GPO question
-
@taurex said in GPO question:
@JasGot said in GPO question:
@taurex said in GPO question:
From my experience, BYODs make resetting AD passwords for students a time-waster for IT. You should delegate this to non-IT staff like school librarians and teach them how to use a password reset app like Wisesoft's Password Control (with giving them appropriate permissions like only for students OU, of course) or get your software developer to create a web-based password reset kiosk for students and staff with BYODs.
We've learned since the original post, this is not an AD/OU environment. Your point about 3rd party password control is a great option for domain admins though.....
But those students still have accounts in OP's AD, right? It's only their devices are BYOD.
Yes. The new student (class of 2023) can log into OWA but cannot change the password. Other students (class of 2020, 2021, 2022) can all change their passwords.
-
@WLS-ITGuy said in GPO question:
@taurex said in GPO question:
@JasGot said in GPO question:
@taurex said in GPO question:
From my experience, BYODs make resetting AD passwords for students a time-waster for IT. You should delegate this to non-IT staff like school librarians and teach them how to use a password reset app like Wisesoft's Password Control (with giving them appropriate permissions like only for students OU, of course) or get your software developer to create a web-based password reset kiosk for students and staff with BYODs.
We've learned since the original post, this is not an AD/OU environment. Your point about 3rd party password control is a great option for domain admins though.....
But those students still have accounts in OP's AD, right? It's only their devices are BYOD.
Yes. The new student (class of 2023) can log into OWA but cannot change the password. Other students (class of 2020, 2021, 2022) can all change their passwords.
Adding to this, all 4 classes are under the same OU
-
When your students first logs in, are they prompted to set their regional date and time?
-
@JasGot said in GPO question:
net accounts
Can you run "net accounts /domain" from any workstation or server connected to the same domain as the Exchange server. show the results here.
-
@JasGot said in GPO question:
When your students first logs in, are they prompted to set their regional date and time?
Yes.
-
Is your native module exppw.dll correctly registered?
-
@JasGot said in GPO question:
Is your native module exppw.dll correctly registered?
Iโll get the results youโre asking for and this answer as well tomorrow.
-
@JasGot said in GPO question:
net accounts /domain
Which is interesting to know but I guess helps me figure out why they can't change their passwords.
-
This post is deleted! -
@WLS-ITGuy said in GPO question:
@JasGot said in GPO question:
net accounts /domain
Which is interesting to know but I guess helps me figure out why they can't change their passwords.
Assuming you don't have grandular password policies enabled - I don't get how anyone could change their passwords in less than 30 days.
-
@Dashrender said in GPO question:
@WLS-ITGuy said in GPO question:
@JasGot said in GPO question:
net accounts /domain
Which is interesting to know but I guess helps me figure out why they can't change their passwords.
Assuming you don't have grandular password policies enabled - I don't get how anyone could change their passwords in less than 30 days.
Which is the interesting part as I have a screenshot that has my minimum password age at 7 days but that also might be before I upgraded to 2016 server. Who knows, they days blend together now as I get older.
-
Show us a picture of your Group Policy Management console, for the root, and the OU where the servers reside.
-
@WLS-ITGuy said in GPO question:
@JasGot said in GPO question:
net accounts /domain
Which is interesting to know but I guess helps me figure out why they can't change their passwords.
And there you have it! Your GPO is preventing the exchange server from allowing the password to be changed any more often than 30 days. Come back in a month and it'll work.
So, I would leave the complexity in place, and set the Min Age to zero days. (All in the GPO on the DC)
Also, since my clients always put off changing their password until they can't..... I would implement this on your CAS/OWA server so they can change their passwords even after it has expired.On the Client Access Server (CAS), click Start > Run and type regedit.exe and click OK.
Navigate to HKLM\SYSTEM\CurrentControlSet\Services\MSExchange OWA.
Right click the MSExchange OWA key and click New > DWord (32-bit).
The DWORD value name is ChangeExpiredPasswordEnabled and set the value to 1.Note: The values accepted are 1 (or any non-zero value) for "Enabled" or 0 or blank / not present for "Disabled"
After you configure this DWORD value, you must reset IIS. The recommended method to reset IIS is to use IISReset /noforce from a command prompt.
Ref: http://blogs.technet.com/b/exchange/archive/2010/10/06/3411240.aspx
-
@JasGot said in GPO question:
@WLS-ITGuy said in GPO question:
@JasGot said in GPO question:
net accounts /domain
I went through and made sure no other GPOs have password settings. I have changed the default domain policy minimum age to 1 day
Saved, linked, enforced. Run GPUpdate /force and Checked on the DC:
Run GPUpdate /force and Checked on Domain joined PC:
Am I missing something?
-
@WLS-ITGuy Never change the default domain policy. Like ever. It is simply asking for headaches later.
Make a new policy and apply it.
That aside, you changed a policy and it is not reflected. You have to have some other policy applying a setting.
-
Well, Son of a Bitch!
GPO Status was set to disabled.
-
Thanks everyone for the assistance! I forgot that I had disabled the damn thing in the beginning of all this even though I told @dbeato that in a PM.
-
@WLS-ITGuy said in GPO question:
Thanks everyone for the assistance! I forgot that I had disabled the damn thing in the beginning of all this even though I told @dbeato that in a PM.
I wonder what was setting it to 30 days then? Perhaps someone in the past set it to 30, then the GPO was disabled, and the setting just stuck until it was changed again and enabled.