topic Re: Enabling AD password expiration warning/change and SupportOldSchema impact in an MDS enviornment in Firewall and Security Management

Enabling AD password expiration warning/change and SupportOldSchema impact in an MDS enviornment

jennyado — Wed, 15 Oct 2025 01:53:42 GMT

Hello community,

I am reviewing the configuration to allow Active Directory users to receive a warning and change their password from the Check Point VPN Client before their password expires, according to SKs sk33404 and sk89841.

I have an MDS environment, and I want to apply this configuration within a domain where I have 3 LDAP Account Units, but I intend to enable this functionality only on one of them so that VPN users can change their password through the client.

According to the documentation, the steps include:

Enable in Global Properties → User Directory the option
“Enable Password change when a user's Active Directory password expires”
(some articles indicate this is also required to allow password change before expiration).
Ensure the LDAP Account Unit is using the Microsoft_AD profile with:
- SSL enabled (TCP 636)
- Write data to this server enabled
- DN with sufficient permissions to modify passwords
If the AD does not have the Check Point LDAP schema extended, configure in GuiDBedit:

Tables > Managed Objects > LDAP > Microsoft_AD > Common SupportOldSchema = 1
(Optional, according to SK33404) In the LDAP Account Unit object where the change will be applied:
- IsPasswordWarning = True
- PasswordWarningTime = <number of days>
- UseNativePwdParams = True
💡 My questions:
1. SupportOldSchema interpretation:
  - If the AD does not have the extended schema → SupportOldSchema = 1
  - If the AD does have the extended schema → SupportOldSchema = 0
    Is this correct?
2. Impact on other LDAP Account Units in the same domain:
  - Does enabling “Enable Password change when a user's AD password expires” on one LDAP Account Unit affect the other two LDAP Account Units?
  - Could changing SupportOldSchema on this LDAP Account Unit impact authentication or user queries for the other LDAP Account Units using the Microsoft_AD profile?
3. Scope of warning parameters:
  - If I apply IsPasswordWarning, PasswordWarningTime, and UseNativePwdParams only to this LDAP Account Unit, does this affect any of the other LDAP Account Units that are not modified?
  - Will the other LDAP Account Units continue authenticating normally without any additional changes?
4. Impact on VPN and active sessions:
  - Could enabling these changes on this LDAP Account Unit interrupt or log out active VPN users authenticating against this AD?
  - In other words, is it safe to enable these options in a production MDS environment without affecting existing sessions on other LDAP Account Units?
Any confirmation or practical experience with this configuration would be greatly appreciated — especially in MDS environments with multiple LDAP Account Units and VPN users authenticating simultaneously.
Thanks in advance 🙌

Re: Enabling AD password expiration warning/change and SupportOldSchema impact in an MDS enviornment

the_rock — Wed, 15 Oct 2025 04:00:20 GMT

Oldschema parameter option, you got that right. Does not affect other ldap account units if changed on one and no, ALREADY logged users would stay logged in.

Best,

Andy

Re: Enabling AD password expiration warning/change and SupportOldSchema impact in an MDS enviornment

the_rock — Wed, 15 Oct 2025 15:42:42 GMT

@jennyado

I dont sadly have lab access atm as Im in Africa, but what I mentioned is my previous experience.

Best,

Andy

Re: Enabling AD password expiration warning/change and SupportOldSchema impact in an MDS enviornment

jennyado — Wed, 15 Oct 2025 15:59:00 GMT

Thanks a lot for the reply — really appreciate you taking the time to share your experience, especially while abroad! 🌍
Your confirmation about the impact on other LDAP Account Units and active VPN users was super helpful.

Just to clarify one last thing:
When setting the SupportOldSchema value in

Tables > Managed Objects > LDAP > Microsoft_AD > Common

it looks like this parameter applies to the Microsoft_AD profile itself, not to each individual LDAP Account Unit.

If that’s correct, then all LDAP Account Units that use this same profile would inherit that value, right?
I’m currently checking with the AD team whether their directory is using the extended Check Point schema or not, so I just want to confirm if changing this parameter would affect all LDAP Account Units in the domain that use the Microsoft_AD profile.

Would you confirm if this behavior is global per profile, and if creating a duplicate profile (for example, “Microsoft_AD_NoSchema”) would be the proper way to isolate it if needed?

Thanks again for your help and time!

Re: Enabling AD password expiration warning/change and SupportOldSchema impact in an MDS enviornment

the_rock — Wed, 15 Oct 2025 16:03:26 GMT

Its no issue, raining here like crazy, so nothing better to do haha. Im sure that setting would indeed affect all account units. I do know one customer who added no schema value and it worked for them, but this was while ago, might be worth confirming with TAC.

Best,

Andy

Re: Enabling AD password expiration warning/change and SupportOldSchema impact in an MDS enviornment

jennyado — Wed, 15 Oct 2025 23:43:14 GMT

Thanks a lot for your help and for taking the time to reply — really appreciate it!
I’ve already opened a TAC case to confirm how that behavior works in the latest versions, just to be fully sure before applying any change.

Enjoy the rest of your vacation (hopefully the rain lets up soon)! 🌧️😄
Thanks again for the support!

Re: Enabling AD password expiration warning/change and SupportOldSchema impact in an MDS enviornment

the_rock — Wed, 15 Oct 2025 23:51:05 GMT

Thank you! Yes, rain stopped, but its 1 am here, time to sleep lol

Cheers,

Andy

Re: Enabling AD password expiration warning/change and SupportOldSchema impact in an MDS enviornment

jennyado — Fri, 17 Oct 2025 20:55:22 GMT

Based on the guidence recevied from TAC, these are my comments:

SupportOldSchema Parameter

This parameter is defined at the Microsoft_AD profile level:
Tables → Managed Objects → LDAP → Microsoft_AD → Common
Any change to this value affects all LDAP Account Units using this profile.
Recommendation: create a duplicate profile (e.g., Microsoft_AD_PwdChange) and assign it only to the LDAP Account Unit where the password expiration functionality is needed.

Global Option: “Enable Password change when a user's AD password expires”

This setting enables password-change workflows across all LDAP Account Units globally.
Only properly configured LDAP Account Units (correct profile, SSL enabled, write permissions, schema handling) will actually use the feature.
Other LDAP Account Units continue operating normally.

Re: Enabling AD password expiration warning/change and SupportOldSchema impact in an MDS enviornment

the_rock — Fri, 17 Oct 2025 21:00:14 GMT

Excellent!

topic Re: Enabling AD password expiration warning/change and SupportOldSchema impact in an MDS enviornment in Firewall and Security Management

Enabling AD password expiration warning/change and SupportOldSchema impact in an MDS enviornment

💡 My questions:

Re: Enabling AD password expiration warning/change and SupportOldSchema impact in an MDS enviornment

Re: Enabling AD password expiration warning/change and SupportOldSchema impact in an MDS enviornment

Re: Enabling AD password expiration warning/change and SupportOldSchema impact in an MDS enviornment

Re: Enabling AD password expiration warning/change and SupportOldSchema impact in an MDS enviornment

Re: Enabling AD password expiration warning/change and SupportOldSchema impact in an MDS enviornment

Re: Enabling AD password expiration warning/change and SupportOldSchema impact in an MDS enviornment

Re: Enabling AD password expiration warning/change and SupportOldSchema impact in an MDS enviornment

Re: Enabling AD password expiration warning/change and SupportOldSchema impact in an MDS enviornment