DorisOnline

Force password change 2 days before it expires?

In a Windows 2003 domain, is it possible to either:
-force users to change their password 2 days before it actually expires?
or if not:
-manipulate the logon message "your password will expire in xx days" to say "your password will expire in xx -2 days" instead? So that when somebody logs on and gets the message "your password will expire in 2 days", is it possible to subtract 2 days in group policy so that it actually says "your password will expire today"?

I know it's an odd question, but here's the background:
Most users leave changing their password to the last day.
This is not such a problem, except that in this situation, it seems that all these users don't get authenticated properly anymore against our internal servers after they changed their password and log on. They will get a logon prompt for intranet or internet, or their roaming profiles don't load at all, even if their account is not locked out. These problems don't seem to happen if users change their password a few days ahead of the deadline.
For one particular user it was so bad, that each time this person left the password change to the last day, his roaming profile refused to load the day after he changed it. Nothing would help (including restoring profile from backup), so we ended up giving him a local profile. If this person would change his password BEFORE the last day, everything would continue fine.

All the evidence is pointing at some sort of synch issue between the DCs, the ISA and our webservers, but there are absolutely no synch issues for people who change their password a few days ahead. Also, if people change their password on the last day, then get the authentication issue, the one resolution that always works is getting them to change their password using CTRL-ALT-DEL while they are still logged on, and everything starts working again.

Any suggestions to fix this last-day-password-change-authentication-problem issue are welcome of course, but otherwise I'm curious to see if it is possible to fake the message advising how many days are left until the password expires, just to get more users to change it before the last day.
Brian Pierce

Windows does not provide such options; once a password expires, users have a number of "grace logons" (6 by default) and they are warned on all six occasions that they should change their password. Only if they do not change the password within the grace period is authentication refused.
ASKER CERTIFIED SOLUTION
Nick M
This solution is only available to members.
DorisOnline

ASKER

I see how that could work, and thanks for the link, I tried it and it returns the right values for the password expiration. So it shouldn't be too difficult to create a logon script that prompts for a password change a few days ahead of the real date.
Thanks for the quick reply
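
What a logon script along those lines could look like, as an added example that is not the script from the linked solution or from anyone in this thread: it reads `pwdLastSet` and the domain `maxPwdAge` over ADSI and reminds the user as if the deadline were `$LeadDays` days earlier. It assumes PowerShell is available on the client and a single domain-wide password policy; `Get-PasswordExpiry`, `$LeadDays`, `$WarnDays` and the message text are made up for the illustration.

```powershell
# Added example, not from the thread. $LeadDays/$WarnDays are assumed values.
$LeadDays = 2    # act as if the password expired this many days early
$WarnDays = 14   # start reminding this many days before the adjusted date

function Get-PasswordExpiry {
    param([long]$PwdLastSet, [long]$MaxPwdAge, [int]$UserAccountControl)
    # $null means the password never expires.
    if ($UserAccountControl -band 0x10000) { return $null }   # DONT_EXPIRE_PASSWD
    if ($MaxPwdAge -eq 0 -or $MaxPwdAge -eq [long]::MinValue) { return $null }
    # pwdLastSet = 0 means "must change at next logon": already expired.
    if ($PwdLastSet -eq 0) { return [datetime]::MinValue }
    # pwdLastSet is a UTC FILETIME; maxPwdAge is a negative count of 100-ns ticks.
    return [datetime]::FromFileTimeUtc($PwdLastSet).AddTicks(-$MaxPwdAge)
}

$domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
$root = [ADSI]"LDAP://$domainDn"

# DirectorySearcher returns large-integer attributes as Int64.
$ds = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=*)')
$ds.SearchScope = 'Base'
$maxPwdAge = $ds.FindOne().Properties['maxpwdage'][0]

# Assumes the logon name contains no LDAP filter metacharacters.
$us = New-Object System.DirectoryServices.DirectorySearcher($root)
$us.Filter = "(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
$user = $us.FindOne()
if ($null -eq $user) { return }   # local account or lookup failed: stay silent

$expiry = Get-PasswordExpiry -PwdLastSet $user.Properties['pwdlastset'][0] `
    -MaxPwdAge $maxPwdAge -UserAccountControl $user.Properties['useraccountcontrol'][0]

if ($null -ne $expiry) {
    # Days until the real expiry, shifted earlier by $LeadDays.
    $daysLeft = [math]::Floor(($expiry - [datetime]::UtcNow).TotalDays) - $LeadDays
    if ($daysLeft -le $WarnDays) {
        $when = if ($daysLeft -le 0) { 'today' } else { "in $daysLeft days" }
        $msg  = "Your password must be changed $when. " +
                'Press CTRL-ALT-DEL and choose Change Password.'
        [void](New-Object -ComObject WScript.Shell).Popup($msg, 0, 'Password expiry', 48)
    }
}
```

The script only reminds; the real expiry enforced by the domain is unchanged, so a user who ignores the reminder still has the `$LeadDays` margin.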