2

Is it possible to force users (on Windows 7 PCs) to change their password once it has expired?

Currently our users get notifications that their passwords will expire in 7, 3, 2 and 1 days but once the password has expired they are still able to log into their machines with the expired password.

Most of our users ignore the warnings and don't change their password until we tell them they have to (when they ring Help Desk asking why their email and intranet isn't working).

From memory, Windows XP machines would show a message at login that the password had expired and then offer the change password screen. Is it possible to do the same thing under Win7? Similar to how if you set a user's account to "must change password at next login" it gives the change password screen automatically.

9
  • Are you running Active Directory? It's fairly easy to set up with AD. Commented Oct 19, 2010 at 1:24
  • Yes, on Server 2008 R2
    – Windos
    Commented Oct 19, 2010 at 1:35
  • Any advice on how? AD currently handles our user accounts, passwords, password expiry, access to systems. But the machines themselves still allow users to log in with an expired password (if they have logged into it prior to it expiring - like... when it is the user's day to day machine).
    – Windos
    Commented Nov 1, 2010 at 20:58
  • If you don't mind my asking...what's the purpose of forcing them to change their passwords periodically? What scenario does this protect against?
    – user9528
    Commented Jan 12, 2011 at 3:54
  • First and foremost, audit requirements. Second, and somewhat tied into the first point, it's a huge security hole if someone's password is leaked; if they are forced to be changed then a leaked password is only good for a max of 42 days. We're in a medium sized enterprise environment, fyi.
    – Windos
    Commented Jan 12, 2011 at 3:57

2 Answers

2

We still haven't figured out how to force the user to change their password.

Since the main problem is users ignoring the little "Your password will expire in..." and "Your password has expired" bubbles, we have a script run on login that checks if the password has expired and blocks the screen (with instructions on how to change the password) if it is.

This has dramatically reduced the number of calls we get regarding not being able to access emails or intranet.

2
  • Windos, Would you happen to have a copy of the script you used?
    – user111134
    Commented Dec 27, 2011 at 19:22
  • @John, unfortunately no. I wasn't the one to write it and the person who did is still on leave.
    – Windos
    Commented Jan 9, 2012 at 3:36
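The check the answer describes, as an added example (the original script was never posted; this is not it): a PowerShell logon script that reads the current user's computed password-expiry time from AD through ADSI and shows a topmost, modal prompt when it has already passed. It assumes a domain-joined Windows 7 machine with PowerShell installed and a user logging on with a domain account.

```powershell
# Constructed logon-script example: detect an expired domain password at logon
# and put a blocking prompt in front of the user instead of a balloon they can ignore.
# Assumes: domain-joined machine, domain user, PowerShell available on the client.

function Get-PasswordExpiry {
    param([string]$SamAccountName = $env:USERNAME)

    # msDS-UserPasswordExpiryTimeComputed is a constructed attribute; it must be
    # requested explicitly, and it already accounts for fine-grained password policies.
    $searcher = [ADSISearcher]"(&(objectCategory=user)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('msDS-UserPasswordExpiryTimeComputed')
    [void]$searcher.PropertiesToLoad.Add('pwdLastSet')
    $result = $searcher.FindOne()
    if ($null -eq $result) { return $null }   # not a domain account (local user), nothing to check

    $pwdLastSet = [int64]$result.Properties['pwdlastset'][0]
    $expiryRaw  = [int64]$result.Properties['msds-userpasswordexpirytimecomputed'][0]

    return [pscustomobject]@{
        MustChangeAtLogon = ($pwdLastSet -eq 0)              # Windows already forces this case
        NeverExpires      = ($expiryRaw -eq [int64]::MaxValue) # 0x7FFFFFFFFFFFFFFF = no expiry
        ExpiresAt         = if ($expiryRaw -eq [int64]::MaxValue) { $null } else { [DateTime]::FromFileTime($expiryRaw) }
    }
}

function Show-BlockingPrompt {
    param([string]$Message)
    Add-Type -AssemblyName System.Windows.Forms
    # A topmost owner window keeps the message box in front of the desktop until dismissed.
    $owner = New-Object System.Windows.Forms.Form -Property @{ TopMost = $true; ShowInTaskbar = $false }
    [void][System.Windows.Forms.MessageBox]::Show($owner, $Message, 'Password expired',
        [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Warning)
}

$info = Get-PasswordExpiry
if ($info -and -not $info.NeverExpires -and -not $info.MustChangeAtLogon -and
    $info.ExpiresAt -le (Get-Date)) {
    Show-BlockingPrompt ("Your domain password expired on {0:g}.`n`n" +
        "Press Ctrl+Alt+Del, choose 'Change a password', and set a new one now. " +
        "Email and intranet access will not work until you do.") -f $info.ExpiresAt
}
```

Deploy it as a user logon script via Group Policy so it runs in the user's context; the same `Get-PasswordExpiry` result can drive the earlier "expires in N days" warnings by comparing `ExpiresAt` with the current date.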
-1

Try this method:

  1. Right-click on the desired user account from Active Directory Users and Computers.
  2. In the account's Properties window, switch to the Account tab.
  3. Tick the option "User must change password at next logon" and uncheck the option "Password never expires".
2
  • That's great if we're a small site and actively checking each user to see if their account has expired. Unfortunately we're a 500+ seat site and we're needing a way of ensuring the OS/AD forced users to change their passwords at the appropriate time rather than just letting it expire but still be used despite the reduced network access it grants them.
    – Windos
    Commented Jul 26, 2013 at 7:35
  • Run this PowerShell command and you can force all your domain users in an OU to change password: Get-ADUser -Filter * -SearchBase "OU=IT,DC=corp,DC=top-password,DC=com" | Set-ADUser -ChangePasswordAtLogon:$true Commented Apr 4, 2014 at 6:58
