# Server 2003: Password expiration?



## STAW (May 15, 2008)

Some of my users are getting a prompt to change their passwords at logon that they shouldn't be getting. I'm trying to figure out what's causing it. They shouldn't be getting prompted to change their passwords before they expire (that's disabled in group policy), but I think they might be anyways. Unfortunately, every time I find out about one of these, the user has already changed their password.

Therefore, I'm wondering if there's a way to check AD to see when the user's _previous_ password would have expired, had it been allowed to. Any ideas?


----------



## StumpedTechy (Jul 7, 2004)

I can't think of anything that will allow you after the fact. Is there any way you can verify vrs ones set to expire and run the report daily and see who may get the prompt? Usually the prompt comes up 7 days before it will expire so you should have a few days to be able to track down people with this problem.


----------



## longshanks13 (Apr 21, 2009)

Hi Staw,

I'm not sure how to resolve your issue but you could try downloading AD Manager as it has some very good AD tools & reports. There is a section on User Passwords and you can run all manner of reports:

- Password Expired Users
- Soon-to-expire User Passwords
- Password Changed Users
- Users With Change Password At Next Logon etc....

It might be of some help to you!

http://www.manageengine.com/products/ad-manager/download-free.html

Hope this helps.


----------



## STAW (May 15, 2008)

AD Manager doesn't look like it would suit my needs, especially the free version. My domain is much larger than 100 objects.

As to the idea of running a nightly report, that would give me a heads up as to who was about to expire, but it wouldn't tell me whether or not they get the prompt or when they get it. The only way I could get that information would be to contact the users, who in this case are personnel that rarely use the network and are difficult to reach consistently by phone.

In my research thus far I haven't been able to find anything with remotely the functionality that I'm looking for. I'm currently looking into PowerShell to see if it could tap into the AD objects for these users and reveal some properties I haven't seen yet.


----------
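
The nightly report discussed above, as an added example that is not part of any post in this thread: AD overwrites `pwdLastSet` when a password changes, so the script writes a dated CSV of each user's computed expiry, and the previous day's file still shows when the old password would have expired. It assumes PowerShell 2.0 or later on a domain-joined machine and a single domain-wide password policy; `C:\Reports` and the file name are hypothetical.

```powershell
# Added example: nightly snapshot of password expiry per user (not from the thread).
$outDir = 'C:\Reports'   # hypothetical output folder; must already exist

$domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$domain   = [ADSI]"LDAP://$domainDn"

# Domain policy: maxPwdAge is a negative count of 100-ns ticks.
$ds = New-Object System.DirectoryServices.DirectorySearcher($domain)
$ds.SearchScope = 'Base'
$ds.Filter = '(objectClass=*)'
[void]$ds.PropertiesToLoad.Add('maxpwdage')
$maxPwdAge = [int64]$ds.FindOne().Properties['maxpwdage'][0]
if ($maxPwdAge -eq 0 -or $maxPwdAge -eq [int64]::MinValue) {
    throw 'Domain policy sets no maximum password age; nothing expires.'
}

# Enabled users whose passwords can expire (skip ACCOUNTDISABLE = 2 and
# DONT_EXPIRE_PASSWORD = 65536 in userAccountControl).
$ds = New-Object System.DirectoryServices.DirectorySearcher($domain)
$ds.PageSize = 1000      # paged search, needed above 1000 results
$ds.Filter = '(&(objectCategory=person)(objectClass=user)' +
             '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
             '(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))'
[void]$ds.PropertiesToLoad.Add('samaccountname')
[void]$ds.PropertiesToLoad.Add('pwdlastset')

$now  = Get-Date
$rows = $ds.FindAll() | ForEach-Object {
    $set = [int64]0
    if ($_.Properties['pwdlastset'].Count -gt 0) {
        $set = [int64]$_.Properties['pwdlastset'][0]
    }
    $row = @{ User = [string]$_.Properties['samaccountname'][0]; Snapshot = $now }
    if ($set -eq 0) {
        # pwdLastSet = 0 means "must change password at next logon":
        # the user is prompted regardless of the expiry policy.
        $row.PwdLastSet = $null; $row.Expires = $null; $row.DaysLeft = $null
        $row.MustChangeAtLogon = $true
    } else {
        $expires = [DateTime]::FromFileTime($set - $maxPwdAge)
        $row.PwdLastSet = [DateTime]::FromFileTime($set); $row.Expires = $expires
        $row.DaysLeft = [math]::Floor(($expires - $now).TotalDays)
        $row.MustChangeAtLogon = $false
    }
    New-Object PSObject -Property $row
}

$file = Join-Path $outDir ('pwd-expiry-{0:yyyyMMdd}.csv' -f $now)
$rows | Select-Object User, PwdLastSet, Expires, DaysLeft, MustChangeAtLogon, Snapshot |
    Sort-Object Expires | Export-Csv -Path $file -NoTypeInformation
```

Comparing a user's row in the snapshot taken before the change with the `PwdLastSet` value recorded after it shows whether the change happened on or before the old expiry date.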



## Jbumpus (Mar 17, 2009)

Have you run RSOP.msc on the computers of the users that are getting prompted for the password change? That will show you what group policy and local settings are being applied to that machine and you can see if perhaps it's been set in the local security policy.


----------



## STAW (May 15, 2008)

The policy looks the same on everyone, as it's set at the domain level:
Interactive Logon: Prompt user (bla bla bla) password expiration is set to 0 days. I'm starting to think that the users just happen to be people who don't notice their password is going to expire (we have a system that sends e-mails when it's coming up) until they get that prompt on the day it expires. Unfortunately, the only way I can think to test it is to let my password expire. Which will be almost six months. Ugh.


----------



## StumpedTechy (Jul 7, 2004)

Wow 6 month+ expiration policy... That's no short timeframe.


----------

