
password expiration notifications


insureme

IS-IT--Management
Dec 9, 2008
My problem, I'm guessing, is related to domain policy, but I'm not positive and I wouldn't know where to look to fix it. We are running a Windows 2000 domain; however, the only servers that are Windows 2000 are the PDC and BDC. We are also running nearly all users on a thin client environment using Citrix 4.5. We just finished the 4.5 migration about four months ago, and we've noticed since the migration users are not getting notifications at logon about their password expiration, which in turn leaves them with an expired password, and they never knew it was coming. I'd be interested in any ideas as to why this might happen and how to fix it.

Thanks
 
You can force this notification in your Default Domain Policy under CompConfig/Windows Settings/Security Settings/Local Policies/Security Options/Interactive Logon: Prompt User to change password before expiration

AD should do it by default, but since you migrated, it may need to be forced.


_______________________________________
I hope any help I give leads to great successes.
MCSE, MCSA, MCTS, CCA, VCP, CCNA
 
After a quick review of my GPOs, the setting is set correctly, and furthermore a resultant set of group policy on the Citrix servers states that it's active, and the correct policy is listed as the winning GPO.
 
That article only applies to the access-gateway and web interface login method. These people are going right in. Sorry, wasn't sure if this was a Citrix or Server 2000 question.
 
Thin clients are configured to log right in to Citrix? What credentials are used? Do they input these when they log in via the thin client or is there a generic account they use and then authenticate to the apps? I believe the Thin Clients log in through a web interface unless it is using the published app client.


 
The thins log in using the domain accounts. The thin client accesses the published desktop, which in turn gives the Windows 2003 logon page and then logs in based on the user's domain credentials. Like I said though, before we migrated from Citrix 4.0 to 4.5 they did get the password expiration notice.
 
On the 2003 server they are logging in to, check the Local Security Settings for the items I spoke of above. They should be getting prompts on the 2003 server about their passwords. With the expired passwords, do they ever get to the 2003 desktop?


 
Go in to Access Management Console. Find the Web Interface website link, right-click on it and choose Configure/Authentication Methods, Explicit-Properties. Under Password Settings, make your changes there for notifications.


 
No, the users with expired passwords get a typical wrong login/password message, and never get to the desktop as far as I can tell. The prompts are not coming. I checked the local security policy, and its configuration on all four servers matches the domain policy and is also locked out so I can't change it anyway. I'm assuming since it's a server receiving a domain policy. I tried the suggestion of the web interface, and the web interface is not even configured on my management console.
 
You will need to create your Web Interface site for the options I instructed above.

Are you just publishing applications? No one accesses this farm through IE/Firefox/Mozilla?

Are all clients using the XenApp 11.x client?

If you are publishing and RDP to a server, then that server should be prompting them and should have nothing to do with Citrix. But if you are running the new version of Microsoft's RDP client, which makes you enter your credentials before it will start the session, they may never get far enough for the remote desktop to inform them of their expired credentials.


 
Some people do access it through IE or Firefox, but only remotely. All users, unless accessing from home, use thin clients to connect to the farm. We are using XenApp to publish the XenDesktop for all users to access. This has only been an issue since we changed from version 4.0 to version 4.5 of Citrix.
 
If they are accessing through IE, then you must have the Web Interface configured. Are you using Secure Gateways too?


 
No, we are not using secure gateways; however, I didn't set this thing up, so I'm not positive on anything. I know that from outside we use a Citrix Access Gateway and then a published desktop. From inside we use thin clients connecting through TCP/IP to a server. As an aside, my laptop, which has nothing to do with Citrix, has also not notified me that I need to change my password, and it too says it's running the correct domain policy, and the RSoP states that it should have.
 
So on the data collector/Web interface server for your farm...locate the Access Management Console...perform a Discovery...then down on the left side you should see Citrix Resources/Configuration Tools/Web Interface...then follow above instructions


 
I solved my own problem. The printout I had was old. When I looked closer, someone set the policy to max age of 0. Thanks for the assistance though.
 
When you looked closer? You were checking your GPOs from a printout?

You came here asking for help, people spent their time helping you, you never awarded any stars to anyone for their help...and it turns out you failed to do the basic thing of checking for yourself before having all these fine people help you?

What a colossal waste of time that was for everyone.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 
Lesson well learned, Dave, and an apology to everyone who wasted their time on this problem too.
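
An added example, not part of the original thread: a PowerShell check that compares documented password-policy values with what the logon server and the domain actually report, covering both the "Prompt user to change password before expiration" setting and the maximum password age discussed above. The function name and the baseline numbers are hypothetical placeholders, and the parsing assumes English-language `net accounts` output.

```powershell
# Added example: compare documented password-policy values with live ones.
# Run on the server users log on to (for example, a Citrix/terminal server).
function Compare-PasswordPolicyBaseline {
    param(
        # Placeholders: replace with the values from your own documentation.
        [string]$DocumentedMaxAge   = '42',
        [string]$DocumentedWarnDays = '14'
    )

    # "Interactive logon: Prompt user to change password before expiration"
    # is stored in this Winlogon registry value once policy has applied.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $prop = Get-ItemProperty -Path $key -Name PasswordExpiryWarning `
                             -ErrorAction SilentlyContinue
    $liveWarn = if ($prop) { [string]$prop.PasswordExpiryWarning } else { 'not set' }

    # Domain maximum password age as reported by a domain controller.
    # net.exe prints a number of days, or "Unlimited" when passwords never expire.
    $line = net accounts /domain 2>$null |
        Where-Object { $_ -match '^Maximum password age' } |
        Select-Object -First 1
    $liveMaxAge = if ($line) { ($line -split ':')[-1].Trim() } else { 'unavailable' }

    # One row per setting, so drift is visible at a glance.
    [pscustomobject]@{
        Setting    = 'Maximum password age (days)'
        Documented = $DocumentedMaxAge
        Live       = $liveMaxAge
        Match      = ($DocumentedMaxAge -eq $liveMaxAge)
    }
    [pscustomobject]@{
        Setting    = 'PasswordExpiryWarning (days)'
        Documented = $DocumentedWarnDays
        Live       = $liveWarn
        Match      = ($DocumentedWarnDays -eq $liveWarn)
    }
}

Compare-PasswordPolicyBaseline | Format-Table -AutoSize
```

Any row with `Match` set to `False` means the documentation and the enforced policy have drifted apart and the GPO should be re-read from the live domain.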
 