AD User Passwords expiring without any notifications?

Posted by scooter133 on Server Fault
Published on 2012-04-18T18:15:06Z Indexed on 2013/06/24 16:25 UTC

We set up password policies in Active Directory to expire people's passwords after so many days. Well, it looks like the time has come for the expiration of the passwords and people are getting locked out...

There has been no warning of user passwords about to expire. They just come in to work and they cannot log in, the phones no longer connect, nothing. Reset the password and all is good.

Some of the users are locked out, though most are not; they just cannot log in.

On setting the password expiration, I didn't see anything about warning the users of the impending expiration. Seems like it used to warn you 15 days or so before it would expire.

Clients range from: WinXP, WinVista, Win7 and Server 2008R2 Remote Desktop Services.

How can I make sure my users are warned of the expiration?

Resultant Set of Policy for User that was not prompted:

Account Policies/Password Policy 
  Policy                                       Setting                  Winning GPO
  Enforce password history                     10 passwords remembered  Default Domain Policy
  Maximum password age                         270 days                 Default Domain Policy
  Minimum password age                         0 days                   Default Domain Policy
  Minimum password length                      4 characters             Default Domain Policy
  Password must meet complexity requirements   Disabled                 Default Domain Policy
  Store passwords using reversible encryption  Disabled                 Default Domain Policy

Account Policies/Account Lockout Policy
  Policy                              Setting                   Winning GPO 
  Account lockout duration            20 minutes                Default Domain Policy 
  Account lockout threshold           5 invalid logon attempts  Default Domain Policy 
  Reset account lockout counter after 15 minutes                Default Domain Policy 

Local Policies/Audit Policy
  Policy                               Setting             Winning GPO
  Audit account logon events           Failure             Default Domain Policy 
  Audit account management             Success, Failure    Default Domain Policy 
  Audit directory service access       Success, Failure    Default Domain Policy 
  Audit logon events                   Failure             Default Domain Policy 
  Audit policy change                  Success, Failure    Default Domain Policy 
  Audit privilege use                  Failure             Default Domain Policy 

Local Policies/Security Options
  Interactive Logon
    Policy                                                               Setting  Winning GPO
    Interactive logon: Prompt user to change password before expiration  7 days   Default Domain Policy
