Every time we have to change our passwords via active directory we have issues with various applications and devices having the old password and locking the users out of their accounts. I, myself, have to change my password on 4 devices before I get locked out, including my home PC which isn't very convenient to get to while I'm at work. Our IT group says there is no other way to go about this but I can't imagine larger groups go through this.
What do you do?
Are all the devices networked together on the same domain? It is hard to tell without knowing how your network is set up. When we have password changes, it changes it for all devices, but that is because anything on our network is linked to your domain and is part of the network. So it really all depends on how the entire network was set up.
Some of these devices are Apple and Android devices which are not on our domain; can they be placed on it? Some are laptops which I know are not on our domain.
As you probably know, the account lockouts are caused by the old password being retried by applications that poll periodically. Most of the time, it is email.
Individually, each device you have probably doesn't poll often enough to trigger the lockout. However, with more than one device polling, the frequency is enough to trigger the lockout.
We use webmail, so we don't have any mail client app on PCs to generate failed logins.
Your mail server probably has a webmail interface. You might try switching to that at home. With no client application to poll the mail server, no login failures.
IT might consider adjusting the number of failure attempts and fail counter expiration.
Webmail generally doesn't work very well with mobile devices however. It seems to me that mobile devices may not poll as often though, allowing the fail counter to expire and avoiding the account lockout.
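As an added illustration (not code from any poster in this thread) of the counter behaviour described above, this Python model assumes a single domain-wide bad-password counter that resets once the observation window passes with no bad attempt; the 10-attempt / 30-minute policy and the per-device poll intervals are constructed sample values:

```python
"""Model of an AD account-lockout counter fed by several devices that keep
retrying a stale password. Added illustration; assumes one domain-wide
counter (real deployments track per-DC counts that are forwarded to the PDC)."""
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    threshold: int            # "Account lockout threshold" (bad attempts)
    observation_window: int   # "Reset account lockout counter after", minutes


def lockout_minute(policy, poll_intervals, horizon=24 * 60):
    """Return the minute at which the account locks, or None if it does not
    lock within `horizon` minutes.

    poll_intervals: one entry per device still holding the old password,
    giving how often (in minutes) that device retries. Every retry is one
    bad-password event. The counter resets when `observation_window` minutes
    pass with no bad attempt, mirroring badPwdCount / lockoutObservationWindow.
    """
    events = sorted(
        t for interval in poll_intervals for t in range(0, horizon, interval)
    )
    bad_count = 0
    last_bad = None
    for t in events:
        if last_bad is not None and t - last_bad >= policy.observation_window:
            bad_count = 0          # window expired: counter starts over
        bad_count += 1
        last_bad = t
        if bad_count >= policy.threshold:
            return t               # account is now locked
    return None


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=10, observation_window=30)
    # A single chatty mail client (every 5 min) locks the account on its own.
    print("chatty client alone:", lockout_minute(policy, [5]))          # 45
    # Phone, tablet and home PC each poll less often than the 30-minute
    # window, so none of them can lock the account by itself...
    for interval in (35, 40, 50):
        print(f"device every {interval} min:", lockout_minute(policy, [interval]))
    # ...but together their attempts never leave a 30-minute gap, so the
    # counter keeps climbing and the account locks after 150 minutes.
    print("all three together:", lockout_minute(policy, [35, 40, 50]))  # 150
```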
Those devices, I am pretty sure, are using some type of remote access to connect to another system that should be on your domain. The laptops should be on the domain if they are Windows based. Now, are you saying you have to change the passwords on the Apple/Android devices, or the remote connection?
And my apologies, I just noticed your main concern was applications with previously saved passwords... this is the issue. We do not allow saved passwords for this reason. So really the only options IT has are to unlock it when they have a password change, or not allow password changes, or not allow saved passwords. There is really not much else you can do, that I know of.
Unfortunately not all of our devices are Windows. Our docs believe that Apple devices are far superior because "they can't get viruses." Perhaps we will have to implement a similar policy. Is there a way we can keep the passwords from saving to the Windows Credential Manager for our Windows users? However, that still doesn't solve our phone problem. What is the lockout policy at your practice? We are set to 10. We have another user who insists on using Office 365 to access his email. Can he be on the domain if he is on vacation?
I can understand that. Yes, there are policies that can be added to Active Directory and the remote desktop to prevent the saving of passwords. Again, it all depends on how IT has set up the network. Also, for people that are away from the office, yes, VPN is key here...