w2k12 密码已过期但没有提示更改

Question 1

如果会话中的密码已过期，则需要用户使用新的凭证重新登录才能获得有效的令牌。

如果他们使用 CTRL-ALT-DEL->更改密码选项来更改密码，那么他们也需要重新登录。

我曾经为我的 RDS 场做过的最好的建议是强制更改用户密码登录到 TS。

我如何做到的；

我每天午夜运行一项计划任务，当用户接近到期日时强制 Active Directory 中的用户到期。

喜欢;

# This PowerShell Script will query Active Directory and return the user accounts with passwords 
# set to expire before the end of the next day, export a list of the affected accounts, and require
# a password change at the next logon.  The script is configured to ingore accounts which have been
# configured with passwords that never expire, and to ignore accounts who do not have permission to
# change their own password.  Any other account would be affected, so be warned before running this
# script, as you could experience unintended consequences.  Either modify the script to reduce the
# scope of user accounts, or ensure that accounts that shouldn't be affected are either flaged with
# a non-expiring password or are flagged with "cannot change password.  When ready to run/schedule 
# in production, remove the -WhatIf from the last line.
#
# - MWT, 10/11/13

# The 89 is based upon your environment. If passwords expire every X (90) days, and you run the script
# in the early morning, you can set it to -1*(X-1) (-89), if you run the script late at night, set it to
# -1*(X-2) (-88).

Import-Module ActiveDirectory # Required for PowerShell 2.0 only

$a = (Get-Date).Date.AddDays(-88)

# The following line will build the variable based upon the noted criteria
$b = Get-ADUser -SearchBase "OU=Contonso,DC=com" -Property Name,SamAccountName,PasswordLastSet,CannotChangePassword,PasswordNeverExpires -Filter {(PasswordLastSet -lt $a) -and (PasswordNeverExpires -eq $false) -and (Enabled -eq $true)} | Where-Object {$_.CannotChangePassword -eq $false}

# The following line will display/export the data logging the accounts to be changed; please note the
# Out-File path and change to suit your needs.
$b | Format-Table Name,PasswordLastSet,CannotChangePassword,PasswordNeverExpires -AutoSize

# The following line will actually flag the accounts to require a password change (after -WhatIf is removed)
  $b | ForEach-Object {Set-ADUser -Identity $_ -ChangePasswordAtLogon $true}

如果您的用户仅登录终端服务器，您可以将密码过期警告从 14 天更改为 1 天。我粘贴的脚本会在 -2 天时（从 90 天过期）使帐户过期，因此用户永远不会看到过期警告，因此永远不会在 TS 会话中收到更改密码的提醒。

注意，如果不确定，您可以在最后一行使用 -WhatIf 测试脚本，它将显示用户帐户，它将重置帐户而不会使其过期。

Answer

如果会话中的密码已过期，则需要用户使用新的凭证重新登录才能获得有效的令牌。

如果他们使用 CTRL-ALT-DEL->更改密码选项来更改密码，那么他们也需要重新登录。

我曾经为我的 RDS 场做过的最好的建议是强制更改用户密码登录到 TS。

我如何做到的；

我每天午夜运行一项计划任务，当用户接近到期日时强制 Active Directory 中的用户到期。

喜欢;

# This PowerShell Script will query Active Directory and return the user accounts with passwords 
# set to expire before the end of the next day, export a list of the affected accounts, and require
# a password change at the next logon.  The script is configured to ingore accounts which have been
# configured with passwords that never expire, and to ignore accounts who do not have permission to
# change their own password.  Any other account would be affected, so be warned before running this
# script, as you could experience unintended consequences.  Either modify the script to reduce the
# scope of user accounts, or ensure that accounts that shouldn't be affected are either flaged with
# a non-expiring password or are flagged with "cannot change password.  When ready to run/schedule 
# in production, remove the -WhatIf from the last line.
#
# - MWT, 10/11/13

# The 89 is based upon your environment. If passwords expire every X (90) days, and you run the script
# in the early morning, you can set it to -1*(X-1) (-89), if you run the script late at night, set it to
# -1*(X-2) (-88).

Import-Module ActiveDirectory # Required for PowerShell 2.0 only

$a = (Get-Date).Date.AddDays(-88)

# The following line will build the variable based upon the noted criteria
$b = Get-ADUser -SearchBase "OU=Contonso,DC=com" -Property Name,SamAccountName,PasswordLastSet,CannotChangePassword,PasswordNeverExpires -Filter {(PasswordLastSet -lt $a) -and (PasswordNeverExpires -eq $false) -and (Enabled -eq $true)} | Where-Object {$_.CannotChangePassword -eq $false}

# The following line will display/export the data logging the accounts to be changed; please note the
# Out-File path and change to suit your needs.
$b | Format-Table Name,PasswordLastSet,CannotChangePassword,PasswordNeverExpires -AutoSize

# The following line will actually flag the accounts to require a password change (after -WhatIf is removed)
  $b | ForEach-Object {Set-ADUser -Identity $_ -ChangePasswordAtLogon $true}

如果您的用户仅登录终端服务器，您可以将密码过期警告从 14 天更改为 1 天。我粘贴的脚本会在 -2 天时（从 90 天过期）使帐户过期，因此用户永远不会看到过期警告，因此永远不会在 TS 会话中收到更改密码的提醒。

注意，如果不确定，您可以在最后一行使用 -WhatIf 测试脚本，它将显示用户帐户，它将重置帐户而不会使其过期。

Question 2

临时解决方案是在 Active Directory 域服务中为用户更改密码。

除上述内容外，还请应用以下链接中引用的政策。

www.sevenforums.com/tutorials/74548-password-expiration-warning-change-time.html

Answer

临时解决方案是在 Active Directory 域服务中为用户更改密码。

除上述内容外，还请应用以下链接中引用的政策。

www.sevenforums.com/tutorials/74548-password-expiration-warning-change-time.html

Question 3

据我所知，您不能。如果密码已过期，他们就无法通过 RDS 服务器更改密码。

其他一些选项包括：

通过 OWA 更改
让服务台进行更改
配置自助密码系统

自从终端服务以来，这一直是一个基于会话的 RDS 问题。

当我们运行 RDS 时，我实施了一个密码通知应用程序，该应用程序在密码到期前 7 天每天发送电子邮件两次，在密码到期前 2 天每天发送电子邮件 4 次。如果用户到那时还没有更改密码并记录帮助台工单，则会在会议中提及此事（点名批评哈哈）。

Answer

据我所知，您不能。如果密码已过期，他们就无法通过 RDS 服务器更改密码。

其他一些选项包括：

通过 OWA 更改
让服务台进行更改
配置自助密码系统

自从终端服务以来，这一直是一个基于会话的 RDS 问题。

当我们运行 RDS 时，我实施了一个密码通知应用程序，该应用程序在密码到期前 7 天每天发送电子邮件两次，在密码到期前 2 天每天发送电子邮件 4 次。如果用户到那时还没有更改密码并记录帮助台工单，则会在会议中提及此事（点名批评哈哈）。

w2k12 密码已过期但没有提示更改

答案1

答案2

答案3

相关内容