1

We set up password policies in Active Directory to expire people's passwords after so many days. Well, it looks like the time has come for the expiration of the passwords, and people are getting locked out...

There has been no warning to users of passwords about to expire. They just come in to work and they cannot log in, the phones no longer connect, nothing. Reset the password and all is good.

Some of the users are locked out, though most are not; they just cannot log in.

On setting the password expiration, I didn't see anything about warning the users of the impending expiration. It seems like it used to warn you 15 days or so before it would expire.

Clients range from: WinXP, WinVista, Win7 and Server 2008R2 Remote Desktop Services.

How can I make sure my users are warned of the expiration?

Resultant Set of Policy for User that was not prompted:

Account Policies/Password Policy
  Policy                                        Setting                    Winning GPO
  Enforce password history                      10 passwords remembered    Default Domain Policy
  Maximum password age                          270 days                   Default Domain Policy
  Minimum password age                          0 days                     Default Domain Policy
  Minimum password length                       4 characters               Default Domain Policy
  Password must meet complexity requirements    Disabled                   Default Domain Policy
  Store passwords using reversible encryption   Disabled                   Default Domain Policy

Account Policies/Account Lockout Policy
  Policy                                Setting                     Winning GPO
  Account lockout duration              20 minutes                  Default Domain Policy
  Account lockout threshold             5 invalid logon attempts    Default Domain Policy
  Reset account lockout counter after   15 minutes                  Default Domain Policy

Local Policies/Audit Policy
  Policy                            Setting             Winning GPO
  Audit account logon events        Failure             Default Domain Policy
  Audit account management          Success, Failure    Default Domain Policy
  Audit directory service access    Success, Failure    Default Domain Policy
  Audit logon events                Failure             Default Domain Policy
  Audit policy change               Success, Failure    Default Domain Policy
  Audit privilege use               Failure             Default Domain Policy

Local Policies/Security Options
  Interactive Logon
    Policy                                                                Setting    Winning GPO
    Interactive logon: Prompt user to change password before expiration   7 days     Default Domain Policy
scooter133
  • What client OS are you using? Like are you using Mac OSX or something? Or recent versions of Windows? – Zoredache Apr 18 '12 at 18:19
  • I edited the question to add the clients, but they are all Windows clients. The few Macs I'm not worried about. Clients range from: WinXP, WinVista, Win7 and Server 2008R2 Remote Desktop Services. – scooter133 Apr 18 '12 at 18:27
  • Are these users logging out at night? We had the same issues as the users were just locking their PC. – Zapto Aug 18 '12 at 08:34
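The question's RSoP output shows a 270-day maximum password age and a 7-day client-side prompt, but nothing that warns users who never sit at a domain-connected logon screen. The following PowerShell script is an added example, not something from the original question or its answers: it produces a domain-side report of enabled accounts whose passwords expire within a chosen number of days (including those already expired, which are the "cannot log in" cases), and can optionally e-mail each affected user. It needs the RSAT ActiveDirectory module; the SMTP server and sender address are placeholder assumptions.

```powershell
# Added example, not from the original question: domain-side report of accounts whose
# passwords expire within $WarnDays, optionally e-mailing each user, so that people are
# warned even when their client never shows the logon balloon. Requires the RSAT
# ActiveDirectory module. The SMTP server and From address are placeholders (assumptions).
param(
    [int]$WarnDays = 14,
    [string]$SmtpServer = 'smtp.example.internal',  # placeholder
    [string]$From = 'helpdesk@example.internal',     # placeholder
    [switch]$Send                                    # report only unless -Send is given
)

Import-Module ActiveDirectory

# Effective domain-wide maximum password age (270 days in the question's RSoP output).
$maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
Write-Host "Domain maximum password age: $($maxAge.Days) days"

$now = Get-Date

# Enabled accounts whose passwords can expire. msDS-UserPasswordExpiryTimeComputed is a
# constructed attribute (FILETIME) and is only returned when requested with -Properties.
$report = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
                     -Properties msDS-UserPasswordExpiryTimeComputed, mail |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # 0 or Int64.MaxValue means no expiry is computed (e.g. must change at next logon).
        if (-not $raw -or $raw -eq [Int64]::MaxValue) { return }
        $expires  = [datetime]::FromFileTime($raw)
        $daysLeft = [math]::Floor(($expires - $now).TotalDays)
        if ($daysLeft -le $WarnDays) {
            [pscustomobject]@{
                User     = $_.SamAccountName
                Mail     = $_.mail
                Expires  = $expires
                DaysLeft = $daysLeft   # negative = already expired, the "cannot log in" case
            }
        }
    } | Sort-Object DaysLeft

$report | Format-Table -AutoSize

if ($Send) {
    # Only mail users who still have time to act and have a mail attribute set.
    foreach ($u in ($report | Where-Object { $_.Mail -and $_.DaysLeft -ge 0 })) {
        $when = $u.Expires.ToString('yyyy-MM-dd')
        $body = "Your password expires on $when. Change it while connected to the office " +
                "network or VPN (Ctrl+Alt+Del, Change a password) to avoid being locked out."
        Send-MailMessage -To $u.Mail -From $From -SmtpServer $SmtpServer `
            -Subject "Your network password expires in $($u.DaysLeft) day(s)" -Body $body
    }
}
```

Run it without `-Send` first to review the list; rows with a negative `DaysLeft` are the accounts that are already expired. Scheduling it daily on a domain member (for example with Task Scheduler) gives mobile users a warning that does not depend on the client being on the LAN at logon time.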

2 Answers

6

Did you set the policy for warning them of password expiration? Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Interactive logon: Prompt user to change password before expiration

Here, set the number of days (default is 14) before users start getting warnings that their password will expire...

I hope this helps.

Glenn Sullivan
  • Thank you. This is set to 7 days. I changed it back to 14. We have almost all mobile users (laptops); they are usually only in the office once a week. If they are only wired in once a week, they should still have the policy set and still have the warning come up even if they are not physically connected to the network, correct? Thanks! – scooter133 Apr 18 '12 at 19:18
  • I believe that the password expiration notice will only display on clients that are Vista and above while offline. XP and previous gave the user the choice "Would you like to change it now?" which does not work if they are not currently connected, so they only show the message when "online." With Vista and later, the "Password will expire in XX days" message is displayed, but the user has to ctrl-alt-delete to change the password, which will not work "offline." – Glenn Sullivan Apr 18 '12 at 19:26
  • I did a Resultant Set of Policy on the user who just complained of no warning. He's on Windows 7. Reminder set at 7 days. Brought his PC to the office, LAN line connected, and could not log in. – scooter133 Apr 18 '12 at 19:36
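The answer points at the "Prompt user to change password before expiration" policy, and the follow-up comments hinge on whether a given Windows 7 client should have been showing the prompt. The PowerShell snippet below is an added example, not code from the answer or its author: run on the affected client, it reads the threshold that this policy writes to `Winlogon\PasswordExpiryWarning`, looks up the logged-on user's computed expiry date over built-in ADSI (no RSAT required on the client), and reports whether the machine is inside the warning window, already expired, or not due yet. Falling back to 14 days when no policy value is present follows the default quoted in the answer and is an assumption.

```powershell
# Added example, not from the original answer: on a domain-joined client, read the
# threshold that the "Interactive logon: Prompt user to change password before
# expiration" policy writes to Winlogon\PasswordExpiryWarning, fetch the logged-on
# user's real expiry date from AD via built-in ADSI, and state whether this machine
# should be showing a warning right now. The 14-day fallback is an assumption that
# follows the default quoted in the answer.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policy   = Get-ItemProperty -Path $winlogon -Name PasswordExpiryWarning -ErrorAction SilentlyContinue
if ($null -ne $policy) {
    $warnDays = [int]$policy.PasswordExpiryWarning
    $source   = 'registry value written by Group Policy'
} else {
    $warnDays = 14
    $source   = 'no policy value present; assuming the 14-day default'
}
Write-Host "Warning threshold on this client: $warnDays day(s) ($source)"

# Look the current user up on a domain controller. Constructed attributes such as
# msDS-UserPasswordExpiryTimeComputed are only returned when requested explicitly.
$searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
[void]$searcher.PropertiesToLoad.Add('msDS-UserPasswordExpiryTimeComputed')
[void]$searcher.PropertiesToLoad.Add('pwdLastSet')
try   { $result = $searcher.FindOne() }
catch { throw "Could not query the domain (is this client on the office LAN or VPN?): $_" }
if (-not $result) { throw "User $env:USERNAME was not found in the domain." }

# ResultPropertyCollection keys are lower-case; both values are FILETIME Int64s.
$raw     = [int64]$result.Properties['msds-userpasswordexpirytimecomputed'][0]
$lastSet = [int64]$result.Properties['pwdlastset'][0]

if ($lastSet -eq 0) {
    Write-Host 'pwdLastSet is 0: the account is flagged "must change password at next logon".'
} elseif ($raw -eq [int64]::MaxValue) {
    Write-Host 'Password is set to never expire; no warning will ever be shown.'
} else {
    $setDate  = [datetime]::FromFileTime($lastSet)
    $expires  = [datetime]::FromFileTime($raw)
    $daysLeft = [math]::Floor(($expires - (Get-Date)).TotalDays)
    Write-Host ("Password last set {0:yyyy-MM-dd}, expires {1:yyyy-MM-dd} ({2} day(s) left)." -f $setDate, $expires, $daysLeft)
    if ($daysLeft -lt 0) {
        Write-Host 'Already expired: this is the "cannot log in" case from the question.'
    } elseif ($daysLeft -le $warnDays) {
        Write-Host 'Inside the warning window: the logon screen should be prompting this user.'
    } else {
        Write-Host 'Outside the warning window: no prompt is expected yet.'
    }
}
```

If the registry value is missing while RSoP claims the policy applies, Group Policy has not been refreshed on that machine (`gpupdate /force` while connected, then re-run). If the value is present and the user is inside the window but never saw a prompt, the likely cause is the one raised in the comments: the user locks rather than logs off, so the logon screen that displays the prompt is never reached.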
0

If a large number of your employees are remote and never come to the office (or rarely come to the office) I'd recommend looking at DirectAccess. It's an automatic VPN connection that works in the background so that things like group policy updates, password changes, etc. can all happen when the users aren't connected at the office. Basically it automatically VPNs in as needed and gets the needed updates then disconnects.

mrdenny
  • We currently use Cisco AnyConnect. I'll have to look at DirectAccess. Though the people are typically in an office once a week, maybe at most once every two weeks. – scooter133 Apr 18 '12 at 20:28