none
Windows 7 PCs not prompting for password expiration (Default Domain Policy)

    Question

  • We have our Default Domain Policy GPO linked to our top level domain.

    Within the Default Domain Policy we have a computer policy for password expiration (Computer>Policies>Windows Settings>Security Settings>Account Policies/Password Policy). This GPO seems to push fine to all Windows XP machines and servers that are in any sub OU in our domain.

    We have an OU titled Workstations where we move computer objects added to the domain. We then have sub-OUs inside Workstations to further organize and control our computers. (Domain>Workstations>Workstations - Woodbury)

    In our migration from Windows XP to Windows 7 any new W7 machine that is added to the domain is moved from the default Computers OU (not listed in GPM, only in AD) to Domain>Workstations>Workstations - Woodbury.

    Any W7 machine that is added to that sub-ou (workstations - woodbury) is not prompting for password expiration. When I go to the Workstations - Woodbury OU and choose Group Policy Inheritance I see that Default Domain Policy location is our domain, GPO status is enabled and WMI filter is none. This leads me to believe that my OU I have created is successfully inheriting the default domain policy and any machine should be prompted for password expiration however they are not. 

    Please note that ALL other computer objects in ANY other OU are prompting for password changes just NOT the machines in my sub-OU (all windows 7 computers).

    I am new to group policy management so I apologize if my analysis/description of the issue is not as detailed as it might need to be. I can provide logs and further information if needed. 

    Please help!

    Wednesday, May 06, 2015 5:10 PM

Answers

  • Hi Chris,

    Accordingt to your description, I think the group policy has been applied successfully on your clients.

    Please be aware that the password expire notification on the Windows 7 is different from the XP clients. In the Windows 7, there's no pop up notification window again, instead it will just a message shown as the picture below:

     You can check the below link for more reference:

    http://shabaztech.com/windows-7-password-expiry-email-notification/

    Hope it helps.

    Best Regards,

    Elaine


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, May 14, 2015 3:22 AM
    Moderator

All replies

  • What is resulting group policy on all workstations? Chances are that there is a rule that block inheritance.

    Regards

    Milos

    Wednesday, May 06, 2015 6:22 PM
  • My own computer object is located in the same OU that are not getting prompted for password change.

    I run the group policy results wizard on our DC for my pc name and my username. My computer object is located in the same sub-ou that is having the password issue.

    The Computer Config Summary>GPO>Applied GPOs contains the Default Domain Policy so it IS pushing successfully to the objects in my sub-ou. The link location is my top level domain which is correct.

    Not sure why creating a new OU under an existing OU would cause the password notification to break. The complexity requirement, days to expire all work correctly - it is simply the notification that the password is expiring.

    I did read to set this section in the DDP GPO: Computer Configuration\Windows Settings\Security Settings\local policies - Security Options "Interactive logon: Prompt user to change password before expiration".

    However I am not sure this is the solution because it was not previously set and user's will still be prompted to changed password but just NOT in Windows 7.

    Wednesday, May 06, 2015 7:39 PM
  • Hi Chris,

    Accordingt to your description, I think the group policy has been applied successfully on your clients.

    Please be aware that the password expire notification on the Windows 7 is different from the XP clients. In the Windows 7, there's no pop up notification window again, instead it will just a message shown as the picture below:

     You can check the below link for more reference:

    http://shabaztech.com/windows-7-password-expiry-email-notification/

    Hope it helps.

    Best Regards,

    Elaine


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, May 14, 2015 3:22 AM
    Moderator