Password Expiration notices wrong

ixoni asked | Medium Priority | 560 Views | Last Modified: 2008-02-07
Server 2003 network, XP SP2 clients. Occasionally some of my users are getting password expiration notices that are totally wrong, like for 90 days or 200 days, etc. They should just be getting them 14 days before the expiration.

Any help for this?

Commented:
Maybe the number of days before the warning comes up is configured to something other than the default of 14 days?

http://www.jsifaq.com/SUBS/tip9200/rh9205.htm

The following VBScript looks at the domain information and shows you when the password expiration is really due.
Got this script from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnclinic/html/scripting09102002.asp

Copy it to a file with .VBS extension and run it with the current user account experiencing the problem.

---
' Reports when the current user's domain password was last set, the domain's
' maximum password age and the resulting expiry date. Run as the affected user.
On Error Resume Next

Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000       ' userAccountControl: password never expires
Const E_ADS_PROPERTY_NOT_FOUND  = &h8000500D
Const ONE_HUNDRED_NANOSECOND    = .000000100
Const SECONDS_IN_DAY            = 86400

' Bind to the logged-on user's account object
Set objADSystemInfo = CreateObject("ADSystemInfo")
Set objUser = GetObject("LDAP://" & objADSystemInfo.UserName)

intUserAccountControl = objUser.Get("userAccountControl")
If intUserAccountControl And ADS_UF_DONT_EXPIRE_PASSWD Then
    WScript.Echo "The password does not expire."
    WScript.Quit
Else
    ' PasswordLastChanged raises E_ADS_PROPERTY_NOT_FOUND if pwdLastSet is unset,
    ' so clear any earlier error before reading it
    Err.Clear
    dtmValue = objUser.PasswordLastChanged
    If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
        WScript.Echo "The password has never been set."
        WScript.Quit
    Else
        intTimeInterval = Int(Now - dtmValue)
        WScript.Echo "The password was last set on " & _
          DateValue(dtmValue) & " at " & TimeValue(dtmValue)  & vbCrLf & _
          "The difference between when the password was last" & vbCrLf & _
          "set and today is " & intTimeInterval & " days"
    End If

    ' maxPwdAge is a 64-bit IADsLargeInteger holding a negative 100 ns interval
    Set objDomain = GetObject("LDAP://" & objADSystemInfo.DomainDNSName)
    Set objMaxPwdAge = objDomain.Get("maxPwdAge")

    ' LowPart = 0 covers both 0 and the "never expires" value &h8000000000000000
    If objMaxPwdAge.LowPart = 0 Then
        WScript.Echo "The Maximum Password Age is set to 0 in the " & _
                     "domain. Therefore, the password does not expire."
        WScript.Quit
    Else
        ' HighPart and LowPart both come back as signed 32-bit values. When
        ' LowPart is negative, HighPart * 2^32 + LowPart is 2^32 ticks too low,
        ' so carry one into HighPart first.
        lngHighPart = objMaxPwdAge.HighPart
        lngLowPart  = objMaxPwdAge.LowPart
        If lngLowPart < 0 Then lngHighPart = lngHighPart + 1
        dblMaxPwdNano = Abs(lngHighPart * 2^32 + lngLowPart)
        dblMaxPwdSecs = dblMaxPwdNano * ONE_HUNDRED_NANOSECOND
        dblMaxPwdDays = Int(dblMaxPwdSecs / SECONDS_IN_DAY)
        WScript.Echo "Maximum password age is " & dblMaxPwdDays & " days"

        If intTimeInterval >= dblMaxPwdDays Then
            WScript.Echo "The password has expired."
        Else
            WScript.Echo "The password will expire on " & _
              DateValue(dtmValue + dblMaxPwdDays) & " (" & _
              Int((dtmValue + dblMaxPwdDays) - Now) & " days from today)."
        End If
    End If
End If
---
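The script above does the expiry arithmetic on the raw directory values: maxPwdAge is a 64-bit LARGE_INTEGER exposed as two signed 32-bit halves, pwdLastSet is a FILETIME, and the workstation compares the days left against its own warning window. The Python below is an added example written for this page (it is not from the original post, the MSDN script or Experts Exchange) that models that calculation with constructed values so it runs offline: it shows why `HighPart * 2^32 + LowPart` is 2^32 ticks off when LowPart comes back negative, converts pwdLastSet and maxPwdAge to a date and a day count, and applies a warning window (14 days by default, the figure the question expects) to decide whether a logon notice should appear. The 90-day policy, the 45-day value, the userAccountControl value 0x200 (NORMAL_ACCOUNT) and the dates are all constructed, not taken from the thread's domain.

```python
"""
Added example (not part of the original post or the MSDN script it quotes):
how Active Directory stores maxPwdAge and pwdLastSet, and how a client turns
them into "your password will expire in N days".  Every value below is
constructed for illustration; nothing is read from a real domain.
"""
from datetime import datetime, timedelta, timezone

TICKS_PER_DAY = 86_400 * 10_000_000      # 100 ns intervals in one day
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = -(2 ** 63)               # maxPwdAge 0x8000000000000000 ("0" in the GPO)
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000      # userAccountControl flag


def int64_to_parts(value):
    """Split a signed 64-bit value the way IADsLargeInteger exposes it:
    HighPart and LowPart are *both* handed back as signed 32-bit longs."""
    high = value >> 32                   # arithmetic shift keeps the sign
    low = value & 0xFFFFFFFF
    if low >= 2 ** 31:
        low -= 2 ** 32                   # bit 31 set -> COM returns a negative LowPart
    return high, low


def parts_to_int64(high, low):
    """Recombine HighPart/LowPart into the original signed 64-bit value.

    HighPart * 2^32 + LowPart (what the posted VBScript does) is off by exactly
    2^32 ticks, about 7.2 minutes, whenever LowPart came back negative.
    Treating LowPart as unsigned fixes that."""
    if low < 0:
        low += 2 ** 32
    return high * 2 ** 32 + low


def naive_parts_to_int64(high, low):
    """The combination the posted script uses, kept only to show the gap."""
    return high * 2 ** 32 + low


def filetime_to_datetime(ticks):
    """pwdLastSet is a FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def max_pwd_age_days(max_pwd_age_ticks):
    """maxPwdAge is stored as a *negative* tick count; callers must test for
    0 / NEVER_EXPIRES before treating the result as a real limit."""
    return abs(max_pwd_age_ticks) // TICKS_PER_DAY


def expiry_report(user_account_control, pwd_last_set_ticks, max_pwd_age_ticks,
                  now, warning_window_days=14):
    """Reproduce the logon-time decision: is the expiry warning shown today?

    warning_window_days stands for the workstation's 'Interactive logon:
    Prompt user to change password before expiration' setting; the question
    expects the 14-day default."""
    if user_account_control & ADS_UF_DONT_EXPIRE_PASSWD:
        return {"status": "never expires (account flag)", "days_left": None, "warn": False}
    if max_pwd_age_ticks in (0, NEVER_EXPIRES):
        return {"status": "never expires (domain policy)", "days_left": None, "warn": False}
    if pwd_last_set_ticks == 0:          # never set, or "must change at next logon" ticked
        return {"status": "must change at next logon", "days_left": 0, "warn": True}
    expires = filetime_to_datetime(pwd_last_set_ticks) + timedelta(
        microseconds=abs(max_pwd_age_ticks) // 10)
    days_left = (expires - now) // timedelta(days=1)   # whole days, rounded down
    if days_left < 0:
        return {"status": "expired", "days_left": days_left, "warn": True}
    return {"status": "expires " + expires.strftime("%Y-%m-%d"),
            "days_left": days_left,
            "warn": days_left <= warning_window_days}


# Constructed sample: the thread's 90-day policy, a password set on 2008-01-15,
# observed on 2008-02-07 (the thread's date).  0x200 = NORMAL_ACCOUNT.
MAX_PWD_AGE_90 = -90 * TICKS_PER_DAY
LAST_SET = datetime_to_filetime(datetime(2008, 1, 15, 9, 30, tzinfo=timezone.utc))
OBSERVED = datetime(2008, 2, 7, 9, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    high, low = int64_to_parts(-45 * TICKS_PER_DAY)   # a value whose LowPart is negative
    print("45-day maxPwdAge as ADSI parts:", high, low)
    print("correct - naive =", parts_to_int64(high, low) - naive_parts_to_int64(high, low))
    print("14-day window:", expiry_report(0x200, LAST_SET, MAX_PWD_AGE_90, OBSERVED, 14))
    print("90-day window:", expiry_report(0x200, LAST_SET, MAX_PWD_AGE_90, OBSERVED, 90))
```

With the sample values the password has 67 days left, so a 14-day window shows nothing while a 90-day window warns on every logon, which is the symptom the question describes. The signed-LowPart error is only about seven minutes, which is why the posted script still prints the right number of whole days in most cases; it matters when the expiry falls close to a day boundary.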

Commented:
Oh yeah, also remember that the only Group Policy effectively controlling password policy is the Default Domain Policy or policies applied to the Domain Controllers. Any other GPOs have no effect on password policy.

http://support.microsoft.com/kb/269236/en-us

Commented:
Hi ixoni,
what password policy do you have configured and where exactly - are all clients affected?

Cheers!

Commented:
@JayJay: password policies apply only to domain controllers, and therefore all user accounts within the same domain share the same password policy. See link above.

Author

Commented:
Policy                                        Setting
Enforce password history                      18 passwords remembered
Maximum password age                          90 days
Minimum password age                          1 day
Minimum password length                       7 characters
Password must meet complexity requirements    Enabled
Store passwords using reversible encryption   Enabled

We have a small 85-user domain. The policy is set at the default domain level. All of the users are in one OU in the domain. I don't think this is a policy issue since I have not changed that for a year. Seems like more of a bug or something. Has happened to two users recently.

Commented:
So the actual message users get when logging on looks like: "WARNING!!!! Your password will expire in 80 days!!!!!" ;-)

Right?

Commented:
rant32,

I don't debate that point at all, but I have seen multiple occurrences on EE alone of people putting policies in the wrong place and then configuring them properly, and the old policy still has some not-so-friendly effects.

Author

Commented:
Yes, something like that. The standard one. After further discussion with the user, he started getting the message the last time he changed his password, so it started with 89 days... 88... 87... etc. I told him to reset his password and see if it goes away.

Commented:
You're probably right to have asked, I'm new to EE and I don't run into misconfigured networks that often. Whew ;-)

@ixoni, could you update us on the effective days before a notification is given? Use Group Policy Management Console to determine the effective password policy on a domain controller and on an affected client pc, if possible please.

The option is found in
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
and it's called
Interactive Logon: Prompt user to change password before expiration

This one could be dependent on the workstation GPO, I'm not sure.

Commented:
If it doesn't go away, you can use the script above to see how Windows calculates the time. It shows when the password was last set, the age of the password, the maximum age configured in the domain and how many days are left. Maybe it gives us a clue.

Author

Commented:
Yes, I did. The script returns all the correct information. It's just that the user is getting the password expiration messages starting at 90 days out instead of the standard 14. I had him change his password again, but as soon as he rebooted he got the message... your password expires in 89 days....

Commented:
Have you checked on the "Interactive Logon: Prompt user to change password before expiration" setting already? It's a computer policy that applies to the workstation.

See comment #1.

Author

Commented:
Rant, I think that is it. That policy was not set. I assumed (we all know what that means!) that it was set in the GP, since for the past two years everyone was getting the 14-day notice! But it must be a local XP default, and somehow the user's local policy got screwed. I will let you know as soon as I test it.

Thanks