Interactive log on: Prompt the user to change passwords before expiration

Applies to

  • Windows 10

This article describes the best practices, location, values, policy management, and security considerations for the Interactive logon: Prompt user to change password before expiration security policy setting.

Reference

This policy setting determines when users are warned that their passwords are about to expire. This warning gives users time to select a strong password before their current password expires to avoid losing system access.

Possible values

  • A user-defined number of days from 0 through 999
  • Not defined

Best practices

  • Configure user passwords to expire periodically. Users need warning that their password is going to expire, or they might get locked out of the system.
  • Set Interactive logon: Prompt user to change password before expiration to five days. When their password expiration date is five or fewer days away, users will see a dialog box each time that they log on to the domain.
  • When you set the policy to zero, users get no password expiration warning when they log on. During a long-running logon session, the warning appears on the day the password expires or after it has already expired.

Location

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options

Default values

The following table lists the default values for this policy. Default values are also listed on the policy’s property page.

Server type or Group Policy Object          | Default value
Default Domain Policy                       | Not defined
Default Domain Controller Policy            | Not defined
Stand-Alone Server Default Settings         | Five days
DC Effective Default Settings               | Five days
Member Server Effective Default Settings    | Five days
Client Computer Effective Default Settings  | Five days

Policy management

This section describes features and tools that you can use to manage this policy.

Restart requirement

None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.

Policy conflict considerations

None.

Group Policy

Use the Group Policy Management Console (GPMC) to configure this policy setting and distribute it through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, it can be configured on the local computer through the Local Security Policy snap-in.

Security considerations

This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and possible negative consequences of the countermeasure.

Vulnerability

If user passwords are configured to expire periodically in your organization, users need to be warned before expiration. Otherwise, they may inadvertently get locked out of their devices.

Countermeasure

Configure the Interactive logon: Prompt user to change password before expiration setting to five days.
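
To check whether a computer actually has the five-day countermeasure applied, the following added example (not part of the original article or Microsoft's own tooling) reads the effective value and classifies it against the documented range of 0 through 999. It assumes the setting is stored as the PasswordExpiryWarning registry value under the Winlogon key, which the article does not state; the function name Get-PasswordExpiryWarningStatus is hypothetical.

```powershell
# Added example: audit the password-expiry warning window on the local computer.
# Assumption: the setting is stored as the PasswordExpiryWarning DWORD under the
# Winlogon key below; the article itself does not give a registry location.
$KeyPath     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName   = 'PasswordExpiryWarning'
$Recommended = 5     # days, the article's best practice and countermeasure
$MaxAllowed  = 999   # upper bound of the documented value range

function Get-PasswordExpiryWarningStatus {
    param(
        [string]$Path = $KeyPath,
        [string]$Name = $ValueName
    )

    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Nothing configured: corresponds to "Not defined" in the policy editor.
        $days   = $null
        $state  = 'NotDefined'
        $detail = 'No value configured; the effective default applies.'
    }
    else {
        $days = [long]$item.$Name
        if ($days -lt 0 -or $days -gt $MaxAllowed) {
            $state = 'OutOfRange'; $detail = "Value is outside 0 through $MaxAllowed."
        }
        elseif ($days -eq 0) {
            # Zero disables the logon-time warning entirely.
            $state = 'NoWarning'; $detail = 'Users get no expiration warning at logon.'
        }
        elseif ($days -lt $Recommended) {
            $state = 'BelowRecommended'; $detail = "Warning window is shorter than $Recommended days."
        }
        elseif ($days -eq $Recommended) {
            $state = 'Recommended'; $detail = "Matches the $Recommended-day countermeasure."
        }
        else {
            $state = 'AboveRecommended'; $detail = "Warning window is longer than $Recommended days."
        }
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME; Days = $days; State = $state; Detail = $detail
    }
}

Get-PasswordExpiryWarningStatus | Format-List
```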

Potential impact

Users see a dialog box that prompts them to change their password each time that they log on to the domain when their password is configured to expire in 5 or fewer days.