Solved

Domain Password Policy Not Prompting Windows 7 Clients to Change Password Before Expiry

Posted on 2010-09-22
8
7,375 Views
Last Modified: 2012-05-10
Hi,

We are a Windows Server 2008 domain and have a password policy set at domain level which was working fine until we upgraded the clients to Windows 7.  Now it no longer prompts the users to change their passwords before expiry - it simply expires, then tells them they need to change the password before they are able to login.

Our password policy is set as follows:
Min Length: 6 characters
Password Complexity is on
Maximum Age: 120 days
Minimum Age: 2 days
Password History: 2
Interactive Logon:Prompt User to Change Password Before Expiration: 14 days

When our clients were running Windows XP they were regularly prompted to change their passwords from 14 days before expiry & they could choose to ignore this prompt or set a new password at that point.  It would appear that the password policy itself is working as paswords are expiring, it's just the prompt which isn't working for users who logon to a Windows 7 machine.  I need this to work as our staff and students connect to our site from home & if their password expires without them realising, they will not be able to login remotely.

Does anyone have any ideas?
0
Comment
Question by:stbernards
  • 4
  • 2
  • 2
8 Comments
 
LVL 20

Expert Comment

by:Iain MacMillan
Comment Utility
have you connected to your DC with the Win 7 system with RSAT tools installed, to update the GP files for Win 7 systems, or have a 2008 DC server?

you may need to check that the policy you use, is applicable to Win 7 systems, and not just XP - do you have your Win 7 machine accounts in a separate OU, or are they in among the XP machine accounts?  You could always create a new password policy specifically for Win 7 systems.

you can also run the GPRESULT /H filename.html command (call it whatever file-name you want), to see what policies are being run on your Win 7 system.
0
 

Author Comment

by:stbernards
Comment Utility
Hi,

My domain controllers are both server 2008, but I tend to use RSAT tools on my Windows 7 client machine to do any group policy editing.  However, our password policy is the same one that was in place when our domain controllers were 2003 and the clients were xp - I haven't made any changes to the policy - do I need to?

Our Windows 7 machine accounts are in the same OU as the xp machines.  Are you suggesting that there are new policy settings when configuring a password policy for a windows 7 client machine?  If so what are they?

I have already run GPRESULT /H for my login on my machine & the default domain policy is applying & specifically, the password policies I described above are applying (or so it says!)

0
 
LVL 2

Accepted Solution

by:
mszal101 earned 500 total points
Comment Utility
If I remember correctly we had this same problem when we first started putting windows 7 machines on our network - the problem was that we were using the default setting on the default domain policy, however windows 7 requires it to be manually set in order to take effect.

The default is 14 days which we were happy with - but I had to manually set it in the RSAT under:

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options

The option in question is "interactive logon: prompt user to change password before expiration"

0
 
LVL 20

Expert Comment

by:Iain MacMillan
Comment Utility
yes you need to specifically set it, as mszal101 says.  once you save it, you just need to run GPUPDATE to test it.

OU sorting is a personal preference thing, but given there are far more options to set in GPO for Win 7 and 2008 Server, you might want to keep the 7 machine accounts separate from the XP systems, until such time you have removed all XP presence.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:stbernards
Comment Utility
Hi,

I have just checked our setup again & the settings which MSZAL101 suggested configuring are already set that way in GPMC

ie. Computer config > Windows Settings > Security Settings > Local Policies > Security Options
"The Interactive Logon: prompt user to change password before expiration" is already set to 14 days - as I said I haven't changed anything & it has always worked up till now.

This is set in the Default Domain Policy.  Are you saying that I need to create a new OU for only Windows 7 machines & set the policy at that level instead?

I'm sorry to sound thick, but I don't understand why it has stopped working if it as the Domain level

Thanks for your help
0
 
LVL 2

Assisted Solution

by:mszal101
mszal101 earned 500 total points
Comment Utility
Is it set by default to 14 days or did you Hard Set it to 14 days?  There is a difference - For some reason windows 7 does not employ it unless it is set manually.
0
 

Author Comment

by:stbernards
Comment Utility
Brilliant - that worked, thanks.

I hard set my domain password policy to prompt at 14 days & now I am being prompted by the balloon in the system tray.  I assume this is the normal Windows 7 way now & actually it it better because it is easier to ignore if it is set to a longer time span.
0
 

Author Closing Comment

by:stbernards
Comment Utility
Thank you, this solution fixed my problem.  It was the hard setting that did the trick - obviously another Microsoft bug!
0

Featured Post

Too many email signature changes to deal with?

Are you constantly being asked to update your organization's email signatures? Do they take up too much of your time? Wouldn't you love to be able to manage all signatures from one central location, easily design them and deploy them quickly to users. Well, you can!

Join & Write a Comment

OfficeMate Freezes on login or does not load after login credentials are input.
When you start your Windows 10 PC and got an "Operating system not found" error or just saw  "Auto repair for startup". After a while, you have entered a loop for Auto repair which does not fix anything and you will be in a  panic as all your work w…
This Micro Tutorial will give you basic overview of the control panel section on Windows 7. It will depth in Network and Internet, Hardware and Sound, etc. This will be demonstrated using Windows 7 operating system.
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now