Posted by: David | October 22, 2010

Windows 7 Password Expiry Reminders : Workaround

As I am sure people are becoming aware, Windows 7 password expiry reminders are somewhat unreliable. Usually they will manage to flash up in the corner of the screen for a couple of seconds during the 14 days before your password expires.

If you are lucky and don’t happen to be blinking at the time, you may see this reminder and be able to reset your password in time.

I got fed up with resetting user passwords because they didn’t see the reminders, so I found a workaround. This comes in the flavour of a quick VBS script to show a message box on screen if your password is due to expire, and also a new group policy to apply this as a login script to users on Windows 7 based machines (nice use of WMI filtering here).

First the VBS script: (passexpiry.vbs)
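' passexpiry.vbs - logon script: warn the user when their password is close to expiring
On Error Resume Next
Dim objNetwork, objUser, PassExp
Const WarnDays = 14 ' assumed warning window, matching the 14-day reminder period described above

Set objNetwork = CreateObject("WScript.Network")
' Bind to the logged-on user's account through the WinNT provider
Set objUser = GetObject("WinNT://" & objNetwork.UserDomain & "/" & objNetwork.UserName & ",user")

' MaxPasswordAge and PasswordAge are in seconds; 86400 seconds = 1 day
PassExp = Int(objUser.MaxPasswordAge / 86400) - Int(objUser.PasswordAge / 86400) - 1

' Show the message box only if the lookup succeeded and we are inside the warning window
If (Err.Number = 0 And PassExp >= 0 And PassExp <= WarnDays) Then
    WScript.Echo "Your password is due to expire in " & PassExp & " day(s)"
End If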

This was copied up to the \\domain.local\netlogon folder so that everybody could access it. This can also be saved into the policy folder under the sysvol share, however I don’t like my scripts scattered across lots of folders with long GUID names which mean nothing to me.

Then a new WMI filter needs to be created to restrict this policy to Windows 7 based machines. Create a new WMI filter (I called mine Windows 7).

Windows 7 WMI GPO Filter

So add a query for the namespace root\CIMv2

Query:

select * from Win32_OperatingSystem
		where Version like "6.1%" and ProductType = "1"

Here Win32_OperatingSystem will return a Version of 6.1 for both Windows 7 and Server 2008 operating systems, so we also need to make sure ProductType is set to 1 so that we only pick up workstation-based operating systems.

Set the WMI filter on the new group policy and also apply it to the Domain Computers security group.

Group Policy Creation - Link WMI filter

Now for the settings of the Group Policy. First, because this policy is going to be applied to the computer the user logs in to but the script runs as a user setting, we need to enable “User Group Policy loopback processing mode” in “Merge” mode.

This is set under:
Computer Configuration
Administrative Templates
System
Group Policy
User Group Policy loopback processing mode : Enabled (Mode : Merge)

Then we need to set the policy to apply the user logon script. This is done here:
User Configuration
Windows Settings
Scripts (Logon / Logoff)
Logon
Add script \\domain.local\netlogon\passexpiry.vbs

Now you should have a policy which looks like this:

Windows 7 Password Notify Group Policy

That’s it, sit back and enjoy once again users resetting their own passwords. I am still looking for a way to trigger the reset password screen from the popup box, if anyone knows how to do this please let me know!! 🙂
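The check from passexpiry.vbs as an added PowerShell example (not code from the original post), extended to the cases the one-line calculation does not cover, including the never-expiring account reported in the responses below. The function name, its parameters, the 14-day window and the treatment of a non-positive maximum age as "no expiry" are assumptions, and the sample accounts are constructed.

```powershell
# Added example. Function name, parameter names and sample accounts are
# hypothetical; only the WinNT attributes come from the post's script.
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # UserFlags bit: password never expires

function Get-PasswordExpiryNotice {
    param(
        [long]$MaxPasswordAge,   # seconds, as returned by the WinNT provider
        [long]$PasswordAge,      # seconds since the last password change
        [int]$UserFlags,
        [int]$WarnDays = 14      # assumed warning window
    )
    # Never-expiring accounts and a non-positive maximum age get no notice.
    if ($UserFlags -band $ADS_UF_DONT_EXPIRE_PASSWD) { return $null }
    if ($MaxPasswordAge -le 0) { return $null }
    # Same arithmetic as the VBS script: whole days of max age minus whole days used, minus 1.
    $daysLeft = [int]([math]::Floor($MaxPasswordAge / 86400.0) - [math]::Floor($PasswordAge / 86400.0) - 1)
    if ($daysLeft -lt 0)         { return 'Your password has expired.' }
    if ($daysLeft -gt $WarnDays) { return $null }
    return "Your password is due to expire in $daysLeft day(s)"
}

# Constructed sample accounts (not real data), one per branch.
$day = 86400
$samples = @(
    @{ Name = 'normal';       Max = 42 * $day; Age = 10 * $day;  Flags = 0x200 }
    @{ Name = 'expiring';     Max = 42 * $day; Age = 38 * $day;  Flags = 0x200 }
    @{ Name = 'neverexpires'; Max = 42 * $day; Age = 41 * $day;  Flags = 0x10200 }
    @{ Name = 'nomaxage';     Max = 0;         Age = 400 * $day; Flags = 0x200 }
    @{ Name = 'expired';      Max = 42 * $day; Age = 50 * $day;  Flags = 0x200 }
)
foreach ($s in $samples) {
    $notice = Get-PasswordExpiryNotice -MaxPasswordAge $s.Max -PasswordAge $s.Age -UserFlags $s.Flags
    '{0,-13} {1}' -f $s.Name, $(if ($notice) { $notice } else { '(no notice)' })
}

# Live use in a logon script: read the same attributes the post's VBS reads.
# $u = [ADSI]"WinNT://$env:USERDOMAIN/$env:USERNAME,user"
# Get-PasswordExpiryNotice $u.MaxPasswordAge.Value $u.PasswordAge.Value $u.UserFlags.Value
```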


Responses

  1. This looks like it will be a great help but I was wondering how could the WMI be adapted to include Vista machines also.

  2. Hi Ally,

    If you set your WMI Filter Query to:

    select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "1"

    This would include Windows Vista and Windows 7. Hope that helps.

    Thanks

    David

  3. Hi David

    I have tried your solution but have a bit of a problem, as it has just told one of my users whose password never expires that it runs out in 1 day.

    I am looking into this and if I get a solution I will post back.

    Just thought I should let you know.

    Ally


