none
RSOP: Interactive logon: Prompt user to change password before expiration

    Question

  • Hi,

    I am trying to implement a GPO so that users are prompted to change their password 5 days before it expires. I have done this via -

    Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Enabled Interactive Logon: Prompt user to change password before expiration

    Despite doing the above the GPO does not seem to be taking effect. I have run RSOP on my machine and a few users machines and can see that there is a red circle with an X next to Interactive Logon: Prompt user to change password before expiration.

    Below is my winlogon.log file but I am not really sure what I am supposed to be looking for. Can anyone help?

    **************************

    Make a local copy of \\**************.co.uk\sysvol\**************.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.

    GPLinkSite GPO_INFO_FLAG_BACKGROUND )

    Make a local copy of \\**************.co.uk\sysvol\**************.co.uk\Policies\{91EDC47D-AACF-4DFE-B044-5D29500CECBE}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.

    GPLinkDomain GPO_INFO_FLAG_BACKGROUND )

    Make a local copy of \\**************.co.uk\SysVol\**************.co.uk\Policies\{DDE2DDB7-9802-415B-819E-1ADA496DC3E6}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.

    GPLinkDomain GPO_INFO_FLAG_BACKGROUND )

    Make a local copy of \\**************.co.uk\sysvol\**************.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.

    GPLinkDomain GPO_INFO_FLAG_BACKGROUND )

    Make a local copy of \\**************.co.uk\SysVol\**************.co.uk\Policies\{6422C1A4-D958-4F4B-A8AA-EBACC567BD19}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.

    GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )

    No template is defined in GPO \\**************.co.uk\SysVol\**************.co.uk\Policies\{43F654AA-56D5-4F2C-B357-1AFEE03D37F2}\Machine.

    Process GP template gpt00000.inf.

    This is not the last GPO.

    -------------------------------------------

    08 March 2015 23:06:35

                    Copy undo values to the merged policy.

    ----Un-initialize configuration engine...

    Process GP template gpt00001.dom.

    This is not the last GPO.

    -------------------------------------------

    08 March 2015 23:06:36

    ----Un-initialize configuration engine...

    Process GP template gpt00002.dom.

    This is not the last GPO.

    -------------------------------------------

    08 March 2015 23:06:36

    ----Un-initialize configuration engine...

    Process GP template gpt00003.dom.

    This is not the last GPO.

    -------------------------------------------

    08 March 2015 23:06:36

    ----Un-initialize configuration engine...

    Process GP template gpt00004.inf.

    -------------------------------------------

    08 March 2015 23:06:36

    ----Configuration engine was initialized successfully.----

    ----Reading Configuration Template info...

    ----Configure User Rights...

                    Configure S-1-5-32-544.

                    Configure S-1-5-21-778002760-1239436532-1307212239-1002.

                    Configure S-1-5-21-778002760-1239436532-1307212239-1016.

                    Configure S-1-5-21-778002760-1239436532-1307212239-4078.

                    Configure S-1-5-21-778002760-1239436532-1307212239-512.

                    Configure S-1-5-21-778002760-1239436532-1307212239-500.

                    Configure S-1-5-21-778002760-1239436532-1307212239-513.

                    User Rights configuration was completed successfully.

    ----Configure Group Membership...

                    Configure **************\Local Admins for Users.

                                    old memberof tattoo list: *S-1-5-32-555,*S-1-5-32-544,

                                    object already member of Administrators.

                                    object already member of Remote Desktop Users.

                                    new memberof tattoo list: *S-1-5-32-555,*S-1-5-32-544,

                    Group Membership configuration was completed successfully.

    ----Configure Security Policy...

                    Configure password information.

                    Configure account force logoff information.

                    System Access configuration was completed successfully.

                    Configure machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning.

                    Configure machine\software\microsoft\windows\currentversion\policies\system\enableinstallerdetection.

                    Configuration of Registry Values was completed successfully.

                    Audit/Log configuration was completed successfully.

    ----Configure available attachment engines...

                    Configuration of attachment engines was completed successfully.

    ----Un-initialize configuration engine...

    this is the last GPO.

    **************************

    Make a local copy of \\**************.co.uk\sysvol\**************.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.

    GPLinkSite GPO_INFO_FLAG_BACKGROUND )

    Make a local copy of \\**************.co.uk\sysvol\**************.co.uk\Policies\{91EDC47D-AACF-4DFE-B044-5D29500CECBE}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.

