Set password expires warning to 7 days in Windows 2003 AD domain via group policy

Greetings ,

That's a setting in your AD. Let's open your MMC (global or by OU, depending on where you want to apply it).

By default, Windows will notify users 14 days before their password expires. You can change the 14-day value and increase or decrease it, depending on your requirements. This can easily be accomplished by editing the appropriate GPO or the local computer policy. You can change the default value in Windows XP using the steps below:

I set the default domain policy that is linked to an OU to warn users 7 days before the password is going to expire.  It still warns at 14 days.

I changed this setting:

Click Start and click Run.
Type gpedit.msc and click OK.
Expand the following: Computer Configuration | Windows Settings | Local Policies | Security Options.
In the right pane, double click Interactive logon: Prompt user to change password before expiration.

Am I missing something here? Is this the correct place to change it? This is a Windows 2003 native domain. Clients are XP and it occurs for all clients.
dmwynneAsked:
sputnik_itCommented:
I think I read somewhere that this setting should be enabled in Default Domain Controllers policy. You may give it a try.
WadskiIT DirectorCommented:
That is the correct location. You did this on the AD not your local Group Policy right?

(Right click on your domain in ADU&C and select Properties, then choose the Group Policy tab.)

Ensure that the policy has time to replicate throughout your domain.
dmwynneAuthor Commented:
I did this on the domain.  
I changed the setting over a month ago so replication should not be an issue.  

That being said, when I highlight my domain name in ADUC there is nothing in the Linked Group Policy Objects tab and Group Policy Inheritance tab. When looking at the same screen for the OU I can see the default domain policy linked. The screens I am referring to are essentially the same as what you refer to, but I have the new Group Policy Management Console installed.

Incidentally, the Default Domain Controllers group policy is set at 14 days for the warning.
WadskiIT DirectorCommented:
Sounds like an inheritance problem. I would create a new test OU. Stick yourself in it and a specific policy just for this setting and enable it.

Check all the other policies that are inherited to ensure that nothing else overwrites it and see if it takes.

PS - a month is long enough to wait for replication! I was thinking you'd just done it!
dmwynneAuthor Commented:
The issue seems to be that since you can only have one password policy per domain it needs to be applied at the domain root level in order to take effect. I created a new GPO at the root and changed the setting to warn at 7 days. Ran gpupdate /target:computer /force on all the DCs and then restarted a laptop two times and the policy has applied and I am no longer getting the warning.

I found this post that was helpful:

http://www.experts-exchange.com/Microsoft/Applications/Q_22925833.html
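As an added check that is not part of the thread: once the domain-root GPO has been applied and the client rebooted, the "Interactive logon: Prompt user to change password before expiration" security option lands in the client's Winlogon registry key as the REG_DWORD PasswordExpiryWarning. This PowerShell snippet (assumed to be run locally on the XP client) reads that value and compares it with the 7 days configured in the GPO, so you can tell an unapplied policy from a policy that applied with the wrong value.

```powershell
# Added example, not from the thread: verify on a client that the domain-root GPO
# actually delivered the 7-day warning after gpupdate and a reboot.
# The security option is written to the Winlogon key as PasswordExpiryWarning;
# the value is the number of days before expiry at which the prompt appears.
param(
    [int]$ExpectedDays = 7   # the value set in the domain-root GPO in this thread
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$item = Get-ItemProperty -Path $winlogon -Name 'PasswordExpiryWarning' -ErrorAction SilentlyContinue

if ($null -eq $item) {
    # No value at all means no GPO set the option; the built-in 14-day default applies.
    Write-Output "PasswordExpiryWarning is not set; the built-in default of 14 days applies."
    Write-Output "The policy has not reached this machine. Check the winning GPO with: gpresult /scope computer /v"
    exit 1
}

$actual = [int]$item.PasswordExpiryWarning
if ($actual -eq $ExpectedDays) {
    Write-Output "OK: users on this machine are warned $actual days before password expiry."
    exit 0
}

# A value is present but not the expected one: another GPO (for example the
# Default Domain Controllers Policy still at 14 days) is winning on this machine.
Write-Output "MISMATCH: registry says $actual days, expected $ExpectedDays."
Write-Output "List the applied GPOs and their precedence with: gpresult /scope computer /v"
exit 1
```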
ChiefITCommented:
This is a step-by-step on how to set up your password policy:
http://technet.microsoft.com/en-us/library/cc875814.aspx

This article states to create your own policy and link it to the domain. If you do it this way, make sure your default domain policy doesn't have your password policy settings.

WARNING: I also recommend you create a second domain admin account for yourself. If you don't, you risk getting locked out on the default domain administrator logon. The reason you risk this is if that account is in use elsewhere, when you change your password, AD will get confused and lock out your administrator account.

After setting up your policy, you will  have to edit it to change your 14 day warning date to 7 days. To do this, go to your MMC console and edit the policy you just created.

NOTE: I am doing this by memory. So forgive me if this is wrong. It should be close.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Prompt user to change password before expiration ((14 days by default))

A couple more recommendations for you:

1) One is to NOT allow your users to save passwords or credentials in Managed passwords. These are like cached passwords and can lock them out if this setting is configured.

2) The next option is to disable LMHash authentication. If you don't need LMHash to be backwards compatible to legacy machines you really should consider this. Let me provide you an article about LMHash authentication and let you decide this option: (note: disabling this will greatly enhance IT sec).
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_23132123.html

3) Consider a strong password policy with special characters, numbers and capitals that is about 8 characters long.

4) Also disable the "disable CTRL+Alt+Del upon logon" option. That GPO is in the same place as the 14 day policy.

________________________________________
Once done, this is the part I think you are having problems with:

Under active directory users and computers>>user accounts>>your user>>

If "Password Never Expires" is selected, you can forget about ANY password policies. "Password Never Expires" overrides group policy for your password policies. Some like it when the administrator of the domain has this selected. That gives the administrator the ability to change passwords at his/her leisure.

I hope this helps.

Any questions please ask.

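Since accounts with "Password Never Expires" checked are exempt from the password policy and will never see the expiry warning, it is worth knowing which ones you have. The following PowerShell audit is an added example, not from the thread; it uses plain ADSI/LDAP (no ActiveDirectory module, which does not exist for a 2003 domain) and assumes it is run on a domain-joined machine with an account that can read the directory.

```powershell
# Added example, not from the thread: list domain users whose "Password Never Expires"
# box is checked, since that flag bypasses the password policy and the expiry warning.
# DONT_EXPIRE_PASSWD is bit 0x10000 (65536) of userAccountControl; the matching rule
# OID 1.2.840.113556.1.4.803 performs a bitwise AND inside the LDAP filter.
$root = [ADSI]'LDAP://RootDSE'
$domainDN = $root.defaultNamingContext

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDN"
$searcher.PageSize = 1000   # paged search so large domains return all results
$searcher.Filter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))'
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
[void]$searcher.PropertiesToLoad.Add('pwdLastSet')

$results = $searcher.FindAll()
Write-Output ("{0} account(s) have 'Password Never Expires' set:" -f $results.Count)
foreach ($r in $results) {
    # DirectorySearcher returns property names in lower case.
    $name = $r.Properties['samaccountname'][0]
    $dn   = $r.Properties['distinguishedname'][0]
    # pwdLastSet is a FILETIME; 0 (never set) shows up as 1601-01-01.
    $lastSet = [DateTime]::FromFileTime([int64]$r.Properties['pwdlastset'][0])
    Write-Output ("  {0,-20} password last set {1:yyyy-MM-dd}  {2}" -f $name, $lastSet, $dn)
}
$results.Dispose()
```

Accounts that show an old "last set" date here have effectively opted out of the policy you just linked at the domain root; review each one rather than clearing the flag blindly, since service accounts may depend on it.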
ChiefITCommented:
Another thing is, you shouldn't link a default domain or default domain controller policy to anything.