In a windows 2003 domain, is it possible to either:
-force users to change their password 2 days before it actually expires?
or if not:
-manipulate the logon message "your password will expire in xx days" to say "your password will expire in xx -2 days" in stead? So that when somebody logs on and gets the message "your password will expire in 2 days", is it possible to substract 2 days in group policy so that it actually says "your password will expire today"?
I know it's an odd question, but here's the background:
Most users leave changing their password to the last day.
This is not such a problem, except that in this situation, it seems that all these users don't get authenticated properly anymore against our internal servers after they changed their password and log on. They will get a logon prompt for intranet or internet, or their roaming profiles don't load at all, even if their account is not locked out. These problems don't seem to happen if users change their password a few days ahead of the deadline.
For one particular user it was so bad, that each time this person left the password change to the last day, his roaming profile refused to load the day after he changed it. Nothing would help (including restoring profile from backup), so we ended up giving him a local profile. If this person would change his password BEFORE the last day, everything would continue fine.
All the evidence is pointing at some sort of synch issue between the DCs, the ISA and our webservers, but there are absolutely no synch issues for people who change their password a few days ahead. Also, if people change their password on the last day, then get the authentication issue, the one resolution that always works is getting them to change their password using CTRL-ALT-DEL while they are still logged on, and everything starts working again.
Any suggestions to fix this last-day-password-change-authentication-problem issue are welcome of course, but otherwise I'm curious to see if it is possible to fake the message advising how many days are left until the password expires, just to get more users to change it before the last day.