    GPLinkDomain GPO_INFO_FLAG_BACKGROUND )

    Make a local copy of \\**************.co.uk\SysVol\**************.co.uk\Policies\{DDE2DDB7-9802-415B-819E-1ADA496DC3E6}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.

    GPLinkDomain GPO_INFO_FLAG_BACKGROUND )

    Make a local copy of \\**************.co.uk\sysvol\**************.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.

    GPLinkDomain GPO_INFO_FLAG_BACKGROUND )

    Make a local copy of \\**************.co.uk\SysVol\**************.co.uk\Policies\{6422C1A4-D958-4F4B-A8AA-EBACC567BD19}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.

    GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )

    No template is defined in GPO \\**************.co.uk\SysVol\**************.co.uk\Policies\{43F654AA-56D5-4F2C-B357-1AFEE03D37F2}\Machine.

    Process GP template gpt00000.inf.

    This is not the last GPO.

    -------------------------------------------

    09 March 2015 16:26:51

                    Copy undo values to the merged policy.

    ----Un-initialize configuration engine...

    Process GP template gpt00001.dom.

    This is not the last GPO.

    -------------------------------------------

    09 March 2015 16:26:51

    ----Un-initialize configuration engine...

    Process GP template gpt00002.dom.

    This is not the last GPO.

    -------------------------------------------

    09 March 2015 16:26:51

    ----Un-initialize configuration engine...

    Process GP template gpt00003.dom.

    This is not the last GPO.

    -------------------------------------------

    09 March 2015 16:26:51

    ----Un-initialize configuration engine...

    Process GP template gpt00004.inf.

    -------------------------------------------

    09 March 2015 16:26:51

    ----Configuration engine was initialized successfully.----

    ----Reading Configuration Template info...

    ----Configure User Rights...

                    Configure S-1-5-32-544.

                    Configure S-1-5-21-778002760-1239436532-1307212239-1002.

                    Configure S-1-5-21-778002760-1239436532-1307212239-1016.

                    Configure S-1-5-21-778002760-1239436532-1307212239-4078.

                    Configure S-1-5-21-778002760-1239436532-1307212239-512.

                    Configure S-1-5-21-778002760-1239436532-1307212239-500.

                    Configure S-1-5-21-778002760-1239436532-1307212239-513.

                    User Rights configuration was completed successfully.

    ----Configure Group Membership...

                    Configure **************\Local Admins for Users.

                                    old memberof tattoo list: *S-1-5-32-555,*S-1-5-32-544,

                                    object already member of Administrators.

                                    object already member of Remote Desktop Users.

                                    new memberof tattoo list: *S-1-5-32-555,*S-1-5-32-544,

                    Group Membership configuration was completed successfully.

    ----Configure Security Policy...

                    Configure password information.

                    Configure account force logoff information.

                    System Access configuration was completed successfully.

                    Configure machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning.

                    Configure machine\software\microsoft\windows\currentversion\policies\system\enableinstallerdetection.

                    Configuration of Registry Values was completed successfully.

                    Audit/Log configuration was completed successfully.

    ----Configure available attachment engines...

                    Configuration of attachment engines was completed successfully.

    ----Un-initialize configuration engine...

    this is the last GPO.


    Jeet S

    Tuesday, March 10, 2015 3:23 PM

Answers

  • ******UPDATE******

    I think I have managed to get this working. I changed the source of the policy to a different GPO. I then did the following -

    From a command prompt run gpupdate (without the force parameter)

    Ran rsop.msc and checked the policy and this time there was no red circle with an X

    Have done the same on a few users machines and it appears to apply successfully. I say this because when you go into the properties for the policy you see the following -

    The policy XYZ was correctly applied

    Just have to wait and see if it actually does what it says on the can.


    Jeet S

    Tuesday, March 10, 2015 3:42 PM

All replies

  • ******UPDATE******

    I think I have managed to get this working. I changed the source of the policy to a different GPO. I then did the following -

    From a command prompt run gpupdate (without the force parameter)

    Ran rsop.msc and checked the policy and this time there was no red circle with an X

    Have done the same on a few users machines and it appears to apply successfully. I say this because when you go into the properties for the policy you see the following -

    The policy XYZ was correctly applied

    Just have to wait and see if it actually does what it says on the can.


    Jeet S

    Tuesday, March 10, 2015 3:42 PM
  • Hi,

    >>Just have to wait and see if it actually does what it says on the can.

    It's been a while. I think that the issue is gone and mark the reply as answer. However, if the issue persists, please don't hesitate to let us know.

    Best regards,
    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, March 19, 2015 3:03 AM
    Moderator