5 Replies Latest reply on Mar 23, 2012 8:09 AM by SafeBoot

    Problems after changing GP in AD

      Hi there,

       

      Recently I've noticed some problems and can't find any solutions for this.

      We're now changing group policy settings for user accounts in AD. For some reasons we have shortened the time for account validity. After that some users, who are prompted to change their domain password, can't log in to the client stations.

      And the worst thing is that HelpDesk Operators, who can recover/reset user accounts, can't do this! After recovery operations the account is still locked out.

       

      The only thing I can do is remove locked user accounts from the SB server and make a new one for the user (with a new ID), add it to the client station and synchronize it.

       

       

      1) We're using EEM 5.18

      2) The template for user accounts has 2 checkboxes enabled:

       

      "Password content restrictions":

      Can't be user name    - checked

      Windows content rules - checked

       

      3) OS client stations: Win XP SP3

       

      Does anybody have any ideas?

       

      BR

        • 1. Re: Problems after changing GP in AD

          Are you talking about Windows credentials not working, or EEPC credentials?

           

          If it's the latter, then you MUST be using the EEPC Active Directory connector, which would have reflected any changes you made to the AD policy back to the EEPC users. It's likely you've just disabled all the accounts because you changed their validity time.

          • 2. Re: Problems after changing GP in AD

            It's about EEPC credentials. As I wrote, after User Recovery Options, the user account is still locked out, even if I reset the account from the server level to the default.

             

            ADCon is working, I can add new users (adding FNC group to user account in AD).

            • 3. Re: Problems after changing GP in AD

              ok, so did you check in the client log, that your changes to the account in EEM are being reflected, and have you checked in EEM that the account hours, expiry date, and "enabled" status are all still good?

               

              what does "after user recovery options" mean though - I don't understand what you are trying to tell us.

               

              Message was edited by: SafeBoot on 3/22/12 11:45:00 AM EDT
              • 4. Re: Problems after changing GP in AD

                SafeBoot wrote:

                 

                 

                what does "after user recovery options" mean though - I don't understand what you are trying to tell us.


                 

                I mean that when I try to unlock a user account in SB (on the client machine: Options->Recovery->User recovery) and get information that the Recovery operation ended successfully, the user still gets information that authentication parameters are incorrect...

                • 5. Re: Problems after changing GP in AD

                  can you tell us exactly what you mean by "unlock the user account" - exactly which of the challenge/response options did you pick?

                   

                  If you indeed picked "unlock account", then that won't help - you need to do a reset password c/r to change a password, OR if the user has invalidated their token through too many incorrect attempts, then you need to create them a new token (by doing a change token c/r).