Home arrow Articles arrow HOW-TO: Change the value that Windows uses to prompt about password expiration
HOW-TO: Change the value that Windows uses to prompt about password expiration Print E-mail


It is often asked how to change the value of the prompt that a user that logs on interactively receives when their password is nearing expiration, as there are no apparent options along with the other (domain-wide) password options.

This article explains this value and how to change it.


When a user changes his/ her password, the attribute pwdLastSet is time stamped with the current date. When a user logs on to a computer with a domain account, the domain controller compares the value of pwdLastSet with the maximum password age defined for the domain. If the timestamp is older than the maximum password age the password has, obviously, expired and as such the user must change his/ her password. Windows clients however, notify the interactive user that the password is nearing expiration at logon, after entering your credentials. This gives the user the chance to change their password before it expires.

Note. When a password expires the user must change it when he/ she attempts to logon to a domain member interactively. However, if the user is trying to access a network resource and the password has expired, the user will not be able to access this resource and will not be given a chance to change passwords - they will simply receive an access denied message.


By default, users are notified that their password is about to expire 14 days before this happens. This option is configurable via Group Policy Object (GPO), but is located in a different section of the security policy to the domain-wide policy settings. The reason for this is that the option to change this behaviour is a computer setting, and can be applied at any level of the hierarchy as it is the computer that initiates this and not the domain controller.


Changing this value

The GPO option to configure this setting is:
Interactive Logon: Prompt user to change password before expiration


This can be found under:
\Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Security Options\


Document information

Author: Paul Williams
Date: 17-09-2005
Version: 2.0
Last updated: 27-07-2007
Last updated by: Paul Williams



Del.icio.us!Technorati!StumbleUpon!Furl!
 
< Prev   Next >