Interactive log on: Prompt the user to change passwords before expiration
Applies to
- Windows 11
- Windows 10
This article describes the best practices, location, values, policy management, and security considerations for the Interactive logon: Prompt user to change password before expiration security policy setting.
Reference
This policy setting determines when users are warned that their passwords are about to expire. This warning gives users time to select a strong password before their current password expires to avoid losing system access.
Possible values
- A user-defined number of days from 0 through 999
- Not defined
Best practices
- Configure user passwords to expire periodically. Users need warning that their password is going to expire, or they might get locked out of the system.
- Set Interactive logon: Prompt user to change password before expiration to five days. When their password expiration date is five or fewer days away, users will see a dialog box each time that they log on to the domain.
- When you set the policy to zero, users get no password expiration warning when they log on. During a long-running logon session, the user gets the warning on the day the password expires or after it has already expired.
Location
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
Default values
The following table lists the default values for this policy. Default values are also listed on the policy’s property page.
| Server type or Group Policy Object | Default value |
|---|---|
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Not defined |
| Stand-Alone Server Default Settings | Five days |
| DC Effective Default Settings | Five days |
| Member Server Effective Default Settings | Five days |
| Client Computer Effective Default Settings | Five days |
Policy management
This section describes features and tools that you can use to manage this policy.
Restart requirement
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
Policy conflict considerations
None.
Group Policy
Configure this policy setting by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, it can be configured on the local computer through the Local Security Policy snap-in.
Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and possible negative consequences of the countermeasure.
Vulnerability
If user passwords are configured to expire periodically in your organization, users need to be warned before expiration. Otherwise, they might inadvertently get locked out of their devices.
Countermeasure
Configure the Interactive logon: Prompt user to change password before expiration setting to five days.
Potential impact
Users see a dialog box that prompts them to change their password each time that they log on to the domain when their password is configured to expire in 5 or fewer days.