Hi,
I have been having some trouble with users often getting locked out after changing their passwords.
It would seem that having "Password history check n-2" enabled in the domain should prevent this from happening
when attempting to log on using their previous password, and it does; but only in some cases.
1. A user can try to log on from the "Windows logon screen" an unlimited number of times using
his previous password, without badPwdCount incrementing (good!).
2. In other cases, a mobile device (ActiveSync), application, etc. will increment badPwdCount and lock the account when using the previous password/saved credentials (bad!).
As an example, running this PowerShell script in our domain will increment badPwdCount and get the user locked out using a previous password:

    Function Test-Credentials {
        param(
            [parameter(Mandatory=$true)]$UserName,
            [parameter(Mandatory=$true)]$Password
        )
        # Validate the credentials against the current domain (one logon attempt on a DC)
        Add-Type -AssemblyName System.DirectoryServices.AccountManagement
        $Domain = $env:USERDOMAIN
        $ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
        $pc = New-Object System.DirectoryServices.AccountManagement.PrincipalContext $ct, $Domain
        # $true if the password is accepted; a wrong (or previous) password is a failed logon on that DC
        $result = $pc.ValidateCredentials($UserName, $Password)
        return $result
    }

    Test-Credentials -UserName "TestAccount1" -Password "PreviousPassword"
Is there any more detailed information about the password history check function and how it works?
What would be the Microsoft way of handling this?
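As an added example (not part of the question above, and not Microsoft's own guidance), the following PowerShell snippet asks every domain controller for an account's badPwdCount and last bad password time. These values are not replicated between DCs, so the DC that holds the highest count is the one receiving the failed logons from the stale credential (mobile device, service, script). The snippet assumes the ActiveDirectory module (RSAT) is installed and reuses the account name TestAccount1 from the post.

```powershell
# Added example: find which domain controller is recording the failed logons
# that lead to the lockout. badPwdCount and lastBadPasswordAttempt are per-DC
# (not replicated), so each DC has to be queried separately.
# Assumes the ActiveDirectory module (RSAT) is available.
Import-Module ActiveDirectory

function Get-BadPasswordCountPerDC {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName
    )
    # Every writable DC in the domain, by host name
    $domainControllers = Get-ADDomainController -Filter * |
        Select-Object -ExpandProperty HostName

    foreach ($dc in $domainControllers) {
        try {
            # Query this specific DC; the counters reflect only attempts it has seen
            $user = Get-ADUser -Identity $SamAccountName -Server $dc `
                -Properties BadPwdCount, LastBadPasswordAttempt, LockedOut, PasswordLastSet
            [PSCustomObject]@{
                DomainController       = $dc
                BadPwdCount            = $user.BadPwdCount
                LastBadPasswordAttempt = $user.LastBadPasswordAttempt
                LockedOut              = $user.LockedOut
                PasswordLastSet        = $user.PasswordLastSet
            }
        }
        catch {
            # A DC that is unreachable should not abort the whole sweep
            Write-Warning "Could not query $dc : $($_.Exception.Message)"
        }
    }
}

# Account name taken from the post; sort so the DC with the most recent failure is first
Get-BadPasswordCountPerDC -SamAccountName 'TestAccount1' |
    Sort-Object LastBadPasswordAttempt -Descending |
    Format-Table -AutoSize
```

The DC reported with the non-zero count is where to look next: its Security log carries the failed authentication events (4776 for NTLM, 4771 for Kerberos pre-authentication) with the client name or address, and the PDC emulator logs the lockout itself as event 4740 naming the caller computer. Comparing LastBadPasswordAttempt with PasswordLastSet also shows quickly whether the failures started right after the password change, which points at a saved old credential rather than a guessing attempt.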