
Interactive logon: Prompt the user to change password before expiration

Domains have a maximum password age that requires users to change their passwords on a regular basis. This setting determines how many days before expiration computers begin prompting users, at logon, to change their password. If undefined, this policy defaults to 14 days.

Note: Like all “Interactive logon:” policies, this policy is a workstation-level policy. It needs to be defined in a GPO that gets applied to workstations, such as the Default Domain Policy. If you only configure this policy on the domain controllers, such as with the Default Domain Controllers Policy, you will only affect users logging on at the console of a domain controller. You should also configure this policy on Terminal Servers accessible to end users.

Bottom line

Configure this policy in conjunction with the domain’s maximum password age. For instance, if you force users to change their password every 30 days, the default 14-day value for this policy would result in users being prompted to change their password when the current password has only reached half its lifetime. In such a case you would probably reduce the value to 4 or 5 days. Normally you won’t increase this setting higher than 14 days. 14 days is a good value for catching people the day before they leave on 2-week vacations and perhaps pre-empting the problem of an expired password on their return.
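As an added example (not from the WinSecWiki page), the following PowerShell check reads the effective warning window from the Winlogon registry value behind this policy on the machine it runs on and compares it with the domain’s maximum password age, applying the guidance above. The 40% cut-off for “prompting too early” is an assumption chosen to catch the 14-of-30-days case; the Get-ADDefaultDomainPasswordPolicy call assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example (not WinSecWiki code). Run on a workstation or Terminal Server,
# since "Interactive logon:" policies take effect where users log on.

function Get-PasswordExpiryWarningDays {
    # Registry value the policy writes; Windows uses 14 days when it is undefined.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $item = Get-ItemProperty -Path $key -Name PasswordExpiryWarning -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 14 }
    return [int]$item.PasswordExpiryWarning
}

function Test-PasswordExpiryWarning {
    param(
        [Parameter(Mandatory)][int]$WarningDays,
        [Parameter(Mandatory)][int]$MaxPasswordAgeDays
    )
    $findings = @()
    $percent  = 0
    if ($MaxPasswordAgeDays -le 0) {
        $findings += 'Domain passwords never expire; the warning window has no effect.'
    }
    else {
        $percent = [math]::Round(100 * $WarningDays / $MaxPasswordAgeDays)
        # Assumed cut-off: a window covering 40% or more of the lifetime (e.g. 14 of 30 days)
        # prompts users for roughly half the password's life; consider 4 or 5 days instead.
        if ($percent -ge 40) {
            $findings += ('Warning window of {0} days covers {1}% of the {2}-day lifetime; ' +
                          'reduce it.') -f $WarningDays, $percent, $MaxPasswordAgeDays
        }
    }
    if ($WarningDays -gt 14) {
        $findings += "Warning window of $WarningDays days exceeds the usual 14-day ceiling."
    }
    [pscustomobject]@{
        WarningDays        = $WarningDays
        MaxPasswordAgeDays = $MaxPasswordAgeDays
        PercentOfLifetime  = $percent
        Compliant          = ($findings.Count -eq 0)
        Findings           = $findings
    }
}

$warning = Get-PasswordExpiryWarningDays
# Maximum password age from the default domain policy; fine-grained policies may override it.
$maxAge  = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
Test-PasswordExpiryWarning -WarningDays $warning -MaxPasswordAgeDays $maxAge | Format-List
```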
