Bill H

Password reminders - Server 2008 R2

Hello, we have a Server 2008 R2, we have a default password policy of 180 days, we want the users to get prompted at 30 days and then we also want them to get followed up with again at, say, 14 days if they haven't changed it. Is there a way to natively do this with Windows Group Policy?
Scott Silva

The only reminder that works is when they try and log in and the system forces the change before they log in... Most users will just "put off" any other password changes...
Bill H

ASKER

How does that reminder work? It will notify them at 30 days (per the GPO settings), what happens every day after?
On the last day plus one they will try and log in and they will be prompted to change passwords... Most of my users seem to ignore the notifications.

ASKER

Ok, so just the day before and then day of it forces them? Is there any way to change that?

Do you know of any 3rd party tools which give more control over this (say, change their pw's at diff times)?
Not that I know of... If a user does follow the reminders, the clock starts again from when they change it... So it eventually starts to get spread out over time...
Minimum and maximum password age also affect this. But as far as I know, password policy is domain wide and is the same for all members.

ASKER

Is there a 3rd party tool that will allow users to delay their password expiration?
No... once passwords expire a user cannot log in unless they are off network and use cached credentials...
Cobra25,

This is possible with a PowerShell script.

Check out this TechNet script entry, it's something similar to what we use: https://gallery.technet.microsoft.com/Password-Expiry-Email-177c3e27

That should give you a pretty good idea on how to either create your own, or if you decide, tweak and make it work for your domain/needs.

Hope this helps,

Devin Becker
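A staged version of the scripted reminder suggested above, as an added example that is not part of the thread and not the TechNet script: it reports (and optionally mails) users whose password expires in exactly 30 or 14 days. The stage values come from the question; the SMTP server, sender address and the `Get-ReminderStage` helper are assumptions.

```powershell
# Added example; needs the ActiveDirectory module (RSAT) and a once-a-day schedule.
Import-Module ActiveDirectory

$ReminderDays = 30, 14                     # days-remaining values from the question
$SmtpServer   = 'smtp.example.invalid'     # placeholder, replace with your relay
$From         = 'helpdesk@example.invalid' # placeholder sender

# Hypothetical helper: returns the matching stage (30 or 14) or $null.
function Get-ReminderStage {
    param([datetime]$Expiry, [datetime]$Today, [int[]]$Stages)
    $daysLeft = [int][math]::Floor(($Expiry.Date - $Today.Date).TotalDays)
    if ($Stages -contains $daysLeft) { return $daysLeft }
    return $null
}

$users = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
    -Properties 'msDS-UserPasswordExpiryTimeComputed', mail

foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 means "must change at next logon", Int64 max means "never expires":
    # neither converts to a usable date, so skip them.
    if (-not $raw -or $raw -eq [int64]::MaxValue) { continue }

    $expiry = [datetime]::FromFileTime($raw)
    $stage  = Get-ReminderStage -Expiry $expiry -Today (Get-Date) -Stages $ReminderDays
    if ($null -eq $stage) { continue }

    # Emit one record per reminder so the run can be logged or reviewed.
    New-Object PSObject -Property @{
        User = $u.SamAccountName; Expires = $expiry; DaysLeft = $stage
    }

    if ($u.mail) {
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $u.mail `
            -Subject "Your password expires in $stage days" `
            -Body "Your domain password expires on $($expiry.ToString('yyyy-MM-dd')). Press Ctrl+Alt+Del and choose 'Change a password'."
    }
}
```

`msDS-UserPasswordExpiryTimeComputed` is calculated by the domain controller from the policy that actually applies to each account, so the script does not need to know the 180-day maximum age itself.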

ASKER

Devin, I am not looking for a password reminder email.
Cobra25,

Sorry for my misunderstanding of your question. I thought you were looking for something to notify users of their individual passwords expiring, which we do through email.

As far as I know there is no other way of doing this natively/through GPO.

Hope you find your solution.
ASKER CERTIFIED SOLUTION
Mahesh
This solution is only available to members.
Since Server 2008 there could be different password policies per OU; it is not required to be set within the default domain policy.
The reminders appear every day after the reminder date, every time the user logs in/authenticates, provided the application into which they log in supports it.

So in your current 180 days with 30 remaining notification, on the 150th day the user will be alerted that their password will expire in 30 days and offer the user an option to change the password, at which point, as was pointed out, the count to expiry will start.

I do not believe Windows has a staggered notification option.
1st at 30, next at 14 remaining on a daily basis.

180 day password expiry is rather long usually, standard is between 45 and 90 days with reminders at 14 days.