Tuesday, July 30, 2013

Windows 2008 R2 Password Notification causes more issues than helps

With Windows 7 / 2008 R2 Microsoft changed the way password notifications look. 

After upgrading from PS 4.5 to XenApp 6.5 we fairly quickly found that the default password expiration notification changed from 14 days down to only 5 days. This doesn't work well in an environment where part-time workers may be off a week at a time. No problem, set the GPO and mark it for 14 days, right... One would think.

Unfortunately, MS changed the popup.

This presents 2 issues in my environment:
  • The popup doesn't display for long enough  (this can be corrected via GPO)
    • Users tend to miss it
    • Or ignore it
  • CTRL+ALT+END doesn't work for our Citrix sessions. 
    • When connected through the web interface it just doesn't do anything
    • When connected from a thin client (Wyse and HP clients) it disconnects the session  ACK!

In our case when connecting from:
  • Thin Client - CTRL+ALT+DEL works fine...
  • Web Interface - CTRL+F1 works

After messing around with several options I ended up opting for the following:

With a slight amount of modification to the message you can make it fit your scenario.
I then added it to GPO as a user configuration logon script.  With this I added the GPO Loopback mode as "Merge" and applied the policy to the machines that needed it (Citrix, RDS / Terminal Services, others)
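
A logon script of the kind described above, as an added example and not the author's original script. It assumes PowerShell logon scripts are permitted by the GPO and that the domain exposes the `msDS-UserPasswordExpiryTimeComputed` attribute; the function names, the 14-day threshold variable and the message wording are illustrative.

```powershell
# Added example (not the post's script): warn at logon when the password is near expiry.
$WarnDays = 14   # assumption: the 14-day window the post wants

function Get-PasswordExpiryFileTime {
    # Read the logged-on user's computed expiry time from AD (constructed attribute).
    $filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$env:USERNAME))"
    $searcher = [adsisearcher]$filter
    [void]$searcher.PropertiesToLoad.Add('msDS-UserPasswordExpiryTimeComputed')
    $result = $searcher.FindOne()
    if ($null -eq $result) { return $null }
    $values = $result.Properties['msds-userpasswordexpirytimecomputed']
    if ($values.Count -eq 0) { return $null }
    return [int64]$values[0]
}

function Get-DaysUntilExpiry {
    param([int64]$FileTime, [datetime]$Now = (Get-Date))
    # 0 = must change at next logon; Int64.MaxValue = password never expires.
    if ($FileTime -le 0 -or $FileTime -eq [int64]::MaxValue) { return $null }
    $expires = [datetime]::FromFileTime($FileTime)
    return [int][math]::Floor(($expires - $Now).TotalDays)
}

$fileTime = Get-PasswordExpiryFileTime
if ($null -ne $fileTime) {
    $days = Get-DaysUntilExpiry -FileTime $fileTime
    if ($null -ne $days -and $days -ge 0 -and $days -le $WarnDays) {
        # Key combinations are the ones the post found to work per client type.
        $msg = "Your password expires in $days day(s).`n`n" +
               "To change it now:`n" +
               "  Thin client: press CTRL+ALT+DEL`n" +
               "  Web Interface: press CTRL+F1"
        $shell = New-Object -ComObject WScript.Shell
        # Timeout 0 keeps the dialog open until the user clicks OK;
        # 48 = OK button with the exclamation icon.
        [void]$shell.Popup($msg, 0, 'Password expiration', 48)
    }
}
```

Because the dialog waits for a click, it avoids the short-lived balloon that users miss or ignore.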

Who would have thought that something as simple as "changing your password" would be such a nuisance and so poorly implemented by Microsoft.

