Force a Windows 7 user to change password when it has expired


We still haven't figured out how to force the user to change their password.

Since the main problem is users ignoring the little "Your password will expire in..." and "Your password has expired" bubbles, we have a script run on login that checks if the password has expired and blocks the screen (with instructions on how to change the password) if it is.

This has dramatically reduced the number of calls we get regarding not being able to access emails or intranet.
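As an added example (not the poster's script, which was never shared), here is a PowerShell logon-script check along the lines described: it reads the logged-on user's computed expiry from AD through ADSI, so no RSAT is needed on the Windows 7 workstation, and covers the screen with change instructions when the password has already expired. It assumes Server 2008 or later DCs (for the msDS-UserPasswordExpiryTimeComputed constructed attribute); the window is a nag screen, not a lockout.

```powershell
# Added example, assumes Server 2008+ DCs; run as a user logon script.
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing

function Get-PasswordState {
    # Returns 'Expired', 'NeverExpires', 'Valid' or 'Unknown' for the current user.
    $filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$env:USERNAME))"
    $searcher = [adsisearcher]$filter
    [void]$searcher.PropertiesToLoad.Add('msDS-UserPasswordExpiryTimeComputed')
    [void]$searcher.PropertiesToLoad.Add('pwdLastSet')
    try { $result = $searcher.FindOne() } catch { return 'Unknown' }   # DC unreachable, local account
    if (-not $result) { return 'Unknown' }
    $props = $result.Properties
    if (-not $props.Contains('msds-userpasswordexpirytimecomputed')) { return 'Unknown' }  # pre-2008 DC

    $expiry     = [int64]$props['msds-userpasswordexpirytimecomputed'][0]
    $pwdLastSet = [int64]$props['pwdlastset'][0]

    # Sentinels of the constructed attribute: Int64.MaxValue = password never expires,
    # 0 = pwdLastSet is 0, i.e. the account is already flagged "must change at next logon".
    if ($expiry -eq [int64]::MaxValue) { return 'NeverExpires' }
    if ($expiry -eq 0 -or $pwdLastSet -eq 0) { return 'Expired' }
    if ([DateTime]::FromFileTime($expiry) -lt (Get-Date)) { return 'Expired' }
    return 'Valid'
}

function Show-ChangePasswordNag {
    # Maximised, top-most window with no close box. The user can still press
    # Ctrl+Alt+Del and choose "Change a password" while it is shown.
    $form = New-Object System.Windows.Forms.Form
    $form.Text = 'Password expired'
    $form.WindowState = 'Maximized'
    $form.FormBorderStyle = 'None'
    $form.TopMost = $true
    $form.ControlBox = $false

    $label = New-Object System.Windows.Forms.Label
    $label.Dock = 'Fill'
    $label.TextAlign = 'MiddleCenter'
    $label.Font = New-Object System.Drawing.Font('Segoe UI', 18)
    $label.Text = "Your network password has expired.`r`n`r`n" +
                  "Press Ctrl+Alt+Del, choose 'Change a password', then log off and back on.`r`n" +
                  "Email and intranet access will not work until you do."
    $form.Controls.Add($label)
    [void]$form.ShowDialog()
}

if ((Get-PasswordState) -eq 'Expired') { Show-ChangePasswordNag }
```

Accounts the lookup cannot classify (local accounts, no DC reachable) are deliberately left alone so the script never blocks a machine because of a transient network problem.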


Windos

I work as a Network Infrastructure Support Officer for a local governmental body in New Zealand. I currently have a Diploma in Information and Communication Technology and am studying part-time towards a Bachelor in Information Sciences. My main interest outside of IT is Airsoft which is like paintball without the paint.

Updated on September 17, 2022

Comments

  • Windos
    Windos over 1 year

    Is it possible to force users (on Windows 7 PCs) to change their password once it has expired?

    Currently our users get notifications that their passwords will expire in 7, 3, 2 and 1 days but once the password has expired they are still able to log into their machines with the expired password.

    Most of our users ignore the warnings and don't change their password until we tell them they have to (when they ring Help Desk asking why their email and intranet isn't working).

    From memory, Windows XP machines would show a message at login that the password had expired and then offer the change password screen. Is it possible to do the same thing under Win7? Similar to how if you set a user's account to "must change password at next login" it gives the change password screen automatically.

    • Zac Garrett
      Zac Garrett over 13 years
Are you running Active Directory? It's fairly easy to set up with AD.
    • Windos
      Windos over 13 years
      Yes, on Server 2008 R2
    • Windos
      Windos over 13 years
Any advice on how? AD currently handles our user accounts, passwords, password expiry, access to systems. But the machines themselves still allow users to log in with an expired password (if they have logged into it prior to it expiring - like... when it is the user's day to day machine).
    • Admin
      Admin over 13 years
      If you don't mind my asking...what's the purpose of forcing them to change their passwords periodically? What scenario does this protect against?
    • Windos
      Windos over 13 years
First and foremost, audit requirements. Second, and somewhat tied into the first point, it's a huge security hole if someone's password is leaked, and if they are forced to be changed then a leaked password is only good for a max of 42 days. We're in a medium sized enterprise environment, fyi.
    • Admin
      Admin over 11 years
      "Hey look, a stolen password. Eh, I'll sit on it a couple of months before I use it. No rush."
    • Oliver Salzburg
      Oliver Salzburg almost 11 years
      @Kyralessa For authentication the username and a hashed version of the password are transmitted over the network. So someone could capture that information. Due to the hashing algorithm used, it is reasonable to assume that a valid input for the password hash can be computed within 90 days. So passwords need to be changed at regular intervals.
    • Dawn Benton
      Dawn Benton over 8 years
      For what it's worth (not much since it really doesn't help), I've never seen this behavior in an active directory environment. From 2000 AD all the way up to 2012 R2, and at least from Windows XP to Windows 10, an expired password has always forced changing password at next logon automatically. I checked Group Policy, and I can't even find a way to disable this behavior. This is literally the raison d'être for the "expiration" configuration -- to force the password to be changed periodically.
    • Dawn Benton
      Dawn Benton over 8 years
      The only thing I can think of, and this is real slim, maybe just quickly verify replication is working between multiple DCs. I suppose it could be possible that when the password expired, the force password change flag got set, but maybe didn't replicate to the DC that's authenticating the user? That's really the only thing I can think of and that's a slim guess.
  • user232105
    user232105 over 12 years
    Windos, Would you happen to have a copy of the script you used?
  • Windos
    Windos over 12 years
@John, unfortunately no. I wasn't the one to write it and the person who did is still on leave.
  • Windos
    Windos almost 11 years
That's great if we're a small site and actively checking each user to see if their account has expired. Unfortunately we're a 500+ seat site and we're needing a way of ensuring the OS/AD forced users to change their passwords at the appropriate time rather than just letting it expire but still be used despite the reduced network access it grants them.
  • Arnaud Nouard
    Arnaud Nouard about 10 years
Run this PowerShell command and you can force all your domain users in an OU to change password: Get-ADUser -Filter * -SearchBase "OU=IT,DC=corp,DC=top-password,DC=com" | Set-ADUser -ChangePasswordAtLogon:$true