Force password change 2 days before it expires?

DorisOnline asked:
In a windows 2003 domain, is it possible to either:
-force users to change their password 2 days before it actually expires?
or if not:
-manipulate the logon message "your password will expire in xx days" to say "your password will expire in xx -2 days" instead? So that when somebody logs on and gets the message "your password will expire in 2 days", is it possible to subtract 2 days in group policy so that it actually says "your password will expire today"?

I know it's an odd question, but here's the background:
Most users leave changing their password to the last day.
This is not such a problem, except that in this situation, it seems that all these users don't get authenticated properly anymore against our internal servers after they changed their password and log on. They will get a logon prompt for intranet or internet, or their roaming profiles don't load at all, even if their account is not locked out. These problems don't seem to happen if users change their password a few days ahead of the deadline.
For one particular user it was so bad, that each time this person left the password change to the last day, his roaming profile refused to load the day after he changed it. Nothing would help (including restoring profile from backup), so we ended up giving him a local profile. If this person would change his password BEFORE the last day, everything would continue fine.

All the evidence is pointing at some sort of synch issue between the DCs, the ISA and our webservers, but there are absolutely no synch issues for people who change their password a few days ahead. Also, if people change their password on the last day, then get the authentication issue, the one resolution that always works is getting them to change their password using CTRL-ALT-DEL while they are still logged on, and everything starts working again.

Any suggestions to fix this last-day-password-change-authentication-problem issue are welcome of course, but otherwise I'm curious to see if it is possible to fake the message advising how many days are left until the password expires, just to get more users to change it before the last day.
Brian Pierce, Photographer (Awarded 2007, Top Expert 2008)

Commented:
Windows does not provide such options. Once a password expires, users have a number of "grace logons" (6 by default) and they are warned on all six occasions that they should change their password; only if they do not change the password within the grace period is authentication refused.
I believe you can only change the number of days being prompted, not manipulate the dialog to produce something else.

You may be able to write a login script that pulls their expiration date and prompts the user that way instead. This would mean shutting down the domain prompt (or setting it to prompt at 5 days) and having the script start prompting them to change their password 19 days ahead (instead of 14).

Here's Microsoft's answer for the script.

http://support.microsoft.com/kb/323750
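One way to build the login script Brian describes, as an added example that is not from the thread or from KB 323750 (it does use the same pwdLastSet / maxPwdAge arithmetic as the KB's VBScript, read through plain ADSI so it runs against a Windows 2003 domain with no ActiveDirectory module). The function names, the $WarnDays / $LeadDays parameters and the popup wording are assumptions made here. The script subtracts $LeadDays from the real number of days left, so the user is told the password expires earlier than it really does, and it skips accounts whose password never expires or is already flagged for change at next logon:

```powershell
# Added example (not from the original thread or from KB 323750, though it reads the same
# attributes the KB's VBScript reads). Warns the logged-on user that their domain password
# expires $LeadDays sooner than it actually does, to get them to change it before the last day.
param(
    [int]$WarnDays = 14,   # assumption: the window the domain's built-in prompt uses
    [int]$LeadDays = 2     # extra days subtracted from the real count shown to the user
)

# userAccountControl flag meaning "password never expires"
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

function Get-PasswordExpiryInfo {
    # Pure arithmetic, kept separate from AD so it can be exercised with constructed values.
    param(
        [long]$PwdLastSetFileTime,   # pwdLastSet: FILETIME, 100-ns ticks since 1601
        [long]$MaxPwdAgeTicks,       # maxPwdAge: stored as a NEGATIVE count of 100-ns ticks
        [int]$UserAccountControl,
        [datetime]$Now = (Get-Date)
    )
    if ((($UserAccountControl -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0) -or ($MaxPwdAgeTicks -eq 0)) {
        # Password never expires (per-account flag, or no maximum age in the domain policy)
        return New-Object PSObject -Property @{ Expires = $null; DaysLeft = $null; MustChangeNow = $false }
    }
    if ($PwdLastSetFileTime -eq 0) {
        # pwdLastSet = 0 means "user must change password at next logon"
        return New-Object PSObject -Property @{ Expires = $Now; DaysLeft = 0; MustChangeNow = $true }
    }
    $lastSet  = [datetime]::FromFileTime($PwdLastSetFileTime)
    $maxAge   = [timespan]::FromTicks(-$MaxPwdAgeTicks)
    $expires  = $lastSet + $maxAge
    $daysLeft = [int][math]::Floor(($expires - $Now).TotalDays)
    New-Object PSObject -Property @{ Expires = $expires; DaysLeft = $daysLeft; MustChangeNow = ($daysLeft -le 0) }
}

function Get-CurrentUserPasswordExpiry {
    # Same attributes KB 323750 reads, via ADSI; any domain user can read these for themselves.
    $rootDse = [ADSI]"LDAP://RootDSE"
    $domain  = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
    $maxPwdAgeTicks = $domain.ConvertLargeIntegerToInt64($domain.maxPwdAge.Value)

    $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
    $searcher.SearchRoot = $domain
    $null = $searcher.PropertiesToLoad.AddRange(@('pwdLastSet', 'userAccountControl'))
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "User $env:USERNAME not found under $($rootDse.defaultNamingContext)" }

    Get-PasswordExpiryInfo -PwdLastSetFileTime ([long]$hit.Properties['pwdlastset'][0]) `
                           -MaxPwdAgeTicks $maxPwdAgeTicks `
                           -UserAccountControl ([int]$hit.Properties['useraccountcontrol'][0])
}

$info = Get-CurrentUserPasswordExpiry
if ($null -ne $info.DaysLeft) {
    # Shift the count the user sees by $LeadDays so "2 days left" reads as "expires today"
    $shownDays = [math]::Max(0, $info.DaysLeft - $LeadDays)
    if ($shownDays -le $WarnDays) {
        $msg = if ($shownDays -eq 0) {
            "Your password expires today. Press CTRL-ALT-DEL and change it now."
        } else {
            "Your password will expire in $shownDays day(s). Press CTRL-ALT-DEL to change it."
        }
        # Same WScript.Shell popup the KB script uses; 0x30 = exclamation icon, 60 s timeout
        $null = (New-Object -ComObject WScript.Shell).Popup($msg, 60, 'Password expiry', 0x30)
    }
}
```

Run it as the user logon script; it needs no elevation. The built-in warning window is the Security Option "Interactive logon: Prompt user to change password before expiration" (14 days by default), so set $WarnDays and $LeadDays to whatever window you settle on, and either lower the built-in prompt or leave it as a second reminder. Because Get-PasswordExpiryInfo takes the raw attribute values, you can check the arithmetic offline by calling it with a constructed pwdLastSet and maxPwdAge before deploying.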

Author

Commented:
I see how that could work, and thanks for the link, I tried it and it returns the right values for the password expiration. So it shouldn't be too difficult to create a logon script that prompts for a password change a few days ahead of the real date.
Thanks for the quick reply
