Password management can be a bit of a pain when using Exchange Online and/or Skype for Business Online. When an end user changes their password, Credential Manager sometimes does not update the stored credentials with the new password. Credential Manager then keeps handing Outlook and Skype for Business the old password, and the repeated failed authentications lock the user's Active Directory account.

Background

OAuth is a great feature within Office 365. For our customers that have deployed OAuth within their organization, we have seen support calls for account lockouts decrease dramatically.

However, we have customers that cannot use OAuth for Exchange because their security team requires that web-based applications be blocked from non-corporate networks. Information on the limitations of OAuth and web-based apps can be found here:

http://social.technet.microsoft.com/wiki/contents/articles/30253.office-2013-and-office-365-proplus-modern-authentication-and-client-access-filtering-policies-things-to-know-before-onboarding.aspx

In these cases, Outlook 2010/2013/2016 and Skype for Business are still using active authentication. As many of you know, active authentication can, and will, cause password lockout issues because of problems with Credential Manager. A description of this issue can be found in the article below:

https://blogs.technet.microsoft.com/abizerh/2015/06/01/possible-causes-of-authentications-failures-for-federated-users-in-office-365/

Solution

To mitigate this problem, we have created a script that clears the Credential Manager entries when users change their passwords. The limitation of this script is that it does not detect the moment the password is changed. Our recommendation, and what we have seen work for our customers, is to run the script as a scheduled task that executes several times in the morning, after lunch, and mid-afternoon; from what we have noticed, those are the common times when users change their passwords.

We have also had customers deploy the script as an executable and educate their end users to run it immediately after they change their password.
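As an added example (not part of the original post), the following registers the script above as a per-user scheduled task with the run times the post recommends. It assumes the ScheduledTasks module (Windows 8 / Server 2012 or later); the script path and task name are placeholders.

```powershell
# Added example, not from the original post. Registers the cred-manager
# script as a scheduled task that runs several times a day in the
# logged-on user's own session, because Credential Manager is per-user.

$ScriptPath = 'C:\Scripts\Clear-CredManager.ps1'   # assumed location of the saved script
$TaskName   = 'Clear-O365-Credentials'             # assumed task name

# Launch the script with no profile and a hidden console; the MessageBox
# prompts still appear because they are Windows Forms dialogs.
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -WindowStyle Hidden -File `"$ScriptPath`""

# Several runs in the morning, one after lunch, one mid-afternoon.
# The script's own "already ran today" check keeps repeats harmless.
$Times    = '08:30', '09:30', '10:30', '13:15', '15:00'
$Triggers = foreach ($t in $Times) { New-ScheduledTaskTrigger -Daily -At $t }

# Interactive logon: no stored password, and the task sees the user's cred store.
$Principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" `
    -LogonType Interactive

# Catch up a missed run (e.g. laptop was asleep) and never let it hang.
$Settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Triggers `
    -Principal $Principal -Settings $Settings -Force
```

Run this once in the user's context (for example from a logon script); it must be repeated per user, since the task principal is the logged-on account.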

The cred-manage script performs the following actions:

  1. Creates a directory under C:\ called Password
  2. Checks whether a text file from today already exists in C:\Password. The script uses this file to validate whether it has already cleared Credential Manager that day
  3. Validates whether the password has been changed today
  4. Creates a txt file under C:\Password named with the current date
  5. Tells the user that their password has changed and asks whether they want to close Outlook and Skype for Business
  6. Removes the credentials from Credential Manager

Results

If the user has changed their password: (screenshot of the restart prompt)

If they select No: (screenshot of the follow-up message)

Script


# Loads Windows Forms so the MessageBox calls below work when run as a script
Add-Type -AssemblyName System.Windows.Forms

# $UPN = user1@domain.com
$upn = whoami /upn

# Removes the @ and leaves user1 and domain
$upn1 = $upn.Split("@")

#captures user1
$upn2 = $upn1[0]

# gets user information from the logon DC
$user1 = net user /domain $upn2

# captures the password reset information
$user2 = $user1[10]

# Splits the information by space
$user3 = $user2.Split()

# captures the date of the password reset
$user4 = $user3[14]

# captures the current date in 1/1/2015 format
$date = get-date -Format d

#This if statement determines if the folder path of C:\password has already been created
$Folder = Test-Path C:\password

If ($folder -eq $false) {
  new-item c:\Password -ItemType directory
}

$today = (get-date).Date

$NewItem = Get-ChildItem C:\password | where { $_.CreationTime.Date -eq $today } | Out-String

#Validates if an item is created in the C:\password folder for today. 
#If not it checks to see if the user password was reset today
If ($newitem -eq "") {

  If ($date -eq $user4) {

    $OUTPUT = [System.Windows.Forms.MessageBox]::Show(
      "You have changed your password, to complete the password change we must restart " +
      "Outlook and LYNC.",
      "Status",
      4)

    $output

    if ($OUTPUT -eq "YES" ) {
      $Outlook = "LegacyGeneric:target=MS.Outlook:" + $UPN
      $outlook1 = "LegacyGeneric:target=MicrosoftOffice15_Data:SSPI:" + $UPN
      Cmdkey /delete:$outlook
      Cmdkey /delete:$outlook1
      $FileDate = ($date).Replace("/","-")
      $Path = "C:\password\" + $filedate + ".txt"
      new-item -Path $Path -ItemType File
      $outlook= get-process outlook
      $Lync= Get-process Lync
      #kill outlook and Lync
      $outlook | stop-process
      $lync | stop-process
      #starts process
      Start-Process -Filepath "C:\Program Files (x86)\Microsoft Office\Office15\lync.exe"
      Start-process -Filepath "C:\Program files (x86)\Microsoft Office\Office14\outlook.exe"
    }
    else {
      [System.Windows.Forms.MessageBox]::Show(
        "You will be asked to close Outlook again within an hour")
    }
  }
}