Not being prompted to change the expiring password for my Active Directory domain account

    Question

  • My computer is joined to our Active Directory (2003) domain. I have an AD user account with password expiry enabled. I normally get 14 days notice to change my password, but since I installed Windows 7 Enterprise, no message appears either during logon or in the Action Center.

    I have XP Mode installed. I also have VMWare machines, RDP, Windows 2003 Terminal Services & Windows 2003 Citrix environments. All of these prompt me to change my password.

    There are only two other Win7 machines on our domain, both only just added. I do not yet know whether the problem occurs on these machines as I haven't been able to borrow them to do testing. I also don't have any test user accounts with expired/expiring passwords.

    I can't find this problem mentioned anywhere in the Knowledgebase or in any online forums. Has anybody else seen this, or know why it might be happening and how to fix it?
    • Moved by Bikesh T (Microsoft Support) Wednesday, February 17, 2010 2:21 PM Best suited in the queue (From: Windows 7 Security, Privacy, and User Accounts)
    Tuesday, February 16, 2010 5:46 PM

Answers

  • Hello,

    logon to the computer and check with rsop.msc on the problem machine to see if the GPO setting is correctly applied.
    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
    Sunday, February 21, 2010 12:38 PM

All replies

  • Hi there,
    I have the same problem. All the other policies appear to be working (password age, length, complexity, history etc. ). Password is prompting me on win2003 and XP machines. However, windows 7 does not prompt me. The windows 7 machines are part of the domain. Any ideas?

    thanks.
    Wednesday, March 17, 2010 12:43 AM
  • Hello,

    did you logon to the computer and check with rsop.msc on the problem machine to see if the GPO setting is correctly applied? Is the computer in an OU where the GPO containing the setting, Computer configuration, Windows settings, security settings, local policies, security options, "Interactive logon: Prompt user to change...................." is linked to?
    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
    Wednesday, March 17, 2010 9:19 AM
  • Hi !
    I have exactly same problem.
    Yes - I have checked with GPMC:
    option Prompt user to change - before 5 days
    is linked.
    But user is not prompted.
    Any suggestions ?
    Monday, March 29, 2010 8:48 AM
  • Hello,

    did you also check with rsop.msc that the GPO is listed as applied, when logged on as a user? GPMC will only show the configured GPO, but NOT if it is applied from the user/workstation.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, March 29, 2010 11:37 AM
  • Hello Meinolf Weber,
    I have the same problem and have checked for all the above options that you have mentioned and it all appears as it should. I have no issues with w2k3 users logging in. It only happens to the users who login via RDP on the win 2k8 servers. Thanks

    Thursday, April 01, 2010 3:06 AM
  • Hello,

    if users logon to a Terminal Server, basically you have to configure the GPOs for the TS with loopback functionality so they use the user settings also on the TS, is this the case?


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
    Thursday, April 01, 2010 8:20 AM
  • Hello.  I have the same problem.  I cannot get my Windows 7 Enterprise clients to prompt the user to change their expiring password.  We have Windows 2003 server as a domain controller.  All Group Policy appears correct and both the GP Results Wiz and RSOP.msc show that the settings have applied correctly to the Windows 7 computers.  We have set the policy on the Win7 computers to 14 days to match the server setting.  Still no prompt.
    What we see happening is people with smartphones are calling the help desk on a regular basis now and complaining that their phones are prompting for a new password.  We need the password expiration prompting to work so we stay connected properly as the loss of email to our mobile devices is hurting business.
    James Nelson
    Monday, April 19, 2010 7:45 PM
  • please check with Action Center.
    kesav
    Wednesday, May 12, 2010 7:13 AM
  • Hey all,

    Make sure you have configured the "Interactive logon: Prompt user to change password before expiration". It is located in local policies/security options.

    Although it says the default is 14 days if you don't configure this, I had to configure this for my windows 7 machines to start notifying me. It fixed my issue.

    • Proposed as answer by stan650 Thursday, May 13, 2010 12:32 AM
    Thursday, May 13, 2010 12:31 AM
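    The replies above ask people to confirm that the "Interactive logon: Prompt user to change password before expiration" setting really reached the workstation. The following PowerShell is an added example, not code from the thread: it reads the registry value that Group Policy writes for this security option (the DWORD PasswordExpiryWarning under the Winlogon key) and compares it with a target of 14 days, which is an assumed value taken from the posts above. When the value is absent, Windows 7 uses its built-in default of 5 days.

    ```powershell
    # Added example (not from the thread): report the effective value of
    # "Interactive logon: Prompt user to change password before expiration"
    # on this workstation. Group Policy stores it as the DWORD
    # PasswordExpiryWarning under the Winlogon key.
    function Get-PasswordExpiryWarningDays {
        param(
            # Built-in default used when no GPO sets the value (5 on Windows 7, 14 on XP)
            [int]$DefaultDays = 5
        )
        $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        $item = Get-ItemProperty -Path $key -Name 'PasswordExpiryWarning' -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            return [pscustomobject]@{ Days = $DefaultDays; Source = 'built-in default (value not present)' }
        }
        [pscustomobject]@{ Days = [int]$item.PasswordExpiryWarning; Source = "$key\PasswordExpiryWarning" }
    }

    # Assumed target: the 14-day window the posters above configure to match XP.
    $expectedDays = 14
    $effective = Get-PasswordExpiryWarningDays
    "Effective warning window: $($effective.Days) day(s)  [source: $($effective.Source)]"
    if ($effective.Days -ne $expectedDays) {
        "Mismatch: expected $expectedDays day(s). Check rsop.msc or 'gpresult /scope computer /v' for the GPO that should set it."
    }

    # Optional cross-check from the policy side (needs an elevated prompt):
    # secedit /export /cfg "$env:TEMP\secpol.inf" | Out-Null
    # Select-String -Path "$env:TEMP\secpol.inf" -Pattern 'PasswordExpiryWarning'
    # A configured value shows up in the [Registry Values] section as
    #   MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14
    ```

    Run it in the logged-on user's session on the Windows 7 machine that fails to prompt. If the value is present but the balloon still goes unnoticed, the later replies in this thread about the short-lived toast and hidden notification icons are the next thing to look at.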
  • Hi All,

    Stan650's fix doesn't work for me, even by running RSOP as Admin I'm unable to change the 'interactive logon...' option; it's completely greyed out.

    The system is in the correct OU etc.

    Monday, May 17, 2010 10:53 AM
  • From what I can see in my environment Windows 7 will not prompt for the password change. I have about 120 machines, 1/2 of which are Win7 Professional and the rest XP Prof. If you login to a 7 machine and go unprompted on a need for password change, then try again on an XP machine, you'll see it work on XP. So the policies etc are all fine. It's just the Windows 7 environment using a 2003 AD that seems to be the problem.
    Thus far it looks like this issue is going unanswered from the responses I see.
    Brian

    Thursday, May 20, 2010 5:57 PM
  • I was unable to repro the issue you mention. My Win 7 machine was joined to a 2003 AD and successfully received the notification to change password after I logged in.

    please note that:

    In XP, after you enter your credentials and press Enter, the notification to change password appears before the desktop comes up.

    In Win 7, the behavior has changed: the notification only appears after you have logged in. Please note that the notification to change password has changed to a balloon notification appearing at the taskbar. It will only appear for a few seconds. If you click the balloon, nothing will happen. The balloon states "Please click CTRL + ALT + DEL to change the password".

    Tuesday, May 25, 2010 12:56 AM
  • I had the same issue.  I was able to reproduce it, if I had the UAC turned off.  When it was turned on, the notification would work.  Then I called MS Support and it started working correctly whether UAC was turned on or off.  Either way, I put together a VBS script that goes in to your GPO that displays a popup window telling the user their password expires in # days and that the user MUST click OK to dismiss.

    It goes in the GPO - User Config - Policies - Admin Templates - System - Logon - Run these programs at user logon.  You will also need to add the folder location to IE Trusted Sites to avoid having a popup asking if it should run the script.

    PwExpChk.vbs

        '========================================
        ' First, get the domain policy.
        '========================================
        Dim oDomain
        Dim oUser
        Dim maxPwdAge
        Dim numDays
        Dim warningDays

        warningDays = 6
      
        Set LoginInfo = CreateObject("ADSystemInfo") 
        Set objUser = GetObject("LDAP://" & LoginInfo.UserName & "") 
        strDomainDN = UCase(LoginInfo.DomainDNSName)
        strUserDN = LoginInfo.UserName

       
        Set oDomain = GetObject("LDAP://" & strDomainDN)
        Set maxPwdAge = oDomain.Get("maxPwdAge")

        '========================================
        ' Calculate the number of days that are
        ' held in this value.
        '========================================
        numDays = CCur((maxPwdAge.HighPart * 2 ^ 32) + _
                        maxPwdAge.LowPart) / CCur(-864000000000)
        'WScript.Echo "Maximum Password Age: " & numDays
       
        '========================================
        ' Determine the last time that the user
        ' changed his or her password.
        '========================================
        Set oUser = GetObject("LDAP://" & strUserDN)

        '========================================
        ' Add the number of days to the last time
        ' the password was set.
        '========================================
        whenPasswordExpires = DateAdd("d", numDays, oUser.PasswordLastChanged)
        fromDate = Date
        daysLeft = DateDiff("d",fromDate,whenPasswordExpires)
       
        'WScript.Echo "Password Last Changed: " & oUser.PasswordLastChanged

        if (daysLeft < warningDays) and (daysLeft > -1) then
            Msgbox "Password Expires in " & daysLeft & " day(s)" & " at " & whenPasswordExpires & chr(13) & chr(13) & "Once logged in, press CTRL-ALT-DEL and" & chr(13) & "select the 'Change a password' option", 0, "PASSWORD EXPIRATION WARNING!"
        End if

        '========================================
        ' Clean up.
        '========================================
        Set oUser = Nothing
        Set maxPwdAge = Nothing
        Set oDomain = Nothing

    Friday, July 09, 2010 12:19 AM
  • I was able to get my Windows 7 clients to prompt when the password is going to expire in 14 days through GPO Policies. But if the user does not change their password with 1 day left, they have to call our helpdesk to have their password reset.

    XP users are forced to change their password at the logon screen once the password is expired.

    Can you tell me if your Win7 users are forced to change their passwords once the password is expired, or if they have to contact the helpdesk or admin to have their passwords reset if they keep ignoring the message?

    Tuesday, July 13, 2010 3:44 PM
  • I ignored the password expiring message and let my password completely expire.  The day after when I went to sign on, I was forced to change the password.  So it works on my systems.

    Are your users actually logging out, or do they just leave their machine logged in and locked over night?  If they leave them logged in and the password expires, then their account will probably get locked out due to the workstation using an expired password after a while.

    Monday, August 02, 2010 4:01 PM
  • Hello,

    I had this problem recently as well & it drove me mad.  We are using Windows Server 2008 Domain Controllers and the Password Policy set at Domain level worked fine until we upgraded the client machines from Windows XP to Windows 7.  The policy itself seemed to work - i.e. user accounts were expiring after 120 days as per the policy setting, but the "Interactive Logon: Prompt User to change password before expiration 14 days" wasn't working for our Windows 7 clients.

    After lots of testing & forum searching I worked out that you have to use a Fine-Grained password policy now & set the policy at the User Group level - it doesn't work if you set it at the Domain level or at OU level.  Because our user groups change annually (as we are a school) and I didn't want the administrative burden of remembering to do this at the start of every academic year, I used this free program which enabled me to use the security groups which all our domain user groups are already members of: http://www.specopssoft.com/documentation/specops-password-policy-basic-documentation

    Hope this helps

    Monday, October 18, 2010 9:09 AM
  • All,

    I have this problem too. Basically everyone has some kind of other solution, be it a 3rd party utility or a script, but we don't know why Windows 7, as a member of an AD that is 2003 or 2008, doesn't prompt that a password is about to expire in x days.

    I am still looking for a Microsoft solution cause SP1 didn't solve this.

    Wednesday, October 26, 2011 5:41 PM
  • Massara, I had the same issue, and I think the answer you and I were looking for is what stan650 mentioned above.  It wasn't defined for my users even though the XP users get prompted within 14 days of expiry.  I made the change and hopefully will see results..


    > Hey all,
    >
    > Make sure you have configured the "Interactive logon: Prompt user to change password before expiration". It is located in local policies/security options.
    >
    > Although it says default is 14 days if you don't configure this, I had configure this for my windows 7 machines to start notifying me. It fixed my issue.


    Friday, October 28, 2011 6:49 PM
  • I noticed this issue and asked our Microsoft TAM to look into it.  He found two things that I think we were all missing:

    1) In Windows 7, the message appears as a "toast" (ie: a pop-up message in the bottom right corner of the screen) and it only displays for a few seconds.  Your users are probably getting the message, but they don't notice it because it is no longer an intrusive part of the login process.

    2) In Windows 7, if you don't define this with a GPO, the default will be 5 days, as opposed to 14 days for XP clients.

    Hope this helps!

    Tuesday, November 01, 2011 6:47 PM
  • So Motiionblurrr hit it on the mark.

    The problem is not that Windows 7 doesn't prompt to change password; it does.  The problem is that it isn't as intrusive as Windows XP or previous Windows.

    It appears in the System Tray next to the computer clock and disappears.

    So let's say I log into the machine and I know it will take a few minutes, so I get a cup of coffee.

    So I then leave my desk not knowing a pop up appeared and disappeared in the system tray.


    • Edited by Massara Wednesday, November 02, 2011 2:37 PM
    Wednesday, November 02, 2011 2:37 PM
  • This is an old post, but I finally updated my script to take in to consideration non-expiring passwords.


        '==========================================
        ' Check for password expiring notification
        '==========================================
        ' First, get the domain policy.
        '==========================================
        Dim oDomain
        Dim oUser
        Dim maxPwdAge
        Dim numDays
        Dim warningDays

        warningDays = 6
      
        Set LoginInfo = CreateObject("ADSystemInfo") 
        Set objUser = GetObject("LDAP://" & LoginInfo.UserName & "") 
        strDomainDN = UCase(LoginInfo.DomainDNSName)
        strUserDN = LoginInfo.UserName

        '========================================
        ' Check if password is non-expiring.
        '========================================
        Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
        intUserAccountControl = objUser.Get("userAccountControl")
        If intUserAccountControl And ADS_UF_DONT_EXPIRE_PASSWD Then
            'WScript.Echo "The password does not expire."
        Else
       
            Set oDomain = GetObject("LDAP://" & strDomainDN)
            Set maxPwdAge = oDomain.Get("maxPwdAge")

            '========================================
            ' Calculate the number of days that are
            ' held in this value.
            '========================================
            numDays = CCur((maxPwdAge.HighPart * 2 ^ 32) + _
                            maxPwdAge.LowPart) / CCur(-864000000000)
            'WScript.Echo "Maximum Password Age: " & numDays
       
            '========================================
            ' Determine the last time that the user
            ' changed his or her password.
            '========================================
            Set oUser = GetObject("LDAP://" & strUserDN)

            '========================================
            ' Add the number of days to the last time
            ' the password was set.
            '========================================
            whenPasswordExpires = DateAdd("d", numDays, oUser.PasswordLastChanged)
            fromDate = Date
            daysLeft = DateDiff("d",fromDate,whenPasswordExpires)
       
            'WScript.Echo "Password Last Changed: " & oUser.PasswordLastChanged

            if (daysLeft < warningDays) and (daysLeft > -1) then
                Msgbox "Password Expires in " & daysLeft & " day(s)" & " at " & whenPasswordExpires & chr(13) & chr(13) & "Once logged in, press CTRL-ALT-DEL and" & chr(13) & "select the 'Change a password' option", 0, "PASSWORD EXPIRATION WARNING!"
            End if

        End if

        '========================================
        ' Clean up.
        '========================================
        Set oUser = Nothing
        Set maxPwdAge = Nothing
        Set oDomain = Nothing

    Thursday, March 22, 2012 8:02 PM
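    The VBScript above recomputes the expiry date from the domain's maxPwdAge, so it reports the wrong date for any user covered by a fine-grained password policy (the point raised in the October 18, 2010 reply). The following PowerShell is an added example, not the poster's script or a Microsoft sample: it asks the domain controller for the effective expiry through the constructed attribute msDS-UserPasswordExpiryTimeComputed, which already accounts for PSOs, "password never expires" and "user must change password at next logon". It assumes the RSAT ActiveDirectory module on the client and a Windows Server 2008 or later domain controller; the function name, the 6-day threshold (mirroring warningDays above) and the message text are choices made for this example.

    ```powershell
    # Added example (not from the thread): PowerShell logon-script replacement
    # for PwExpChk.vbs that lets the DC compute the expiry, so fine-grained
    # password policies are honoured. Requires the RSAT ActiveDirectory module.
    Import-Module ActiveDirectory

    function Get-PasswordExpiryStatus {
        param(
            [string]$SamAccountName = $env:USERNAME,
            [int]$WarningDays = 6      # same threshold as warningDays in the VBScript
        )
        $user = Get-ADUser -Identity $SamAccountName `
            -Properties PasswordNeverExpires, pwdLastSet, 'msDS-UserPasswordExpiryTimeComputed'
        $raw = [int64]$user.'msDS-UserPasswordExpiryTimeComputed'

        # The DC returns Int64.MaxValue when the password never expires, either
        # because of the DONT_EXPIRE_PASSWD flag or a "never" maximum age.
        if ($user.PasswordNeverExpires -or $raw -eq 0x7FFFFFFFFFFFFFFF) {
            return [pscustomobject]@{ User = $user.SamAccountName; State = 'NeverExpires'; ExpiresOn = $null; DaysLeft = $null }
        }
        # pwdLastSet = 0 means "must change at next logon"; the computed attribute is 0 too.
        if ([int64]$user.pwdLastSet -eq 0 -or $raw -eq 0) {
            return [pscustomobject]@{ User = $user.SamAccountName; State = 'MustChangeAtNextLogon'; ExpiresOn = $null; DaysLeft = 0 }
        }

        $expires  = [datetime]::FromFileTime($raw)          # FILETIME -> local DateTime
        $daysLeft = [int][math]::Floor(($expires - (Get-Date)).TotalDays)
        $state = if ($daysLeft -lt 0) { 'Expired' }
                 elseif ($daysLeft -lt $WarningDays) { 'ExpiringSoon' }
                 else { 'OK' }
        [pscustomobject]@{ User = $user.SamAccountName; State = $state; ExpiresOn = $expires; DaysLeft = $daysLeft }
    }

    # Logon-script behaviour: a modal box the user has to dismiss, as in the VBScript.
    $status = Get-PasswordExpiryStatus
    $status | Format-List
    if ($status.State -eq 'ExpiringSoon') {
        Add-Type -AssemblyName System.Windows.Forms
        $text = "Your password expires in $($status.DaysLeft) day(s), on $($status.ExpiresOn).`r`n`r`n" +
                "Once logged in, press CTRL-ALT-DEL and select 'Change a password'."
        [void][System.Windows.Forms.MessageBox]::Show($text, 'PASSWORD EXPIRATION WARNING', 'OK', 'Warning')
    }
    ```

    Deploy it the same way as the VBScript (a user logon script in the GPO). Because the expiry comes from the DC rather than from a client-side calculation, the same script also works for users whose PSO gives them a shorter or longer maximum password age than the domain default, and it never shows a warning for accounts flagged as never expiring.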
  • Actually, it will not appear in the System Tray if "icons and notifications are set to Hidden."  That's right, no balloon pop up on a Windows 7 Pro machine. But if you expand the hidden arrow icon you will see the password notification there.

    I think this might be the answer as stated above:

    "Fine-Grained password policy now & set the policy at the User Group level"



    • Edited by Jon.Snow Tuesday, August 14, 2012 4:19 PM
    Wednesday, May 16, 2012 8:19 PM
  • Hi Jon.Snow, so if you use a Fine-Grained password policy, do users actually get a message on the logon screen like "your password will expire in X days, do you want to change it now?", like it does on XP?

    We see the balloon notifications, but it's very easy for users to miss, and it only appears after logging on; we end up with a lot of users that stay logged on for a week and don't see the balloon at all. Currently "Interactive logon: Prompt user to change password before expiration" is set to 4 days; I'm changing that to 10 days now.

    Tuesday, May 29, 2012 10:01 PM
  • It would be nice to change the notification (officially through Microsoft) for users on this.  Users simply ignore the notification area, or think it is for unimportant items, or as previously mentioned, are doing other tasks.  This is too critical a function to leave to this part of the notification area.

    Also if "icons and notification are set to Hidden." or the user sets them to be hidden and it truly isn't showing up, how is this rational??!!  Many people do not want to be bothered by status icons, but would like critical notifications like this.

    Wednesday, June 06, 2012 5:40 PM
  • I had the same issue but I also had balloon notifications disabled in the User GPO so couldn't see the popup balloon prompting the user to change password.

    User Config\policies\administrative templates\ start menu and taskbar\Turn off balloon notifications



    • Edited by pcoogan Tuesday, September 03, 2013 1:07 AM
    Tuesday, September 03, 2013 12:45 AM