shanna1017

asked on

Users are not getting prompted to change their passwords before they expire

I found this on the internet which described my problem to a T

"I've noticed on Windows XP workstations that the password about to expire warning does not appear when the user logs on. This has been an annoyance for quite a while that I have not got to the bottom of.

I've checked the "Interactive logon: Prompt user to change password before expiration" using RSOP, GPMC and gpedit.msc and all these tools tell me that this setting is 14 days.

This seems to happen on XP computers that are left powered on (but logged off or locked) when not in use (e.g. nights and weekends) and where only one (domain) user account is normally used to logon.

Another thing I've noticed is that if the same user account is used to logon to a Terminal Services session (or RDP to another computer), they do get the "password about to expire" message, although they didn't get it when logging on their XP workstation. If the user does not change the password, logs off the TS or RDP session, logs off at their workstation, then logs on at the workstation again, they still don't get the warning (even if the workstation is restarted)."



Any ideas what the problem could be?

apache09

Not sure if this makes a difference, but:
Do the workstations have the messaging service started on them?
Can you double check:

Click Start and click Run.
Type gpedit.msc and click OK.
Expand the following: Computer Configuration | Windows Settings | Local Policies | Security Options.
In the right pane, double click Interactive logon: Prompt user to change password before expiration.
Configure the value you want to use, click Apply, and click OK.
Close the Group Policy Editor.

ctharp

I think you have your answer pretty much in your question. If users are not logging off and just locking their screen, the user is just unlocking their current logged-in session. I believe the expired password group policy runs upon a session log in. Since you are not logging in and loading group policies when unlocking the screen, the user will not be prompted to change the password. You may need to look into forcing log off after inactivity or properly training the user.
http://support.microsoft.com/kb/Q314999

ASKER

Thanks for the replies...

ryansoto, I have already double checked that and it is set properly.

apache09, that's an interesting thought. Messenger is disabled on almost all workstations, though it is running on the one machine that I (in particular) have noticed that I get prompted on when I RDP into it. The only difference between that machine and all the others is it's still on SP1.

Does Messenger have to be running to get that prompt?

ctharp, I agree with you and originally that's what I thought it was. But that doesn't explain this:

"Another thing I've noticed is that if the same user account is used to logon to a Terminal Services session (or RDP to another computer), they do get the "password about to expire" message, although they didn't get it when logging on their XP workstation. If the user does not change the password, logs off the TS or RDP session, logs off at their workstation, then logs on at the workstation again, they still don't get the warning (even if the workstation is restarted)."
So it's just this one workstation having issues and it's on SP1?
No, that workstation is just one I happened to notice does prompt me, but I only log into it via RDP.

Under Active Directory Users and Computers, do you have that client's password set to never expire?
Nope... as I mentioned, people will get prompted if they log in via RDP.

It's odd.
Just a thought:

Saving domain credentials locally is something that administrators can do so that clients can log in without an Active Directory DC to authenticate with and still have access to files and services that require domain credentials, like some mail profiles. If you have those credentials in the list of Users for the local computer, it may have a setting in there that says password never expires. Though you are logging into the domain, this setting could prevent the 14 day flag from appearing. However, RDP uses AD credentials from the DC to authenticate to the computer. So, you will be prompted with a flag.

In a way, this is like a set of cached usernames and passwords on the local PC. I could see these conflicting with AD authentication, much like cached passwords do.

If you go, on the client computer, to:

Control Panel >> Users >> Select the User >> Advanced button >> Select Users

and select the user that is having problems on this PC, can you see "password never expires" on that set of local credentials?
Thanks for the reply chief... I'm one of the people not getting prompted, and when I check the users on my local computer, I'm not even listed, so I don't think that is the issue.

Is it possible that the messenger service has to be running to get prompted?
The last thought I have is cached usernames and passwords. But, those would expire when the password needed to be changed and they would error out with an access denied. So, I don't believe this is your problem.
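
The thread circles around four checks: the 14-day "Prompt user to change password before expiration" value that apache09's gpedit.msc steps configure, whether the Messenger service matters, whether the account is flagged "password never expires" as chief suggests, and ctharp's point that the warning is evaluated at an interactive logon rather than at an unlock. The following PowerShell script is an added diagnostic that gathers those facts from one workstation in a single run; it is not code from the thread or from Microsoft. It assumes it runs on the affected, domain-joined workstation under an account that can read HKLM and query the domain through ADSI. The registry value PasswordExpiryWarning under the Winlogon key, the service name Messenger, the LDAP attributes pwdLastSet, userAccountControl and maxPwdAge, and the flag 0x10000 (ADS_UF_DONT_EXPIRE_PASSWD) are standard Windows names; the SamAccountName parameter and every variable are this script's own.

```powershell
# Added diagnostic for the "no password expiry warning at logon" problem.
# Not from the thread or from Microsoft. Assumes a domain-joined workstation and
# an account allowed to read HKLM and query AD over LDAP via ADSI.
param(
    [string]$SamAccountName = $env:USERNAME   # account to inspect (script's own parameter)
)

# 1. Threshold behind "Interactive logon: Prompt user to change password before
#    expiration". Group Policy writes it to this REG_DWORD in days; when the value
#    is absent the OS default of 14 days applies.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$warnDays = (Get-ItemProperty -Path $winlogon -Name PasswordExpiryWarning -ErrorAction SilentlyContinue).PasswordExpiryWarning
if ($null -eq $warnDays) { $warnDays = 14 }
"Warning threshold on this workstation : $warnDays day(s)"

# 2. State of the Messenger service (apache09's question). The expiry warning is a
#    Winlogon dialog and does not depend on this service; XP SP2 disables it by default.
$svc = Get-Service -Name Messenger -ErrorAction SilentlyContinue
if ($svc) { "Messenger service                      : $($svc.Status)" }
else      { "Messenger service                      : not present" }

# 3. Read the account's password age and the domain's maximum password age from AD.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext
$domain   = [ADSI]"LDAP://$domainDn"

$userSearch = New-Object System.DirectoryServices.DirectorySearcher($domain)
$userSearch.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
[void]$userSearch.PropertiesToLoad.AddRange([string[]]@('pwdLastSet', 'userAccountControl'))
$user = $userSearch.FindOne()
if ($null -eq $user) { throw "Account '$SamAccountName' not found under $domainDn" }

$domainSearch = New-Object System.DirectoryServices.DirectorySearcher($domain, '(objectClass=domain)')
$domainSearch.SearchScope = 'Base'
[void]$domainSearch.PropertiesToLoad.Add('maxPwdAge')
$maxPwdAge = [int64]$domainSearch.FindOne().Properties['maxpwdage'][0]

# pwdLastSet is a FILETIME (100-ns intervals since 1601); maxPwdAge is a negative
# interval in the same 100-ns units, which is exactly the size of a .NET tick.
$pwdLastSetRaw = [int64]$user.Properties['pwdlastset'][0]
$uac           = [int]$user.Properties['useraccountcontrol'][0]
$dontExpire    = ($uac -band 0x10000) -ne 0
$neverExpires  = $dontExpire -or ($maxPwdAge -eq 0) -or ($maxPwdAge -eq [int64]::MinValue)

"DONT_EXPIRE_PASSWD flag on the account : $dontExpire"

if ($pwdLastSetRaw -eq 0) {
    "Result: pwdLastSet is 0, the account must change its password at next logon; no countdown applies."
}
elseif ($neverExpires) {
    "Result: the password never expires (account flag or domain policy), so no expiry warning will appear."
}
else {
    $pwdLastSet = [DateTime]::FromFileTimeUtc($pwdLastSetRaw)
    $expires    = $pwdLastSet.AddTicks(-$maxPwdAge)
    $daysLeft   = [math]::Round(($expires - [DateTime]::UtcNow).TotalDays, 1)
    "Password last set (UTC)                : $pwdLastSet"
    "Password expires (UTC)                 : $expires ($daysLeft day(s) left)"
    if ($daysLeft -le $warnDays) {
        "Result: inside the $warnDays-day window; a full interactive logon (not an unlock) should show the warning."
    } else {
        "Result: outside the $warnDays-day window; no warning is expected yet."
    }
}
```

Run it as the affected user on the affected workstation (`.\Check-PwdExpiryWarning.ps1` or with `-SamAccountName someuser`) and compare the "Result" line with what Winlogon actually shows. If the script reports the account inside the window but the user still sees nothing at a real logon, the workstation side (the Winlogon value, or users who only unlock rather than log on) is the place to keep looking; if it reports the password as never expiring, the account or domain policy explains the silence. The script deliberately reads only the domain account, not the workstation's Stored User Names and Passwords list that chief describes, so that list still has to be checked by hand.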
ASKER CERTIFIED SOLUTION
shanna1017