Hello All,
(Windows Server 2012 R2 Domain, Windows 2008 RADIUS, Windows 7 Wireless Clients)
(Goal)
- We want to have the ability to create a domain password policy so that our wireless client computers will get prompted to change their passwords at login (right now our default domain policy is not set up yet to force password changes), but we ran into some issues when testing password changes.
- Our wireless clients connect through a Microsoft RADIUS NPS server. We also have a NAC device that acts as a proxy so that computers can register their laptops - the NAC then hands the connection back to the RADIUS server after the registration is complete. If a password is changed, there appears to be an issue authenticating unless we go hardwired, change the password and then connect back to wireless after the password gets cached. To get around this issue with wireless clients having authentication issues when the password is changed, we needed to create an OU and used the settings from this link as a guideline: https://msdn.microsoft.com/en-us/library/dd759176.aspx
- So we created the OU and enabled and linked it, and here is a summary of what is going on:
(Testing Password Change/Rebooting Laptop)
- If we set the account in AD to prompt the user to "change the password at next login", after a reboot we do not see the "wireless OU" splashed at the login screen. When logging in, the previous password is cached and the user is not prompted to change the password.
(Logging Off and Logging On)
- However, if we log off (after logging on at reboot) we then do see the Wireless OU, and then we do get prompted to enter the old password and enter a new password. So it appears that when the computer is shut down or rebooted, the wireless GPO policy is not processed during the reboot and the login process, but when you log off and log on the wireless GPO policy is processed.
Sorry for the long post. Hope this is making sense to someone.
Thanks for the time,
Bob