windows 7 \ 2008 R2 DC password prompt

Our users are recently loosing connections to resources.
We have diagnosed this to an expired password.

Under windows 7 the users are A: either not being prompted at all, or B: they are clicking cancel and the expiration comes and goes, then they loose access.
I had 3 on Friday, and 4 so far today (Tuesday)

WE have adjusted the GPO
Computer configuration \ policies \ windows settings \ security settings \ local policies \ security options \ Interactive Logon: Prompt user to change password before expiration to 8 days (Default is 14)

The only way we can fix this is to have the user log out, and log back in, it then prompts them for the change. OR have the press "crtl alt delete" \ Change password....

Is there any way to:
1. make this come up every single day, counting down to expiration?
2. prompt the user when it actually is expired?

There is another gpo: Interactive Logon: "require domain controller authentication to unlock workstation" but would that apply to say a print server or file server type resources?

Symptoms:
user cant print
user cant access mapped network drives

current bandaid:
log out, log in, reset password

Domain functional level is currently 2003
LVL 3
wlacroixAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Brad GrouxSenior Manager (Wintel Engineering)Commented:
The reminder/notification "bubble" is about the only way to remind users to change their password when they are already logged in.

Many IT departments automated a process to send out password expiration reminder emails, with instructions about how to change it.

Example:
Your password is set to expire in 7 days. In order to not lose access to network resources please press CTRL+ALT+DEL, then select "Change Password" as soon as possible.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Joshua GrantomSenior Systems AdministratorCommented:
the problem is that windows 7 prompting for a password change is a little reminder bubble in the system icon try.

There is a really good script on Spiceworks that you can configure and run through group policy to be a logon script or a scheduled task that will actually prompt them and alert them to change based on the settings you provide


http://community.spiceworks.com/scripts/show/1594-password-expiration-pop-up-for-windows-7
0
wlacroixAuthor Commented:
Wow, we figured this was a change in windows 7, and that script looks dandy.

No GPO options?
what about forcing the bubble to stay up till it is acknowledged?

is there a GPO for
http://blogs.technet.com/b/lystavlen/archive/2012/05/07/how-to-change-the-duration-of-the-password-expiration-notification.aspx

OR I can build a GPO that sets this registry setting:
Browse to the registry key "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify"
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

Joshua GrantomSenior Systems AdministratorCommented:
As far as I can tell from my GP experience, there's no way to force the notification stay up. The script or email Notification will be your best options.
0
wlacroixAuthor Commented:
Ok this is making me crazy, the users are missing the tool tip because it only stays up for 2 seconds.

How can I make the balloon tip stay open for 30 seconds? I can change the registry key but I don't want to physically touch 180 machines.

The other option is a script.
What are big domains doing, with 700+ machines?
0
Joshua GrantomSenior Systems AdministratorCommented:
we have password reminders setup to email users starting 14 days out. we also have password self-service so if they lock themselves out, they can reset and unlock their own accounts.

If you can change the registry key, you can actually create a group policy preference to push out the registry key change.

http://technet.microsoft.com/en-us/library/cc753092.aspx
0
Brad GrouxSenior Manager (Wintel Engineering)Commented:
You can change the registry key via Group Policy Preferences, no need to touch all machines.
0
Joshua GrantomSenior Systems AdministratorCommented:
Brad,

see post above.
0
wlacroixAuthor Commented:
So I have created the registry setting inside group policy management, but I cant get it to push to a workstation\terminal server.

\computer configuration \ preferences \ windows settings \ registry.
Inside here I have a "balloontip" Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify
REG_DWORD set to 30, as a decimal. 0000001E
This is applied to the hkey_current_user (HKU\.default) hive

I have the said test server inside the OU that the GPO is applied to.

This is set as action "update"

Any tips?
0
Joshua GrantomSenior Systems AdministratorCommented:
hkey_current_user registry must be applied to User Configuration group policies.

What you can do is use item level targeting to make it only apply when they logon to a computer that is in a certain group
0
wlacroixAuthor Commented:
Josh,

Yes I have my GPO applied to an OU specifically for testing, then it will get applied to the default domain policy.
0
Joshua GrantomSenior Systems AdministratorCommented:
No, what I am saying is you have to do the policy preference under user configuration not computer configuration. HKEY current user is user specific not computers specific.
0
wlacroixAuthor Commented:
Its a tad confusing, but only the first time.

so I am using hkey_current_users and applying the keypath to the same

what is the action "create" "replace" or "update"???
0
Joshua GrantomSenior Systems AdministratorCommented:
Update would be best. Under security filtering you've have to apply it to a user OU not a computer OU.

For instance, adding domain users to security filtering and creating a new OU with your user account in it and applying the policy to that OU.
0
wlacroixAuthor Commented:
we have decided to abandon this idea at this time, there has to be a simpler way.
Thank you for all your help.
0
wlacroixAuthor Commented:
After several hours of exploration, the best option is to have a piece of software do a check against AD and then send out reminder emails.
Part of our issue is we have to check 6 domains daily.
0
Jb itmgrCommented:
How do you automate a process to send out password expiration reminder email messages?
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.