This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jennyado
Collaborator
‎2025-10-14 06:53 PM
Jump to solution

Enabling AD password expiration warning/change and SupportOldSchema impact in an MDS enviornment

Hello community,

I am reviewing the configuration to allow Active Directory users to receive a warning and change their password from the Check Point VPN Client before their password expires, according to SKs sk33404 and sk89841.

I have an MDS environment, and I want to apply this configuration within a domain where I have 3 LDAP Account Units, but I intend to enable this functionality only on one of them so that VPN users can change their password through the client.

According to the documentation, the steps include:

  1. Enable in Global Properties → User Directory the option
    “Enable Password change when a user's Active Directory password expires”
    (some articles indicate this is also required to allow password change before expiration).

  2. Ensure the LDAP Account Unit is using the Microsoft_AD profile with:

    • SSL enabled (TCP 636)

    • Write data to this server enabled

    • DN with sufficient permissions to modify passwords

  3. If the AD does not have the Check Point LDAP schema extended, configure in GuiDBedit:

     
    Tables > Managed Objects > LDAP > Microsoft_AD > Common SupportOldSchema = 1

  4. (Optional, according to SK33404) In the LDAP Account Unit object where the change will be applied:

    • IsPasswordWarning = True

    • PasswordWarningTime = <number of days>

    • UseNativePwdParams = True

  5. 💡 My questions:

    1. SupportOldSchema interpretation:

      • If the AD does not have the extended schema → SupportOldSchema = 1

      • If the AD does have the extended schema → SupportOldSchema = 0
        Is this correct?

    2. Impact on other LDAP Account Units in the same domain:

      • Does enabling “Enable Password change when a user's AD password expires” on one LDAP Account Unit affect the other two LDAP Account Units?

      • Could changing SupportOldSchema on this LDAP Account Unit impact authentication or user queries for the other LDAP Account Units using the Microsoft_AD profile?

    3. Scope of warning parameters:

      • If I apply IsPasswordWarning, PasswordWarningTime, and UseNativePwdParams only to this LDAP Account Unit, does this affect any of the other LDAP Account Units that are not modified?

      • Will the other LDAP Account Units continue authenticating normally without any additional changes?

    4. Impact on VPN and active sessions:

      • Could enabling these changes on this LDAP Account Unit interrupt or log out active VPN users authenticating against this AD?

      • In other words, is it safe to enable these options in a production MDS environment without affecting existing sessions on other LDAP Account Units?

    Any confirmation or practical experience with this configuration would be greatly appreciated — especially in MDS environments with multiple LDAP Account Units and VPN users authenticating simultaneously.

    Thanks in advance 🙌

0 Kudos
2 Solutions

Accepted Solutions
the_rock
MVP Platinum
MVP Platinum
‎2025-10-14 09:00 PM
Jump to solution

Oldschema parameter option, you got that right. Does not affect other ldap account units if changed on one and no, ALREADY logged users would stay logged in.

Best,

Andy

Best,
Andy

View solution in original post

(1)
jennyado
Collaborator
‎2025-10-17 01:55 PM
In response to the_rock
Jump to solution

Based on the guidence recevied from TAC, these are my comments:

SupportOldSchema Parameter

  • This parameter is defined at the Microsoft_AD profile level:
    Tables → Managed Objects → LDAP → Microsoft_AD → Common

  • Any change to this value affects all LDAP Account Units using this profile.

  • Recommendation: create a duplicate profile (e.g., Microsoft_AD_PwdChange) and assign it only to the LDAP Account Unit where the password expiration functionality is needed.

Global Option: “Enable Password change when a user's AD password expires”

  • This setting enables password-change workflows across all LDAP Account Units globally.

  • Only properly configured LDAP Account Units (correct profile, SSL enabled, write permissions, schema handling) will actually use the feature.

  • Other LDAP Account Units continue operating normally.

 

 

View solution in original post

(1)
8 Replies
the_rock
MVP Platinum
MVP Platinum
‎2025-10-14 09:00 PM
Jump to solution

Oldschema parameter option, you got that right. Does not affect other ldap account units if changed on one and no, ALREADY logged users would stay logged in.

Best,

Andy

Best,
Andy
(1)
the_rock
MVP Platinum
MVP Platinum
‎2025-10-15 08:42 AM
In response to the_rock
Jump to solution

@jennyado 

I dont sadly have lab access atm as Im in Africa, but what I mentioned is my previous experience.

Best,

Andy

Best,
Andy
(1)
jennyado
Collaborator
‎2025-10-15 08:56 AM
In response to the_rock
Jump to solution

Thanks a lot for the reply — really appreciate you taking the time to share your experience, especially while abroad! 🌍
Your confirmation about the impact on other LDAP Account Units and active VPN users was super helpful.

Just to clarify one last thing:
When setting the SupportOldSchema value in

Tables > Managed Objects > LDAP > Microsoft_AD > Common

SupportOldSchema.png

it looks like this parameter applies to the Microsoft_AD profile itself, not to each individual LDAP Account Unit.

If that’s correct, then all LDAP Account Units that use this same profile would inherit that value, right?
I’m currently checking with the AD team whether their directory is using the extended Check Point schema or not, so I just want to confirm if changing this parameter would affect all LDAP Account Units in the domain that use the Microsoft_AD profile.

Would you confirm if this behavior is global per profile, and if creating a duplicate profile (for example, “Microsoft_AD_NoSchema”) would be the proper way to isolate it if needed?

Thanks again for your help and time!

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-10-15 09:03 AM
In response to jennyado
Jump to solution

Its no issue, raining here like crazy, so nothing better to do haha. Im sure that setting would indeed affect all account units. I do know one customer who added no schema value and it worked for them, but this was while ago, might be worth confirming with TAC.

Best,

Andy

Best,
Andy
(1)
jennyado
Collaborator
‎2025-10-15 04:43 PM
In response to the_rock
Jump to solution

Thanks a lot for your help and for taking the time to reply — really appreciate it!
I’ve already opened a TAC case to confirm how that behavior works in the latest versions, just to be fully sure before applying any change.

Enjoy the rest of your vacation (hopefully the rain lets up soon)! 🌧😄
Thanks again for the support!

the_rock
MVP Platinum
MVP Platinum
‎2025-10-15 04:51 PM
In response to jennyado
Jump to solution

Thank you! Yes, rain stopped, but its 1 am here, time to sleep lol

Cheers,

Andy

Best,
Andy
0 Kudos
jennyado
Collaborator
‎2025-10-17 01:55 PM
In response to the_rock
Jump to solution

Based on the guidence recevied from TAC, these are my comments:

SupportOldSchema Parameter

  • This parameter is defined at the Microsoft_AD profile level:
    Tables → Managed Objects → LDAP → Microsoft_AD → Common

  • Any change to this value affects all LDAP Account Units using this profile.

  • Recommendation: create a duplicate profile (e.g., Microsoft_AD_PwdChange) and assign it only to the LDAP Account Unit where the password expiration functionality is needed.

Global Option: “Enable Password change when a user's AD password expires”

  • This setting enables password-change workflows across all LDAP Account Units globally.

  • Only properly configured LDAP Account Units (correct profile, SSL enabled, write permissions, schema handling) will actually use the feature.

  • Other LDAP Account Units continue operating normally.

 

 

(1)
the_rock
MVP Platinum
MVP Platinum
‎2025-10-17 02:00 PM
In response to jennyado
Jump to solution

Excellent!

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events