
‘Consider’ changing your password?!

Many organisations use Group Policies to control the number of days a user is warned about a pending password change.  This may be once a year or once a month, depending on your security policies.  Windows XP prompted the user with a lovely little popup message that they were obliged to acknowledge upon logon, presenting them with an option to change their password. Great!  So where is this in Windows 7? It isn’t!  Apparently everyone @Microsoft logs onto their Windows 7 client and watches *stares at* the logon process, ready to receive balloon messages…<blink>.  Anyway, don’t they know that logon time is coffee time!

Once we started to roll out Windows 7 across the estate we soon noticed that users never ‘considered’ changing their password, causing a few support calls when they ran into password authentication issues.  There are several different ways of resolving this: user education, an increased notice period, or creating a custom popup that in some way mimics the old XP behaviour.

A way, although not the only way…

There are quite a few VBScripts out there that do a good job (goooogle PwExpChk.vbs, or look at the WMI class Win32_NetworkLoginProfile and its PasswordAge property) that you can add to a Run key or run as part of a logon script.  While this did provide a popup box stating the number of days remaining before expiry, we wanted more!  So out comes ‘AutoIt’; I’ve mentioned it before, but it is coo’ool.  For some reason I went with the WMI option over LDAP, but either way works.  With WMI you just subtract the PasswordAge value from a constant containing your maximum password age, whereas if you’ve looked at the VBScript you’ll see the LDAP route is a little more involved.

Many coffees later we have a popup box! Personalised to the user, stating the number of days remaining before their password expires.  Now you could argue that the effort to create this is misplaced and that we could have continued using the VBScript.  I don’t disagree in any way, but we did want more…

Building our little popup has enabled us to provide the user with links to useful information, such as “How to reset your password”, “Password Policy”, “IT Support Portals”; this may help with user education?  It also gave us the ability to change the style of popup depending on password age.

Additional advancements

The Windows XP password expiry reminder gave the user the option to change their password by clicking ‘Yes’ in the popup box.  This is the tricky part…which I don’t believe is possible (very happy for someone to prove me wrong!)…well, I’ve not found a way to script-initiate the ‘change password’ screen.  There is another option, though, which is not ideal but essentially produces the same effect.  We can add a ‘Yes / No’ option to our popup box; if a user clicks ‘Yes’ to reset their password we set their AD attribute ‘User must change password at next logon’ and initiate an automated logoff.  When the user logs back on they will be forced to change their password! Problem solved.

Who needs AD permissions to update the user’s AD attributes depends on how you are launching the Password Expiry Notification.  From my initial tests, if you’re launching it under the user’s own security context, then the user will require the following permissions on their own account:

Reset Password, Read pwdLastSet, and Write pwdLastSet
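The same flow in PowerShell, as an added example that is not the author’s AutoIt tool: it reads PasswordAge from Win32_NetworkLoginProfile, subtracts it from a constant maximum age, styles the popup by urgency, and on ‘Yes’ sets pwdLastSet to 0 (the ‘must change password at next logon’ flag) before logging the user off. The maximum age and warning window values are assumptions to be matched to your GPO, and the pwdLastSet write needs the permissions listed above when run in the user’s context.

```powershell
# Added example (not the post's own code). Assumed values: match them to your GPO.
param(
    [int]$MaxPasswordAgeDays = 90,   # assumed maximum password age
    [int]$WarnDays = 14              # assumed warning window before expiry
)

function Get-DaysUntilExpiry {
    param([TimeSpan]$PasswordAge, [int]$MaxAgeDays)
    # Maximum age minus current age, rounded down; negative means already expired
    return [math]::Floor($MaxAgeDays - $PasswordAge.TotalDays)
}

# Current user's login profile; Get-CimInstance exposes PasswordAge as a TimeSpan
$me = "$env:USERDOMAIN\$env:USERNAME"
$loginProfile = Get-CimInstance Win32_NetworkLoginProfile | Where-Object { $_.Name -eq $me }
if (-not $loginProfile -or $null -eq $loginProfile.PasswordAge) { return }  # e.g. local account
$days = Get-DaysUntilExpiry -PasswordAge $loginProfile.PasswordAge -MaxAgeDays $MaxPasswordAgeDays
if ($days -gt $WarnDays) { return }   # outside the warning window, stay quiet

# Style the popup by password age, as the post describes
$icon = if ($days -le 3) { 'Warning' } else { 'Information' }
$text = "Your password expires in $days day(s).`nChange it now? (You will be logged off.)"
Add-Type -AssemblyName System.Windows.Forms
$answer = [System.Windows.Forms.MessageBox]::Show($text, 'Password expiry', 'YesNo', $icon)

if ($answer -eq 'Yes') {
    # pwdLastSet = 0 is the 'User must change password at next logon' flag.
    # Writing it here requires the Reset Password / Write pwdLastSet rights above.
    $searcher = [adsisearcher]"(&(objectCategory=user)(sAMAccountName=$env:USERNAME))"
    $user = $searcher.FindOne().GetDirectoryEntry()
    $user.Put('pwdLastSet', 0)
    $user.SetInfo()
    shutdown.exe /l   # log off; the change-password screen appears at next logon
}
```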

Overall it works well!  I would be interested to know how other people implemented a workaround, even if you bought one of the many solutions that are out there.

About Ben Barlow

A London based Technical Design Authority.
