We recently implemented Fine-Grained Password Policies so that we could have different policies for different users. We created two security groups - one for accounts that should have the policy and one for accounts that shouldn't have the policy. Passwords
expire every 120 days. I have verified that the FGPP is configured correctly using the Get-ADUserResultantPasswor
OWA - Approximately half of our users access their e-mail through Outlook Web Access. Some of these users are starting to see a notice in OWA that says their password is going to expire in 1 or 10 or 14 days but their network password is not set to expire for at least another 100 days. Interestingly enough, my OWA account said my password was going to expire yesterday. I ignored it to see what would happen and I had no problem accessing network resources today so clearly the FGPP overrides the setting that OWA is getting. The message can basically be ignored but why is OWA getting a different expiration date?
ActiveSync - It appears that ActiveSync is getting the same expiration time that OWA gets and it is causing a much bigger problem for users who get email on their phones. What I think is happening is that their phones keep sending the password - which is correct - but ActiveSync sees it as expired and doesn't accept it. After the phone sends the password three times, the user's account gets locked. When this happens, a user cannot access network resources until an administrator unlocks their account. It also appears to affect the regular Outlook client as it starts to prompt for a password even though it is not set to expire for another 100+ days. It also seems to happen much more frequently than it should.
It has been suggested that OWA & ActiveSync are getting their expiration from the default domain policy. I do not have any account security settings defined in the default domain policy so I am not sure why there would be any expiration notice. I could, I suppose, enable the expiration setting in the default domain policy but have not done so because I have accounts with passwords that should never expire. Their accounts in AD are set to never expire but I am not sure that this setting will override any expiration setting in the default domain policy.
Some additional information... The AD & Exchange 2010 servers are running Windows 2008 R2. Exchange OWA is configured for Integrated Windows Authentication using forms-based authentication with user name only.
Any and all help appreciated!
Mary Pat Conroy
Information Systems Manager
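One way to check, for every member of the FGPP group, which policy AD actually applies and whether the expiry date AD computes matches what the 120-day policy predicts (added diagnostic script, not from the original post; assumes the RSAT ActiveDirectory module and a placeholder group name `FGPP-120Day-Users`):

```powershell
# Added example, not from the post. Assumes the RSAT ActiveDirectory module is
# installed and the account running it can read user attributes.
Import-Module ActiveDirectory

# Placeholder: the security group whose members should receive the 120-day FGPP.
$FgppGroup = 'FGPP-120Day-Users'

$domainPolicy = Get-ADDefaultDomainPasswordPolicy
Write-Host ("Default domain MaxPasswordAge: {0}, LockoutThreshold: {1}" -f `
    $domainPolicy.MaxPasswordAge, $domainPolicy.LockoutThreshold)

# msDS-UserPasswordExpiryTimeComputed holds Int64.MaxValue when the password never expires.
$never = [Int64]::MaxValue

Get-ADGroupMember -Identity $FgppGroup -Recursive |
  Where-Object { $_.objectClass -eq 'user' } |
  ForEach-Object {
    $u = Get-ADUser -Identity $_.distinguishedName -Properties PasswordLastSet, `
        PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'

    # Resultant policy: the FGPP that wins for this user, or $null if only the domain policy applies.
    $rpp = Get-ADUserResultantPasswordPolicy -Identity $u
    $maxAge  = if ($rpp) { $rpp.MaxPasswordAge }  else { $domainPolicy.MaxPasswordAge }
    $lockout = if ($rpp) { $rpp.LockoutThreshold } else { $domainPolicy.LockoutThreshold }

    # Expiry as AD itself computes it; this is what a well-behaved client (OWA, ActiveSync) should honour.
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    $adExpiry = if ($null -eq $raw -or $raw -eq $never -or $raw -le 0) { $null }
                else { [DateTime]::FromFileTime($raw) }

    # Expiry predicted from PasswordLastSet plus the resultant MaxPasswordAge.
    # A zero or negative MaxPasswordAge means "never expires" in the policy.
    $expected = if ($u.PasswordNeverExpires -or $maxAge -le [TimeSpan]::Zero -or $null -eq $u.PasswordLastSet) { $null }
                else { $u.PasswordLastSet + $maxAge }

    [PSCustomObject]@{
      User             = $u.SamAccountName
      ResultantPolicy  = if ($rpp) { $rpp.Name } else { '(default domain policy)' }
      LockoutThreshold = $lockout
      NeverExpires     = $u.PasswordNeverExpires
      PasswordLastSet  = $u.PasswordLastSet
      ADComputedExpiry = $adExpiry
      ExpectedExpiry   = $expected
      Mismatch         = ($adExpiry -ne $expected)   # True when AD and the FGPP disagree
    }
  } | Format-Table -AutoSize
```

A row with `Mismatch` set to True, or a `ResultantPolicy` of `(default domain policy)` for an account that should be in the FGPP group, points at the account rather than at OWA or ActiveSync; accounts with `NeverExpires` True are correctly shown with no expiry regardless of either policy.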