F.A.Q. - Omni Password (Last Updated: Sunday, 20 August 2006)

How can I force a user to change their Password at next login?
If the Password is changed on the Setup >> System >> Users window and password expiry is active you will be asked if you wish to force the user to change their password on next login. If you say "yes" to this dialog, the system will change the date recorded as the last password changed date for that user to 01-Jan-1980.  This then forces the password to become expired and the user will be forced to change their password on next login.  Note that you must enable at least 1 grace login to allow them to change their password after it has expired.

Also there is an Extras Menu option available from the Setup >> System >> Users window. You may select this option from the menu bar to force the user to change their password without having to change the password.


Can I force all users to change their Passwords at next login?
There is an Extras Menu option available from the Setup >> System >> Users window.  You may select this option from the menu bar and change the dates recorded as the last password changed dates to 01-Jan-1980.  This then forces the passwords to become expired and the users will be forced to change their password on next login.  Note that you must enable at least 1 grace login to allow them to change their password after it has expired.

Why doesn't Password Expiry work for the 'sa' user?
The 'sa' user password cannot actually be changed from within Great Plains; it must be changed using the MS SQL Server Enterprise Manager.  Therefore it does not make sense for Omni Password to attempt to expire the password when it cannot be changed from Great Plains anyway.

I use other applications to access my SQL data, how can Omni Password help?
Normally, if you maintain the passwords from within Great Plains SQL versions, the passwords will be stored encrypted on the SQL Server.  This adds the ability to give a user access to the accounting system, but not to the data from any other application.  If access is required from another application then the passwords must be maintained via SQL Enterprise Manager or some other method.  Omni Password now offers the ability to maintain the passwords from within the Great Plains application and store the passwords in the SQL Server without encryption.  This means you can have all the facilities of Omni Password AND still be able to use the same password from an external application, such as FRx or Crystal Reports.

Note: The option to store passwords without encryption is not available on v9.0 onwards due to the password security changes made in the core application.


I have turned on the "Store Passwords on SQL Server without encryption" option and it has not worked?
This option can only take effect when a password is changed after the option has been activated.  Omni Password will not update all users' passwords when the option is turned on.  Please change the user's password via Setup >> System >> Users or Setup >> User Preferences >> Password for the encryption to be removed.  You can confirm that the encryption has been removed by using the same login to connect via SQL Query Analyser.

Note: The option to store passwords without encryption is not available on v9.0 onwards due to the password security changes made in the core application.


I have turned on the "Store Passwords on SQL Server without encryption" option and the table is still encrypted?
The passwords in the SY_Users_MSTR (SY01400) table will always be encrypted as this is how the table is defined.  The part that is not encrypted is the actual SQL Server password stored in the internal SQL Server system.  Because the actual SQL Server password is no longer encrypted, you can use these Login IDs to connect to SQL Server from other applications, such as Crystal Reports, FRx and SQL Query Analyser.

Note: The option to store passwords without encryption is not available on v9.0 onwards due to the password security changes made in the core application.


What other features does Omni Password offer?
Omni Password can be used to lock users out of a company or the entire system when you need to perform system maintenance.  It can also pop up an "impending maintenance shut-down" warning to notify a user who is already logged in.  It also offers an Inactivity timeout feature to automatically log inactive users out of the system, without just killing them.  This can be very useful on a Citrix system when a user is disconnected.

How does Inactivity Timeout work?
As it is not actually possible to track inactivity with Dexterity, Omni Password's Inactivity Timeout feature works by tracking the last time any of a number of common activities occurred within the system and resetting a last activity date and time counter.  Activities such as opening tables and forms, and moving between records on a form will reset the counter.  A periodic background process then checks the counter, and if there has been no activity for longer than the allowed time it will try to exit.

When the Inactivity Timeout tries to exit, what happens to my work?
Omni Password tries to exit by replicating a user's actions to select File >> Exit from the menu. If any dialogs pop up, such as "Do you want to Save, Discard or Cancel", the automatic log out will stop.  It is too dangerous to force the log out when a user decision must be made first.

What exactly is Inactivity Timeout monitoring for activity?
The Inactivity Timeout feature resets its last activity counters when a Form, Report or Table is opened (trigger on Security global procedure), a table, SQL table or SQL stored procedure is opened or executed (triggers on Pathname, SQLPath, SQLScriptPath global procedures), or when a Window Note or Record Note is checked for (triggers on Check_For_Note and Check_For_Record_Note global procedures).  This will pick up most activities within Great Plains and prevent the Inactivity Timeout activating prematurely.

What can I do if the Inactivity Timeout is activating prematurely?
If the Inactivity Timeout is attempting to exit while a user is in fact not idle, it is because they are not performing any of the activities the Inactivity Timeout feature is looking for.  To resolve this issue, you can either de-activate the Inactivity Timeout feature for the users in question using the Omni Tools Control Panel (Cards >> Omni Tools >> Control Panel) or use the following VBA code to update the counters.

This code must be placed on a VBA event which is commonly executed and so it will prevent the Inactivity Timeout from attempting to exit while the user is active.
 

' Early-bound alternative (needs the Dynamics reference marked):
'Dim CompilerApp As New Dynamics.Application
Dim CompilerApp As Object
Dim CompilerMessage As String
Dim CompilerError As Integer
Dim Commands As String

' Create link without having reference marked
Set CompilerApp = CreateObject("Dynamics.Application")

' Build the SanScript that updates the Inactivity Timeout counters
Commands = ""
Commands = Commands & "call with name ""WDC_Pathname_PRE"" in dictionary 2054;" & vbCrLf

' Execute SanScript; a non-zero result means it failed
CompilerError = CompilerApp.ExecuteSanscript(Commands, CompilerMessage)
If CompilerError <> 0 Then
    ' Show the message returned by ExecuteSanscript
    MsgBox CompilerMessage
End If


Here is an example VBA package of this script used on the Reconcile Bank Statement window to prevent Inactivity Timeout from trying to exit while working on a large reconciliation.


Why do I get a Menu not found error when the Inactivity Timeout tries to exit?
Omni Password's Inactivity Timeout replicates the user selecting File >> Exit by creating and executing a small macro file "on-the-fly".  This macro tries to select the menu choice for File >> Exit.  We have found that a translated runtime may not use the same words, i.e. "File" and "Exit", and this can cause the macro to fail.  Version 6.0 and version 7.X builds allow you to use the modifier to change the following messages: 22673 = "File" and 22674 = "Exit".  If you change these to match the correct wording for your runtime, the issue will be resolved.

This is no longer an issue on v8.0 onwards due to the change in the menu implementation.


Everything is setup correctly but Inactivity Timeout is not working?
The Inactivity Timeout uses a small macro file which it creates and executes "on-the-fly" to replicate the user selecting File >> Exit.  This macro file was originally written into the application folder; the latest builds from version 7.50 onwards use the current user's temp folder instead.

If you have denied write permission to the application folder with the earlier builds, it can prevent the Inactivity Timeout from exiting as it is unable to create the macro file it needs.  The latest builds of version 7.5 onwards will also log the issue of failing to create the macro file, if the WDC_Debug setting in the Dex.ini file is set to LOG.


How long should it take for the Inactivity Timeout to work?
The Inactivity Timeout feature relies on the Automatic Check (WDC_Periodic_Check) process to execute on a regular basis. It is this check which will decide if it is time to attempt to exit once the inactivity period has expired. So the time to exit will be between the Inactivity Timeout setting and the Inactivity Timeout setting plus the Automatic Check period. It will be the first Automatic Check that executes after the Inactivity Timeout period is over.

What does the WDC_Periodic_Check process do and will it slow me down?
Omni Password's Inactivity Timeout and System Maintenance Lockout features both work with the WDC_Periodic_Check timed background process to allow them to check the status of the system every X minutes.  The time is set in the Omni Password Options window.  The process runs very fast and will only execute once every few minutes, so no, it will not slow your system down.

Can Omni Password be linked to the NT Password?
Sadly, it is not possible to link to the Windows or Active Directory passwords at this stage.  However, it can be a benefit to have an extra password as an additional line of security between the Financial system and the rest of the world.

This is because Omni Password sits on top of the Great Plains password functionality which only supports SQL Authentication.


Can Omni Password prevent access after a number of failed attempts?
Even though this feature has been requested a number of times, it is not technically possible from inside a SQL based application.  To deny access after a number of failed attempts we need to be able to store the number of attempts and also store a setting to say whether access is now denied as well as read how many attempts are allowed.  To store this information requires access to the SQL data so it can be written to a table, and that is precisely what we don't have access to.

As you can see, this is a "Catch-22" situation; only the SQL Server itself can implement this type of functionality.  We believe that SQL Server 2005 will have this ability.


Why does an Omni Password feature fail to work?
There are three main reasons for an Omni Password feature not to work: 1) It has not been set up correctly, but as the user interface is very simple, this is fairly unlikely; 2) The Omni Tools dictionary is not installed on all workstations; Omni Password can only work on a workstation when it is actually installed on that workstation; 3) The feature has been disabled for the system, company, user or user and company using the Omni Tools Control Panel (Cards >> Omni Tools >> Control Panel).

What happens with Omni Password when using SQL Server 2005 and Microsoft Dynamics GP 9.0?
The Great Plains password functionality only works for Microsoft Dynamics GP 9.0 AND SQL Server 2005 AND Windows Server 2003 with Active Directory. If you have all of this, then you can use the GP password functionality. If you have Omni Password active as well, you will need to meet the requirements of both Omni Password and the standard password functionality. Omni Password will strengthen the standard password functionality with its additional password policy options, as well as its Inactivity Timeout and System Maintenance Lockout features.

Note: The option to store passwords without encryption is not available on v9.0 onwards due to the password security changes made in the core application.


I have deleted some users from Great Plains, why do they still show in the WDC11140 table?
This issue has been resolved in the 02-Feb-2006 builds (and later) of Version 8.0 onwards of Omni Password.  Omni Password was not detecting the deletion of the user as it was being performed by a stored procedure rather than from the Great Plains code itself.  This situation is now handled and users deleted from this build onwards will be deleted from the Omni Password tables as well.  To clean up old entries in the table you can run the following script:

DELETE A FROM DYNAMICS.DBO.WDC11140 A LEFT JOIN DYNAMICS.DBO.SY01400 B ON B.USERID = A.USERID WHERE B.USERID IS NULL
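
A way to review the orphaned rows first and run the same cleanup inside a transaction, as an added example that is not Omni Password's own script. It uses only the table and column names from the script above; the variable names and error text are illustrative.

```sql
-- Added example, not vendor code. Table and column names are taken from
-- the cleanup script above; @expected, @deleted and the error text are
-- illustrative.

-- 1) Preview: Omni Password rows whose user no longer exists in SY01400.
SELECT A.USERID
FROM DYNAMICS.DBO.WDC11140 A
LEFT JOIN DYNAMICS.DBO.SY01400 B ON B.USERID = A.USERID
WHERE B.USERID IS NULL
ORDER BY A.USERID;

-- 2) Delete inside a transaction and keep the change only if the number
--    of rows removed matches the number of orphans counted beforehand.
DECLARE @expected INT, @deleted INT;

BEGIN TRANSACTION;

SELECT @expected = COUNT(*)
FROM DYNAMICS.DBO.WDC11140 A
LEFT JOIN DYNAMICS.DBO.SY01400 B ON B.USERID = A.USERID
WHERE B.USERID IS NULL;

DELETE A
FROM DYNAMICS.DBO.WDC11140 A
LEFT JOIN DYNAMICS.DBO.SY01400 B ON B.USERID = A.USERID
WHERE B.USERID IS NULL;

SET @deleted = @@ROWCOUNT;

IF @deleted = @expected
    COMMIT TRANSACTION;
ELSE
BEGIN
    -- Users changed while the cleanup ran; undo and report.
    ROLLBACK TRANSACTION;
    RAISERROR('Orphan count changed during cleanup; nothing deleted.', 16, 1);
END

-- 3) Post-check: this should now return 0.
SELECT COUNT(*) AS RemainingOrphans
FROM DYNAMICS.DBO.WDC11140 A
LEFT JOIN DYNAMICS.DBO.SY01400 B ON B.USERID = A.USERID
WHERE B.USERID IS NULL;
```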

What Security Access is required for a user to be able to change their own password?
The user will need access to the User Preferences window in the Company Series of the Great Plains dictionary and User Password Setup in the System Series of the Great Plains dictionary.  You can use Advanced or Standard security to make the changes. Advanced Security can be used to easily check if all users have access by selecting each window in turn in the tree and checking statuses shown against the users and classes.


If your question is not answered or you have any comments or feedback, please contact Support at Rockton Software.