Password and certificate priority - which is higher?
A certificate authority is deployed in the domain (all on Windows 2008), some users log in using an eToken, some use a password.
The domain also has a password policy that forces users to change their password after a certain amount of time.
This policy also applies to users with eTokens. The password is valid for 30 days, the user certificate is valid for one year. Once every 30 days, after entering the PIN code, eToken users are shown a sign “password must be changed” and the system forces the user to change the domain password.
This raises the question - is it possible to make the token a priority password without canceling the password change policy? So that the user can log in using a token and an expired password, access network resources, etc.?
Or is this not possible in principle, and you will have to use the "Password never expires" property in user profiles?
Thank you for your attention.
Caution, a wild crutch: before the delay, automatically reset the domain password of users from eToken to a random one that is not stored anywhere.
serverfault.com/questions/207115/how-do-i-bulk-reset-passwords-for-all-users-in-an-ou
If a user needs to urgently log in with a domain password, he will have to reset it again to a known one.
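
The approach from this answer, sketched as an added PowerShell example that is not part of the original post: before the 30-day policy fires, reset each eToken user's domain password to a random value that is never written down or logged. It assumes the ActiveDirectory module (shipped from Windows Server 2008 R2 onward), a placeholder OU that holds only eToken users, and a 25-day threshold; all three are assumptions, not values from the thread.

```powershell
# Added example. OU path, threshold and length are assumptions (placeholders).
Import-Module ActiveDirectory

$SearchBase = 'OU=eTokenUsers,DC=example,DC=com'  # placeholder: OU with eToken users only
$MaxAgeDays = 25                                   # act before the 30-day policy triggers
$Length     = 32

function New-RandomSecurePassword {
    param([int]$Length = 32)
    # One character from each class first, so domain complexity rules are met.
    $sets = @('ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz',
              '23456789', '!#$%&*+-=?@_')
    $all    = -join $sets
    $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf    = New-Object byte[] 4
    $secure = New-Object System.Security.SecureString
    for ($i = 0; $i -lt $Length; $i++) {
        $chars = if ($i -lt $sets.Count) { $sets[$i] } else { $all }
        $rng.GetBytes($buf)   # cryptographic RNG, not Get-Random
        $index = [int]([BitConverter]::ToUInt32($buf, 0) % $chars.Length)
        # Append straight into the SecureString: no plaintext string is ever built.
        $secure.AppendChar($chars[$index])
    }
    $secure.MakeReadOnly()
    return $secure
}

$cutoff = (Get-Date).AddDays(-$MaxAgeDays)

Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet -lt $cutoff } |
    ForEach-Object {
        $secure = New-RandomSecurePassword -Length $Length
        try {
            # An administrative reset also restarts the password-age clock.
            Set-ADAccountPassword -Identity $_ -Reset -NewPassword $secure
            # Record only who was reset, never the value.
            Write-Output ("Reset password for {0}" -f $_.SamAccountName)
        }
        finally {
            $secure.Dispose()
        }
    }
```

Run it as a scheduled task under an account delegated only the password-reset right on that OU, and keep the OU limited to eToken users, since everyone in it loses their known password on each run.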