Set password expires warning to 7 days in Windows 2003 AD domain via group policy

Greetings,

That's a setting in your AD. Let's open your MMC (global or by OU, depending on where you want to apply it).

By default, Windows will notify users 14 days before their password expires. You can change the 14-day value and increase or decrease it, depending on your requirements. This can easily be accomplished by editing the appropriate GPO or the local computer policy. You can change the default value in Windows XP using the steps below:

I set the default domain policy that is linked to an OU to warn users 7 days before the password is going to expire.  It still warns at 14 days.

I changed this setting:

Click Start and click Run.
Type gpedit.msc and click OK.
Expand the following: Computer Configuration | Windows Settings | Local Policies | Security Options.
In the right pane, double click Interactive logon: Prompt user to change password before expiration.

Am I missing something here? Is this the correct place to change it? This is a Windows 2003 native domain. Clients are XP and it occurs for all clients.
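As an added example (not part of the original thread), the following PowerShell script shows how to verify on a client what the warning threshold actually in effect is, rather than trusting the GPO editor. The "Interactive logon: Prompt user to change password before expiration" setting lands in the Winlogon registry value PasswordExpiryWarning, so reading it back on the client tells you whether the 7-day value ever arrived. It assumes the RSAT ActiveDirectory module is installed on the machine you run it from (the thread's XP/2003 era predates these cmdlets); the 7-day expectation and the use of the default domain password policy are assumptions matching the question.

```powershell
# Added example, not from the original thread: check which warning threshold
# a client actually uses and whether the current user is inside that window.
# Assumes the RSAT ActiveDirectory module is available on this host.

# "Interactive logon: Prompt user to change password before expiration" is
# delivered by policy to this registry value (REG_DWORD, number of days).
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-EffectiveExpiryWarningDays {
    $item = Get-ItemProperty -Path $WinlogonKey -Name PasswordExpiryWarning -ErrorAction SilentlyContinue
    # Value absent: no policy ever set it, so Windows uses its built-in default of 14 days.
    if ($null -eq $item) { return 14 }
    return [int]$item.PasswordExpiryWarning
}

function Get-PasswordExpiryStatus {
    param(
        [string]$SamAccountName     = $env:USERNAME,
        [int]   $ExpectedWarningDays = 7      # the value the thread is trying to enforce (assumption)
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $user   = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet, PasswordNeverExpires
    $maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge   # TimeSpan; zero means "never"
    $warn   = Get-EffectiveExpiryWarningDays

    $status = [ordered]@{
        User                 = $user.SamAccountName
        PasswordNeverExpires = $user.PasswordNeverExpires   # if $true, no policy will ever warn this account
        WarningDaysInEffect  = $warn
        MatchesExpected      = ($warn -eq $ExpectedWarningDays)
        DaysUntilExpiry      = $null
        WarningShouldFire    = $false
    }

    # Only compute an expiry date when the password actually ages out.
    if (-not $user.PasswordNeverExpires -and $user.PasswordLastSet -and
        $maxAge -gt [TimeSpan]::Zero -and $maxAge -lt [TimeSpan]::FromDays(36500)) {
        $expires = $user.PasswordLastSet + $maxAge
        $status.DaysUntilExpiry   = [math]::Floor(($expires - (Get-Date)).TotalDays)
        $status.WarningShouldFire = ($status.DaysUntilExpiry -le $warn)
    }
    return [pscustomobject]$status
}

Get-PasswordExpiryStatus | Format-List
```

If WarningDaysInEffect still reports 14 after a gpupdate, the policy that carries the 7-day value is not reaching the computer; `gpresult /scope computer /r` on the same client lists which GPOs were actually applied and is the quickest way to see whether the OU-linked GPO is among them.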
ChiefIT Commented:
This is a step-by-step on how to set up your password policy:

This article states to create your own policy and link it to the domain. If you do it this way, make sure your default domain policy doesn't have your password policy settings.

WARNING: I also recommend you create a second domain admin account for yourself. If you don't, you risk getting locked out on the default domain administrator logon. The reason you risk this is if that account is in use elsewhere, when you change your password, AD will get confused and lock out your administrator account.

After setting up your policy, you will have to edit it to change your 14 day warning date to 7 days. To do this, go to your MMC console and edit the policy you just created.

NOTE: I am doing this by memory. So forgive me if this is wrong. It should be close.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Prompt user to change password before expiration ((14 days by default))

A couple more recommendations for you:

1) One is to NOT allow your users to save passwords or credentials in Managed passwords. These are like cached passwords and can lock them out if this setting is configured.

2) The next option is to disable LMHash authentication. If you don't need LMHash to be backwards compatible to legacy machines you really should consider this. Let me provide you an article about LMHash authentication and let you decide this option: (note: disabling this will greatly enhance IT sec).

3) Consider a strong password policy with special characters, numbers and capitals that is about 8 characters long.

4) Also disable the "disable CTRL+Alt+Del upon logon" That GPO is in the same place as the 14 day policy:

Once done, this is the part I think you are having problems with:

Under active directory users and computers>>user accounts>>your user>>

If "Password Never Expires" is selected, you can forget about ANY password policies. "Password Never Expires" overrides group policy for your password policies. Some like it when the administrator of the domain has this selected. That gives the administrator the ability to change passwords at his/her leisure.

I hope this helps.

Any questions please ask.

I think I read somewhere that this setting should be enabled in Default Domain Controllers policy. You may give it a try.
Wadski (IT Director) Commented:
That is the correct location. You did this on the AD not your local Group Policy right?

(Right-click on your domain in ADU&C and select Properties, then choose the Group Policy tab.)

Ensure that the policy has time to replicate throughout your domain.

dmwynne (Author) Commented:
I did this on the domain.  
I changed the setting over a month ago so replication should not be an issue.  

That being said, when I highlight my domain name in ADUC there is nothing in the Linked Group Policy Objects tab and Group Policy Inheritance tab. When looking at the same screen for the OU I can see the default domain policy linked. The screens I am referring to are essentially the same as what you refer to, but I have the new Group Policy Management Console installed.

Incidentally, the default domain controllers group policy is set at 14 days for the warning.
Wadski (IT Director) Commented:
Sounds like an inheritance problem. I would create a new test OU. Stick yourself in it and a specific policy just for this setting and enable it.

Check all the other policies that are inherited to ensure that nothing else overwrites it and see if it takes.

PS - a month is long enough to wait for replication! I was thinking you'd just done it!
dmwynne (Author) Commented:
The issue seems to be that since you can only have one password policy per domain, it needs to be applied at the domain root level in order to take effect. I created a new GPO at the root and changed the setting to warn at 7 days. Ran gpupdate /target:computer /force on all the DCs and then restarted a laptop two times, and the policy has applied and I am no longer getting the warning.

I found this post that was helpful:
Another thing is, you shouldn't link a default domain or default domain controller policy to anything.
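As an added example (not from the original thread or its participants), the following PowerShell script audits the two things this thread turns on: which GPOs linked at the domain root actually configure the Security Options ChiefIT lists (the 7-day warning, the LM hash setting, and the CTRL+ALT+DEL requirement), and which accounts carry the "Password never expires" flag that makes them ignore the policy entirely. Security Options are not stored in Registry.pol, so Get-GPRegistryValue cannot see them; the script reads each GPO's SecEdit template (GptTmpl.inf) from SYSVOL instead. It assumes the RSAT GroupPolicy and ActiveDirectory modules are available and that SYSVOL is readable; the expected values (7, 1, 0) are the thread's recommendations, and the function names are my own.

```powershell
# Added example, not from the original thread: audit where the warning setting
# (and the other Security Options recommended above) comes from, and find
# accounts that bypass password policy. Assumes the RSAT GroupPolicy and
# ActiveDirectory modules and read access to SYSVOL.
Import-Module GroupPolicy     -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

# Security Options live in the GPO's SecEdit template under [Registry Values]
# as   <registry path>=<type>,<data>   e.g.
# MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,7
# Expected values below are the thread's recommendations (assumption).
$Checks = @(
    @{ Setting  = 'Prompt user to change password before expiration (days)'
       Path     = 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning'
       Expected = '7' }
    @{ Setting  = 'Do not store LAN Manager hash value on next password change'
       Path     = 'MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash'
       Expected = '1' }
    @{ Setting  = 'Do not require CTRL+ALT+DEL (0 = still required, which is what we want)'
       Path     = 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD'
       Expected = '0' }
)

function Get-GpoSecurityOptionValue {
    param(
        [Parameter(Mandatory)]$Gpo,           # object returned by Get-GPO
        [Parameter(Mandatory)][string]$Path   # registry path exactly as written in GptTmpl.inf
    )
    # Standard SYSVOL layout: \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}
    $inf = "\\$($Gpo.DomainName)\SYSVOL\$($Gpo.DomainName)\Policies\{$($Gpo.Id)}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    if (-not (Test-Path -LiteralPath $inf)) { return $null }   # GPO carries no security settings at all
    $line = Get-Content -LiteralPath $inf | Where-Object { $_ -like "$Path=*" } | Select-Object -First 1
    if (-not $line) { return $null }                             # GPO does not configure this setting
    $rhs = $line.Substring($line.IndexOf('=') + 1)
    $type, $data = $rhs -split ',', 2     # type 4 = REG_DWORD, 1 = REG_SZ (data quoted)
    return $data.Trim().Trim('"')
}

function Get-DomainRootSecurityOptionAudit {
    # The thread's resolution was a GPO linked at the domain root, so that is
    # the scope audited here; swap in an OU's DN to audit a test OU instead.
    $domainDn = (Get-ADDomain).DistinguishedName
    foreach ($link in (Get-GPInheritance -Target $domainDn).GpoLinks) {
        $gpo = Get-GPO -Guid $link.GpoId
        foreach ($check in $Checks) {
            $value = Get-GpoSecurityOptionValue -Gpo $gpo -Path $check.Path
            [pscustomobject]@{
                Gpo       = $gpo.DisplayName
                LinkOrder = $link.Order      # link order 1 is applied last and therefore wins
                Enabled   = $link.Enabled
                Enforced  = $link.Enforced
                Setting   = $check.Setting
                Value     = $value           # $null = not configured in this GPO
                Compliant = ($value -eq $check.Expected)
            }
        }
    }
}

function Get-NeverExpiringAccounts {
    # "Password never expires" on the account overrides every password policy.
    Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' -Properties PasswordNeverExpires |
        Select-Object SamAccountName, DistinguishedName
}

Get-DomainRootSecurityOptionAudit | Format-Table -AutoSize
Get-NeverExpiringAccounts        | Format-Table -AutoSize
```

Two GPOs at the root both setting PasswordExpiryWarning is the situation the thread kept running into: the audit shows both, and the one with the lower link order (or the Enforced one) is the value clients will see. An enabled account in the second listing will never be warned no matter what the audit says, so the two outputs should be read together.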