Windows users who logon to their system with a local logon account or a domain logon account are familiar with the password expiry notifications. These messages alert the user of password expiry in advance so that he can change it before its expiry. But how it works on your computer? Can you configure its day settings as per your wish? Here are the answers.
How does Windows Logon Mechanism Work?
In all recent Windows as well as Windows Server versions, it is mandatory to validate user identity to log on to a system. A successful logon comprises authentication, a user action and authorization, a software action.
Authentication
Authentication is a user action. The user supplies his log on credentials (user name and password).
Authorization
In authorization, the software (after checking the authentication credentials) decides if the user is authorized access the resources.
Interactive Log on – Using Local User Account or Domain User Account
Interactive Logon is possible when a user logs on to computer using a Local User Account or Domain user account.
Local User Account
A local user account is created in the Security Accounts Manager (SAM) of the local computer. Its user information is stored in local computer registry only, even if it is a network computer. Users have access to local resources only.
Domain User Account
A domain user account is created in the Active Directory of the domain. The computer evidently is a network computer, and users have access both to the resources of the local system and the domain.
How password expiry notifications work in interactive logon?
Password expiry, implemented for security reasons, forces users to change their passwords periodically. It is expected that all users change their passwords prior to its expiry so that they do not have to depend on IT help desk or administrator for password resetting. Windows operating system, from Windows 98 version onwards, owns the facility to remind users of the imminent password expiry in advance. This default facility works as such unless your AD administrator configures it differently. Administrators can set password expiry and its configurations using AD facilities. Otherwise you can edit some of the interactive logon policies by yourself.
‘How many days in advance users need to be reminded of password expiry’ - set it yourself
With administrative rights there with you, you can set how many days in advance the reminder message should appear (provided AD administrator has not done it). This is done using the Local Group Policy Editor of your system. This is how you can do it:
Click Start > Run, and enter gpedit.msc
When the Group Policy Editor appears, expand its nodes Computer Configuration, Windows Settings, Security Settings, and Local Policies; select Security Options.
Open the policy ‘Interactive Logon: Prompt user to change password before expiration.’
You can see a default value for this setting. Change the value as per your requirement and click Apply.
Note: to know more about this setting, just click the Explain This Setting tab.
If required, you can try modifying some more Interactive logon settings. More about each setting can be learned from Explain This Setting tab of the corresponding policy window.
How Administrators can configure password settings?
Active Directory administrators can use Group Policy Settings to configure many password related policies at the domain level.
Lepide User Password Expiration Reminder - Automate Password Expiry Email notifications
Lepide User Password Expiration Reminder (LUPER) is a professional tool that makes password management easy for Administrators. Apart from notifying users of password expirations in advance, it prepares many comprehensive password related reports that are extremely helpful for administrators. It minimizes password expiry related disarrays, and reduces the work load of administrators and IT help desks.
Blog Summary
It is a good practice to reset user passwords periodically as it improves the overall security of systems as well as domains. To enforce such a habit in the organization, administrators need effective password expiration reminder tools like LUPER. This tool makes it easy to notify password expirations, and also gives all password related information at administrators’ fingertips to lessen their workload.