Is it possible to force users (on Windows 7 PCs) to change their password once it has expired?

Currently our users get notifications that their passwords will expire in 7, 3, 2 and 1 days but once the password has expired they are still able to log into their machines with the expired password.

Most of our users ignore the warnings and don't change their password until we tell them they have to (when they ring Help Desk asking why their email and intranet isn't working).

From memory, Windows XP machines would show a message at login that the password had expired and then offer the change password screen. Is it possible to do the same thing under Win7? Similar to how if you set a user's account to "must change password at next login" it gives the change password screen automatically.

Windos
  • Are you running Active Directory? It's fairly easy to set up with AD. – Zac Garrett Oct 19 '10 at 01:24
  • Yes, on Server 2008 R2 – Windos Oct 19 '10 at 01:35
  • Any advice on how? AD currently handles our user accounts, passwords, password expiry, access to systems. But the machines themselves still allow users to log in with an expired password (if they have logged into it prior to it expiring - like... when it is the user's day to day machine). – Windos Nov 01 '10 at 20:58
  • If you don't mind my asking...what's the purpose of forcing them to change their passwords periodically? What scenario does this protect against? –  Jan 12 '11 at 03:54
  • First and foremost, audit requirements. Second, and somewhat tied into the first point; it's a huge security hole if someone's password is leaked and if they are forced to be changed then a leaked password is only good for a max of 42 days. We're in a medium sized enterprise environment, fyi. – Windos Jan 12 '11 at 03:57
  • "Hey look, a stolen password. Eh, I'll sit on it a couple of months before I use it. No rush." –  Aug 21 '12 at 20:52
  • @Kyralessa For authentication the username and a hashed version of the password are transmitted over the network. So someone could capture that information. Due to the hashing algorithm used, it is reasonable to assume that a valid input for the password hash can be computed within 90 days. So passwords need to be changed at regular intervals. – Oliver Salzburg Jul 21 '13 at 10:09
  • For what it's worth (not much since it really doesn't help), I've never seen this behavior in an active directory environment. From 2000 AD all the way up to 2012 R2, and at least from Windows XP to Windows 10, an expired password has always forced changing password at next logon automatically. I checked Group Policy, and I can't even find a way to disable this behavior. This is literally the raison d'être for the "expiration" configuration -- to force the password to be changed periodically. – Dawn Benton Oct 28 '15 at 00:55
  • The only thing I can think of, and this is real slim, maybe just quickly verify replication is working between multiple DCs. I suppose it could be possible that when the password expired, the force password change flag got set, but maybe didn't replicate to the DC that's authenticating the user? That's really the only thing I can think of and that's a slim guess. – Dawn Benton Oct 28 '15 at 01:01

2 Answers


We still haven't figured out how to force the user to change their password.

Since the main problem is users ignoring the little "Your password will expire in..." and "Your password has expired" bubbles, we have a script run on login that checks if the password has expired and blocks the screen (with instructions on how to change the password) if it is.

This has dramatically reduced the number of calls we get regarding not being able to access emails or intranet.

Windos
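The logon script this answer describes, written out as an added example (this is not Windos's own script). It is meant to run as a user logon script on a Windows 7 domain workstation against a Server 2008 R2 domain, as in the question, and uses only the built-in ADSI/.NET classes so it does not need RSAT on the client. It reads the constructed attribute msDS-UserPasswordExpiryTimeComputed, which the DC derives from the effective password policy (fine-grained PSOs included), and shows a top-most dialog with change instructions when the password has expired or is inside the warning window. The warning window, the dialog wording and the log path are assumptions; the check is kept separate from the dialog so it can be logged or tested on its own.

```powershell
# Check-PasswordExpiry.ps1 (added example; not the script from the original answer)
param(
    [int]$WarnDays = 7,                                  # assumed warning window
    [string]$LogPath = "$env:TEMP\password-check.log"    # assumed log location
)

Add-Type -AssemblyName System.Windows.Forms

# Sentinel values returned in msDS-UserPasswordExpiryTimeComputed.
$NEVER_EXPIRES = [int64]::MaxValue   # 0x7FFFFFFFFFFFFFFF: "Password never expires" is set
$MUST_CHANGE   = [int64]0            # pwdLastSet is 0: "must change at next logon"

function Get-PasswordExpiryRaw {
    # Ask a DC for the logged-on user's computed expiry time (FILETIME ticks).
    param([string]$SamAccountName = $env:USERNAME)

    $rootDse  = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    # Constructed attributes are only returned when asked for explicitly.
    [void]$searcher.PropertiesToLoad.Add('msDS-UserPasswordExpiryTimeComputed')

    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "Account '$SamAccountName' not found in the domain." }
    return [int64]$result.Properties['msds-userpasswordexpirytimecomputed'][0]
}

function Get-PasswordState {
    # Translate the raw value into Expired / Expiring / Ok plus the days left.
    param([int64]$RawExpiry, [int]$WarnDays, [datetime]$Now = (Get-Date))

    if ($RawExpiry -eq $NEVER_EXPIRES) {
        return New-Object PSObject -Property @{ State = 'Ok'; DaysLeft = $null; ExpiresAt = $null }
    }
    if ($RawExpiry -eq $MUST_CHANGE) {
        return New-Object PSObject -Property @{ State = 'Expired'; DaysLeft = 0; ExpiresAt = $null }
    }
    $expiresAt = [datetime]::FromFileTime($RawExpiry)
    $daysLeft  = [math]::Floor(($expiresAt - $Now).TotalDays)
    $state = if ($expiresAt -le $Now)       { 'Expired' }
             elseif ($daysLeft -le $WarnDays) { 'Expiring' }
             else                             { 'Ok' }
    return New-Object PSObject -Property @{ State = $state; DaysLeft = $daysLeft; ExpiresAt = $expiresAt }
}

function Show-BlockingNotice {
    param([string]$Title, [string]$Text)
    # ServiceNotification puts the dialog above every other window, so the user
    # has to acknowledge it before continuing (the wording is assumed).
    [void][System.Windows.Forms.MessageBox]::Show(
        $Text, $Title,
        [System.Windows.Forms.MessageBoxButtons]::OK,
        [System.Windows.Forms.MessageBoxIcon]::Warning,
        [System.Windows.Forms.MessageBoxDefaultButton]::Button1,
        [System.Windows.Forms.MessageBoxOptions]::ServiceNotification)
}

$instructions = "Press Ctrl+Alt+Del, choose 'Change a password...' and follow the prompts." +
                "`r`nUntil you do, e-mail and intranet access will keep failing."

try {
    $state = Get-PasswordState -RawExpiry (Get-PasswordExpiryRaw) -WarnDays $WarnDays
    "$(Get-Date -Format s) $env:USERNAME $($state.State) daysLeft=$($state.DaysLeft)" |
        Out-File -FilePath $LogPath -Append

    switch ($state.State) {
        'Expired'  { Show-BlockingNotice 'Your password has expired' `
                         ("Your domain password has expired.`r`n`r`n" + $instructions) }
        'Expiring' { Show-BlockingNotice 'Your password is about to expire' `
                         ("Your domain password expires in $($state.DaysLeft) day(s).`r`n`r`n" + $instructions) }
    }
}
catch {
    # Never hold up the logon when no DC is reachable (laptop off the LAN, cached logon);
    # just record the failure so Help Desk can see why no warning was shown.
    "$(Get-Date -Format s) $env:USERNAME ERROR $_" | Out-File -FilePath $LogPath -Append
}
```

Deploy it through the user logon script GPO; because it is a user-context script it only sees the account that is actually logging on. Using the computed attribute rather than pwdLastSet + maxPwdAge avoids getting the date wrong for accounts covered by a fine-grained password policy.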

Try this method:

  1. Right-click on the desired user account from Active Directory Users and Computers.
  2. In the account's Properties window, switch to the Account tab.
  3. Tick the option "User must change password at next logon" and uncheck the option "Password never expires".
  • That's great if we're a small site and actively checking each user to see if their account has expired. Unfortunately we're a 500+ seat site and we're needing a way of ensuring the OS/AD forced users to change their passwords at the appropriate time rather than just letting it expire but still be used despite the reduced network access it grants them. – Windos Jul 26 '13 at 07:35
  • Run this Powershell command and you can force all your domain users in an OU to change password: Get-ADUser -Filter * -SearchBase "OU=IT,DC=corp,DC=top-password,DC=com" | Set-ADUser -ChangePasswordAtLogon:$true – Arnaud Nouard Apr 04 '14 at 06:58
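A narrower version of the command in the comment above, added here as an example (it is not the commenter's code): it sets "must change password at next logon" only on enabled accounts in the OU whose password has actually expired, instead of on every account in the OU, and previews the change with -WhatIf first. It needs the ActiveDirectory module (RSAT or a 2008 R2 DC); the OU is a placeholder.

```powershell
# Added example: flag only the accounts that have really expired.
Import-Module ActiveDirectory

function Get-ExpiredPasswordUsers {
    param([string]$SearchBase)

    # PasswordExpired is an extended property the module computes from the DC's
    # msDS-User-Account-Control-Computed, so it already honours fine-grained policies.
    Get-ADUser -Filter * -SearchBase $SearchBase `
               -Properties PasswordExpired, PasswordNeverExpires, PasswordLastSet |
        Where-Object { $_.Enabled -and $_.PasswordExpired -and -not $_.PasswordNeverExpires }
}

$ou = 'OU=IT,DC=corp,DC=example,DC=com'   # placeholder; replace with your OU
$expired = @(Get-ExpiredPasswordUsers -SearchBase $ou)

"Accounts with an expired password in ${ou}: $($expired.Count)"
$expired | Select-Object SamAccountName, PasswordLastSet | Format-Table -AutoSize

# Dry run first; remove -WhatIf to actually set pwdLastSet to 0 on these accounts.
$expired | Set-ADUser -ChangePasswordAtLogon $true -WhatIf
```

Scheduling this on a DC once a day gives the XP-style behaviour the question asks for (a forced change-password screen at the next interactive logon) without touching accounts whose passwords are still valid.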