Background:
In our environment, users log onto a Windows 7 PC and then launch a full-screen Citrix XenApp (same as Microsoft RDSH) desktop. Citrix Reciever with single-sign on is used to launch the XenApp desktop. All work is done within the XenApp desktop. The XenApp servers are not necessarily in the same AD site as the Windows 7 machines.
We enforce password expiry every 30 days. Windows 7 and above prompt the user to reset their password via a balloon message in the notification area. This causes us two problems as detailed below:
Problems
1) Users change their password on their Windows 7 machine whilst already logged into Citrix XenApp, for example by pressing C+A+D. The XenApp desktop session is still authenticated using their old password. They then get problems within XenApp as obviously they cannot authenticate with IIS servers, SQL Servers etc.
2) Users change their password within their XenApp session. This means that their Windows 7 machine is still authenticated using their old password. They can fix this by locking the screen and unlocking it with their new password, however unfortunately this breaks the Single Sign On process of the Citrix client, so if they need to relaunch Citrix XenApp for any reason they cannot, unless they log off Windows 7 and then back on (this guy has the same problem http://discussions.citrix.com/topic/333487-published-desktop-with-receiver-password-changing/).
The crux of the problem is that users are able to change their password once the shell has already loaded. We did not have this problem when the end-user machines ran Windows XP. I think this was because Windows XP prompted the user to change password immediately after logon, before explorer.exe launched.
Question(s):
- Can we configure Windows 7 to prompt the user to change their password prior to the shell loading?
- If not, is there a third-party piece of software that can help us with this? Presumably any organisation that uses Windows 7 and above and also a RDSH/Citrix desktop will have a similar problem.