Since InfusionPoints began using Microsoft Online Services (MOS) Business Productivity Online Suite (BPOS), we have noticed that navigating the required password changes can be a bit tricky. Once a password had been changed, we would have a variety of problems, from the mobile device not accepting the new password, to the Outlook client prompting for the password or refusing to connect to Exchange. After some investigation, we found that others were also having this problem.
After some diagnosis and research, we found that the problem stems from an account lockout policy. From Microsoft Online Services Help and How-to page on User Passwords:
Microsoft Online Services uses an account lockout policy to help protect the accounts of service administrators and end users. The user can try to sign in to the Administration Center or the Sign In application five times. After five failed attempts with an invalid user name or an incorrect password, users are locked out for 15 minutes.
Microsoft names the policy being relevant to the Administration Center and Sign In application. However, if the lockout policy is implemented in the directory, then it would be enforced regardless of the origin of the login attempt. What we believe was happening is that users would change their password, and before the new password could be configured everywhere it might be used, (including Communicator, Outlook, Mobile Devices, IMAP, POP, etc.) some combination of those applications and devices would already have made 5 connection attempts with the old (now incorrect) password and lock the account for up to 15 minutes. This would lead to further confusion, as the user might assume the password change did not take effect for some reason. They would then try the old password instead which now also does not work due to the lockout condition.
If this was indeed the cause of the problem, then we could infer that to avoid this issue, the new password would need to be configured everywhere it is used immediately after being changed to avoid the lockout. This led us to create the following procedure for our users which has – in fact – resulted in far fewer issues during password changes in MOS.
We founded InfusionPoints to be our clients' first choice for an independent trusted partner to build secure systems that protect their employee's, partner's and customer's data