Discussion:
Stop mapped drives from locking AD accounts when passwords are changed?
User Name
2008-10-09 22:10:01 UTC
Users have drives mapped to another domain and whenever their password
expires, they change that domain password and forget to change the
password on their mapped drive connection.

Their account gets locked out, and it's a huge hassle for everyone.

There is no way that they will all be able to remember to disconnect
their network drives before changing their domain password, so is
there anything that can be done to automate this or even just prompt
the user?

For instance, if your e-mail has an old password, it doesn't
immediately lock your account. It stops checking for mail and prompts
you to type in the correct password instead of repeatedly sending the
bad password and locking your account.

Is there something like this that can be made available for mapped
drives?
Meinolf Weber
2008-10-09 22:18:19 UTC
Hello User,

Do you have a trust between the domains?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Post by User Name
Users have drives mapped to another domain and whenever their password
expires, they change that domain password and forget to change the
password on their mapped drive connection.
Their account gets locked out, and it's a huge hassle for everyone.
There is no way that they will all be able to remember to disconnect
their network drives before changing their domain password, so is
there anything that can be done to automate this or even just prompt
the user?
For instance, if your e-mail has an old password, it doesn't
immediately lock your account. It stops checking for mail and prompts
you to type in the correct password instead of repeatedly sending the
bad password and locking your account.
Is there something like this that can be made available for mapped
drives?
User Name
2008-10-09 22:40:05 UTC
Post by Meinolf Weber
Hello User,
Do you have a trust between the domains?
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Post by User Name
Users have drives mapped to another domain and whenever their password
expires, they change that domain password and forget to change the
password on their mapped drive connection.
Their account gets locked out, and it's a huge hassle for everyone.
There is no way that they will all be able to remember to disconnect
their network drives before changing their domain password, so is
there anything that can be done to automate this or even just prompt
the user?
For instance, if your e-mail has an old password, it doesn't
immediately lock your account.  It stops checking for mail and prompts
you to type in the correct password instead of repeatedly sending the
bad password and locking your account.
Is there something like this that can be made available for mapped
drives?
There are some one-way trusts for a select few users who access a
limited set of resources with their own domain accounts, but they have
chosen to have separate domain accounts for accessing most resources
on the other domain. There are no plans to expand the trusts for
security reasons and also for company politics.
When their password expires, they change it via a web page since they
cannot change the passwords via the Windows built-in GUI.
Phillip Windell
2008-10-10 13:27:02 UTC
Post by User Name
There are some one-way trusts for a select few users who access a
limited set of resources with their own domain accounts,
Trusts are not between users or tied to users. Trusts are between Domains
(not users) and if it is there,...then it is there.

What you should be looking at is getting rid of the Mapped Drives. Except
for rare exceptions due to old Applications there is no need for them any
more. Use UNC Shortcuts to the resources. A Shortcut with an intuitive name
is much more useful than a meaningless single letter with a colon after it.
The Trust that you say exists should be utilized so that the users access
the resources by their own accounts in their own domain (that is what the
Trust does). They should not be using accounts on the other domain. The way
it is now the Trust is doing nothing, you aren't using it, so just start
using it.

Other than that, the Stored User Names and Passwords the other guys
mentioned is probably what you are stuck with.
--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
User Name
2008-10-10 21:04:32 UTC
Post by User Name
There are some one-way trusts for a select few users who access a
limited set of resources with their own domain accounts,
Trusts are not between users or tied to users.  Trusts are between Domains
(not users) and if it is there,...then it is there.
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Technically, that may be true, but practically, it is set up for just
a few select users because those users are the only ones with accounts
that were given access to anything using the trust.
Everyone else logs in using the other domain's accounts.

We will look into the stored user passwords and maybe some use of
shortcuts instead of mapped drives.
User Name
2008-10-10 21:18:25 UTC
Post by Phillip Windell
The Trust that you say exists should be utilized so that the users access
the resources by their own accounts in their own domain (that is what the
Trust does). They should not be using accounts on the other domain.  The way
it is now the Trust is doing nothing, you aren't using it, so just start
using it.
-----------------------------------------------------
That would be ideal, but there are corporate politics and power plays
by upper management of the two companies preventing widespread use of
the trusts anytime in the near future.
Some top execs and a very few IT personnel can use the trust to access
resources on the other domain. Everyone else will need to use their
other domain's accounts for the foreseeable future.
Phillip Windell
2008-10-13 14:08:11 UTC
Whoever "possesses" the needed resource needs to grant permissions to the
correct Accounts. It is just that simple. If they won't then they aren't
doing their jobs.

Once a Trust is set up *Everybody* uses it. There is no such thing as some
people using the Trust while some people do not. There can be people who
have their accounts granted permissions to resources,...and some do
not,...but that is a matter how NTFS Permissions and Share Permissions are
"granted",...it is not a matter of using a Trust or not using a Trust. The
Trust is tied to the Domains,...not to Users.

The politics and powerplays are not the problem here. The problem is people
in IT not doing their jobs by granting permissions to domain accounts
cleanly and accurately like they should be. There is no benefit to
mirroring accounts "workgroup style" pertaining to security or politics,..it
is just nonsense and superstition.

You can forward my post to them. They can't fire me.
--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Post by Phillip Windell
The Trust that you say exists should be utilized so that the users access
the resources by their own accounts in their own domain (that is what the
Trust does). They should not be using accounts on the other domain. The way
it is now the Trust is doing nothing, you aren't using it, so just start
using it.
-----------------------------------------------------
That would be ideal, but there are corporate politics and power plays
by upper management of the two companies preventing widespread use of
the trusts anytime in the near future.
Some top execs and a very few IT personnel can use the trust to access
resources on the other domain. Everyone else will need to use their
other domain's accounts for the foreseeable future.
Marcin
2008-10-09 22:48:17 UTC
Assuming that you are mapping drives using different set of credentials
(which the symptoms you described seem to indicate), you can use Stored User
Names and Passwords. You can find more details regarding this at
http://support.microsoft.com/kb/306992

hth
Marcin
Post by User Name
Users have drives mapped to another domain and whenever their password
expires, they change that domain password and forget to change the
password on their mapped drive connection.
Their account gets locked out, and it's a huge hassle for everyone.
There is no way that they will all be able to remember to disconnect
their network drives before changing their domain password, so is
there anything that can be done to automate this or even just prompt
the user?
For instance, if your e-mail has an old password, it doesn't
immediately lock your account. It stops checking for mail and prompts
you to type in the correct password instead of repeatedly sending the
bad password and locking your account.
Is there something like this that can be made available for mapped
drives?
Paul Bergson [MVP-DS]
2008-10-10 12:18:14 UTC
The convoluted way things are set up is just begging for hassles, of which
you are undergoing. Stored user passwords is what is set up to get around
your issue. I hate this option, but it is available.

http://support.microsoft.com/kb/281660
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
Post by User Name
Users have drives mapped to another domain and whenever their password
expires, they change that domain password and forget to change the
password on their mapped drive connection.
Their account gets locked out, and it's a huge hassle for everyone.
There is no way that they will all be able to remember to disconnect
their network drives before changing their domain password, so is
there anything that can be done to automate this or even just prompt
the user?
For instance, if your e-mail has an old password, it doesn't
immediately lock your account. It stops checking for mail and prompts
you to type in the correct password instead of repeatedly sending the
bad password and locking your account.
Is there something like this that can be made available for mapped
drives?
User Name
2008-10-17 23:47:48 UTC
On Oct 10, 5:18 am, "Paul Bergson [MVP-DS]"
Post by Paul Bergson [MVP-DS]
The convoluted way things are set up is just begging for hassles, of which
you are undergoing.  Stored user passwords is what is set up to get around
your issue.  I hate this option, but it is available.
http://support.microsoft.com/kb/281660
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
I set up stored passwords and tested it on a workstation. It seems
easier than having to type the password into every mapped drive, but
it did not solve the issue of accounts locking when the domain
password is changed.
I tested saving an incorrect password into the stored password
application and when I tried to access a domain resource, the account
instantly became locked instead of displaying a prompt for different
credentials. This doesn't seem to solve the original problem.
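
Since a stale saved password is what gets replayed in the behaviour described above, one approach is to remove the saved entry and the drive mapping for the other domain's servers around the password change. The following is an added example, not part of the original thread; the suffix `other.example` and the helper `Get-StoredTarget` are hypothetical, and it assumes PowerShell 3 or later with English `cmdkey` output.

```powershell
# Added example, not from the thread. 'other.example' is a hypothetical DNS
# suffix for the other domain's file servers. Assumes English cmdkey output:
#     Target: Domain:target=fs01.other.example
#     Type: Domain Password
#     User: OTHER\jdoe
param(
    [string]$OtherDomainSuffix = 'other.example',
    [switch]$Apply   # without -Apply the script only reports what it finds
)

function Get-StoredTarget {
    # Turn `cmdkey /list` text into Target/User objects.
    param([string[]]$CmdkeyOutput)
    $target = $null
    foreach ($line in $CmdkeyOutput) {
        if ($line -match '^\s*Target:\s*\S*?target=(\S+)') {
            $target = $Matches[1]
        } elseif ($target -and $line -match '^\s*User:\s*(.+)$') {
            [pscustomobject]@{ Target = $target; User = $Matches[1].Trim() }
            $target = $null
        }
    }
}

$suffix = [regex]::Escape($OtherDomainSuffix)

# 1. Stored User Names and Passwords entries for the other domain's servers.
$stored = Get-StoredTarget (cmdkey /list) |
    Where-Object { $_.Target -match ($suffix + '$') }
foreach ($c in $stored) {
    "Stored credential: $($c.Target) as $($c.User)"
    if ($Apply) { cmdkey "/delete:$($c.Target)" | Out-Null }
}

# 2. Drive mappings to those servers (reconnected with the remembered account).
$unc = '^\\\\[^\\]*' + $suffix + '\\'
$drives = Get-CimInstance Win32_NetworkConnection |
    Where-Object { $_.RemoteName -match $unc }
foreach ($d in $drives) {
    "Mapped drive: $($d.LocalName) -> $($d.RemoteName) as $($d.UserName)"
    if ($Apply -and $d.LocalName) { net use $d.LocalName /delete /y | Out-Null }
}
```

Run it without `-Apply` first to review what would be removed; after the password change the user reconnects and saves the new password.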
