to make any changes. I've already examined this and synchronization is taking place with no problems.
This problem is only happening with a few users out of 400. The rest update their passwords with no problem. If synchronization was the cause of their pw update failure, then it would happen for everyone.

As for the other multi-domain issue, one thing I forgot to mention is that domain #2 is a W2K domain while #1 is an NT4 domain.
I ask about it because I've seen this before between these two domains. The account names are the same (at least to humans they are though the sids are totally different). If the passwords are the same, then when mapping to a share on domain #1 from a PC on domain #2, a password isn't asked for, but if the passwords are not the same, then when logged into domain #2 on a PC and mapping to shares on domain #1, the user is asked for a pw.

"Michael Giorgio - MS MVP" wrote:

> Hi Jonathan,
>
> To answer both of your questions. <g>
> Looks like a domain synchronization issue.
> The client must contact the PDC of the domain
> in order to make a change because the PDC holds
> the only modifiable copy of the SAM database.
> The PDC then replicates the changes out to the
> BDCs. I would open server manager and highlight
> the PDC then synchronize the entire domain. Next
> check the system log of the event viewer on all DCs
> to verify the synch was successful. You must have
> auditing enabled for security policy changes failure/
> success.
>
> Duplicate accounts in NT 4.0 will allow access to
> the domain controllers but not workstations or
> member servers. Workstations or member servers
> will look at the domain field being presented; if
> there is no trust, they will not pass the credentials
> on to the DC for authentication.
>
> "JonathanL" <JonathanL@discussions.microsoft.com> wrote in message
> > I have a few users in 500 in an NT domain that have a peculiar
> > problem. The password policy requires a change every 90 days.
> >
> > When they get the message that their password is about to expire, they
> > update it and the update appears to be successful.
> > But when they log in the next day, they get the same message with the
> > counter decremented by one day. So it's as if they never updated it.
> > Sometimes this will happen every day until the original password
> > expires, sometimes the second update takes. If it continues until the
> > original password expires, then usually they can update it and they're
> > good to go. If neither method works, then I have to manually set their
> > password which makes them good for another 90 days.
> >
> > What would keep their update from taking effect? One user has a second
> > PC on a different domain (no trust set up) and he maps to shares on the
> > first domain. He likes to keep the passwords the same on both domains
> > (username is the same) because that way his mapping doesn't ask for any
> > password as it seems to accept the other domain's authentication even
> > though there's no trust.
> >
> > Would his mapping to domain1 shares on domain2 PC prevent him from
> > updating his password on domain 1? What else could do this?
 
Guest

Hi Jonathan,


"JonathanL" <JonathanL@discussions.microsoft.com> wrote in message news:
> I'm already aware of all that you wrote about synchronization and that
> the PDC must be contacted to make any changes. I've already examined
> this and synchronization is taking place with no problems.

Okay

> This problem is only happening with a few users out of 400. The rest
> update their passwords with no problem. If synchronization was the cause
> of their pw update failure, then it would happen for everyone.

Not exactly.. <g> Not *everyone* will use the same DC for
authentication. It's possible the few users are using a specific
DC. But if synchronization is okay like you say then you can
move on. In NT 4.0 all changes are made on the PDC then
replicated out to the BDCs so the client must be able to contact
the PDC in order to change his or her password. Perhaps the
clients are unable to contact the PDC. Are the problem clients
members of the W2k3 or NT 4.0 domain?

> As for the other multi-domain issue, one thing I forgot to mention is
> that domain #2 is a W2K domain while #1 is an NT4 domain.
> I ask about it because I've seen this before between these two
> domains. The account names are the same (at least to humans they are
> though the sids are totally different). If the passwords are the same,
> then when mapping to a share on domain #1 from a PC on domain #2, a
> password isn't asked for, but if the passwords are not the same, then
> when logged into domain #2 on a PC and mapping to shares on domain #1,
> the user is asked for a pw.

You can get away with using duplicate user accounts and passwords
in NT.
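The two replies above make the same point: in NT 4.0 the PDC holds the only writable copy of the SAM and replicates password changes out to the BDCs, and the handful of affected users may be authenticating against one particular BDC that never received their change. Server Manager's full synchronization is the fix; the script below is a way to confirm the diagnosis first. It is an added example, not code from either poster. It reads each DC's own copy of the account through the ADSI WinNT provider and compares the password age on every BDC with the PDC's. The server names, account names and the one-day slack are placeholders and assumptions, not values from the thread.

```powershell
# Added example, not part of the thread. Assumptions: the server and account
# names below are placeholders; the WinNT ADSI provider is used to read each
# DC's own SAM copy of the account (it works against NT 4.0 BDCs, which hold a
# read-only replica, as well as the PDC).

$DomainControllers = @('PDC01', 'BDC01', 'BDC02')   # placeholder names; list the PDC first
$Users             = @('jdoe', 'asmith')            # placeholder names of the affected accounts

function Get-PasswordAgeByDC {
    param([string]$User, [string[]]$DCs)
    foreach ($dc in $DCs) {
        try {
            $acct = [ADSI]"WinNT://$dc/$User,user"
            # PasswordAge is the number of seconds since the password was last set,
            # as recorded in that DC's copy of the SAM.
            $ageSec = [int]$acct.PasswordAge.Value
            [pscustomobject]@{
                User    = $User
                DC      = $dc
                AgeDays = [math]::Round($ageSec / 86400, 2)
                LastSet = (Get-Date).AddSeconds(-$ageSec)
                Expired = [bool][int]$acct.PasswordExpired.Value
                Error   = $null
            }
        } catch {
            # A DC that cannot be reached is reported rather than silently skipped.
            [pscustomobject]@{ User = $User; DC = $dc; AgeDays = $null; LastSet = $null; Expired = $null; Error = $_.Exception.Message }
        }
    }
}

foreach ($user in $Users) {
    $rows = @(Get-PasswordAgeByDC -User $user -DCs $DomainControllers)
    $rows | Format-Table User, DC, AgeDays, LastSet, Expired, Error -AutoSize

    # The PDC holds the only writable copy, so its age is the reference. A BDC whose
    # age is noticeably larger still has the pre-change password: the change never
    # replicated there, and a client authenticating against that BDC keeps seeing the
    # old expiry countdown. The one-day slack for normal replication lag is an assumption.
    $pdcRow = $rows | Where-Object { $_.DC -eq $DomainControllers[0] -and $null -eq $_.Error }
    if (-not $pdcRow) { Write-Warning "$user : could not read the PDC copy"; continue }
    $stale = @($rows | Where-Object { $null -eq $_.Error -and $_.AgeDays -gt ($pdcRow.AgeDays + 1) })
    if ($stale.Count -gt 0) {
        $staleNames = ($stale | ForEach-Object { $_.DC }) -join ', '
        Write-Warning ("{0}: password change not replicated to {1}" -f $user, $staleNames)
    }
}
```

Run it from an account that can read accounts on all of the DCs. A BDC flagged as stale for exactly the affected users, while every other account matches the PDC, supports the per-DC explanation in the second reply; on an affected user's workstation, `echo %LOGONSERVER%` shows which DC that session authenticated against and can be compared with the flagged name.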
 
