GPO question
-
I just created our new incoming first year students and was testing one of them out and they cannot change their password. I looked and I do not have any GPO that says they cannot change their password. I don't have a default domain policy enabled either. I have the GPOs set in the groups.
How can I figure out what is not allowing the student to change his password?
-
@WLS-ITGuy said in GPO question:
I just created our new incoming first year students and was testing one of them out and they cannot change their password. I looked and I do not have any GPO that says they cannot change their password. I don't have a default domain policy enabled either. I have the GPOs set in the groups.
How can I figure out what is not allowing the student to change his password?
You can only have one GPO for passwords or your can move to Fine Grained Password Policies
https://blogs.technet.microsoft.com/canitpro/2013/05/29/step-by-step-enabling-and-using-fine-grained-password-policies-in-ad/ -
Let's add to this, all students are BYOD but have access to our Exchange server only.
All domain users who have a PC can change their password through the change password option on a windows machine.
Also, those domain users get prompted to follow the complexity rules.
-
@WLS-ITGuy said in GPO question:
I just created our new incoming first year students and was testing one of them out and they cannot change their password. I looked and I do not have any GPO that says they cannot change their password. I don't have a default domain policy enabled either. I have the GPOs set in the groups.
How can I figure out what is not allowing the student to change his password?
The default policy has a minimum age of 1 day. They cannot change their password for 24 hours after you create the account or reset their password in AD.
-
@JasGot said in GPO question:
@WLS-ITGuy said in GPO question:
I just created our new incoming first year students and was testing one of them out and they cannot change their password. I looked and I do not have any GPO that says they cannot change their password. I don't have a default domain policy enabled either. I have the GPOs set in the groups.
How can I figure out what is not allowing the student to change his password?
The default policy has a minimum age of 1 day. They cannot change their password for 24 hours after you create the account or reset their password in AD.
Default policy (was testing) is actually disabled and no other GPO has password settings.
-
@WLS-ITGuy said in GPO question:
@JasGot said in GPO question:
@WLS-ITGuy said in GPO question:
I just created our new incoming first year students and was testing one of them out and they cannot change their password. I looked and I do not have any GPO that says they cannot change their password. I don't have a default domain policy enabled either. I have the GPOs set in the groups.
How can I figure out what is not allowing the student to change his password?
The default policy has a minimum age of 1 day. They cannot change their password for 24 hours after you create the account or reset their password in AD.
Default policy (was testing) is actually disabled and no other GPO has password settings.
If the machine was joined prior to you changing the min password age, and you only unchecked the min password age box, then the first assignment is still there.
With GPOs you have to over-right settings to change them.Just for grins, can you run "net accounts" from an elevated prompt on that client machine an post the results here.
It should look something like this:
-
@JasGot said in GPO question:
irst assignment is still there.
With GPOs you have to over-right settings to change them.Just as a side note this will not be accurate when using Fine Grained Password Policies.
-
If the machines are BYOD, how are your users trying to change their passwords?
Can they do it on the OWA portal?
They definitely wouldn’t be able to do it via cntrl +alt+del
-
@Dashrender said in GPO question:
If the machines are BYOD, how are your users trying to change their passwords?
Can they do it on the OWA portal?
They definitely wouldn’t be able to do it via cntrl +alt+del
Correct, as they are BYOD, they have to change it in OWA. However, they get the message that they haven't hit the complexity rules. These are new users, never before created, never before logged into a machine on the network.
-
@WLS-ITGuy said in GPO question:
Correct, as they are BYOD, they have to change it in OWA. However, they get the message that they haven't hit the complexity rules. These are new users, never before created, never before logged into a machine on the network.
So they are not on; and are not joining the domain?
-
@JasGot Correct, only BYOD on a separate VLAN/wifi for students.
-
@WLS-ITGuy what version of exchange?
-
@WLS-ITGuy said in GPO question:
@JasGot Correct, only BYOD on a separate VLAN/wifi for students.
If they are not on, and are not joining AD then GPO doesn't apply.
-
@JasGot said in GPO question:
@WLS-ITGuy said in GPO question:
@JasGot Correct, only BYOD on a separate VLAN/wifi for students.
If they are not on, and are not joining AD then GPO doesn't apply.
Oh yeah forgot I was going to say that.
Changing passwords through OWA can be done, though I think it can be a real PITA.
-
From my experience, BYODs make resetting AD passwords for students a time-waster for IT. You should delegate this to non-IT staff like school librarians and teach them how to use a password reset app like Wisesoft's Password Control (with giving them appropriate permissions like only for students OU, of course) or get your software developer to create a web-based password reset kiosk for students and staff with BYODs.
-
@taurex said in GPO question:
From my experience, BYODs make resetting AD passwords for students a time-waster for IT. You should delegate this to non-IT staff like school librarians and teach them how to use a password reset app like Wisesoft's Password Control (with giving them appropriate permissions like only for students OU, of course) or get your software developer to create a web-based password reset kiosk for students and staff with BYODs.
We've learned since the original post, this is not an AD/OU environment. Your point about 3rd party password control is a great option for domain admins though.....
-
It is an AD environment. The students are created in AD on Server 2016 with Exchange 2016. They just use OWA only. They just don't log in to PCs that are part of the domain.
-
@JasGot said in GPO question:
@taurex said in GPO question:
From my experience, BYODs make resetting AD passwords for students a time-waster for IT. You should delegate this to non-IT staff like school librarians and teach them how to use a password reset app like Wisesoft's Password Control (with giving them appropriate permissions like only for students OU, of course) or get your software developer to create a web-based password reset kiosk for students and staff with BYODs.
We've learned since the original post, this is not an AD/OU environment. Your point about 3rd party password control is a great option for domain admins though.....
But those students still have accounts in OP's AD, right? It's only their devices are BYOD.
-
@taurex said in GPO question:
@JasGot said in GPO question:
@taurex said in GPO question:
From my experience, BYODs make resetting AD passwords for students a time-waster for IT. You should delegate this to non-IT staff like school librarians and teach them how to use a password reset app like Wisesoft's Password Control (with giving them appropriate permissions like only for students OU, of course) or get your software developer to create a web-based password reset kiosk for students and staff with BYODs.
We've learned since the original post, this is not an AD/OU environment. Your point about 3rd party password control is a great option for domain admins though.....
But those students still have accounts in OP's AD, right? It's only their devices are BYOD.
Yes. The new student (class of 2023) can log into OWA but cannot change the password. Other students (class of 2020, 2021, 2022) can all change their passwords.
-
@WLS-ITGuy said in GPO question:
@taurex said in GPO question:
@JasGot said in GPO question:
@taurex said in GPO question:
From my experience, BYODs make resetting AD passwords for students a time-waster for IT. You should delegate this to non-IT staff like school librarians and teach them how to use a password reset app like Wisesoft's Password Control (with giving them appropriate permissions like only for students OU, of course) or get your software developer to create a web-based password reset kiosk for students and staff with BYODs.
We've learned since the original post, this is not an AD/OU environment. Your point about 3rd party password control is a great option for domain admins though.....
But those students still have accounts in OP's AD, right? It's only their devices are BYOD.
Yes. The new student (class of 2023) can log into OWA but cannot change the password. Other students (class of 2020, 2021, 2022) can all change their passwords.
Adding to this, all 4 classes are under the same OU
