No "Change Password Notification" when Securing Tier Accounts Using Authentication Policies - Silos

Hello,

Using Microsoft Windows Active Directory Domain Services, I am facing an issue while configuring FGPP for tiered accounts:

No "Change Password Notification" and

No "Message to Change Password as password has expired"

when securing Tier accounts using Authentication Policies - Silos.

So here's the scenario - there are 2 issues

1. Accounts/creds are made secure using a PAW, which is part of the AuthN Policy/Silo and also the Protected Users group

2. Only allowing logon for accounts which are part of this silo

3. Once the user is logged on to this workstation,

4. The user is authorized to log on using privileged accounts to other servers like DCs

5. However, here is the issue when the password for these privileged accounts is about to expire

6. (ISSUE 1) Users are not shown the notification to change the password

7. It is observed that when the logon fails, the Event Viewer shows it is due to the AuthN Policy-Silo, which is blocking the use of NTLM completely, appearing as if the system tried to use NTLM, which could have made it possible to show the error message related to the password being expired

8. (ISSUE 2) It never shows any indication of an expired password; instead, the message is as if some restriction due to the AuthN Silo-Policy is causing the issue.

Is this a known behavior when using AuthN Policy-Silo?

How to fix these issues?

BR,
/HS