locked
Forcing user to change password on next logon RRS feed

  • Question

  • Hello,

    I attempted using the sample at http://msdn.microsoft.com/en-us/library/bb720782.aspx to force user to change the password on next logon. Although it seems to work for all the users, it doesn't provide correct behavior for default administrator account. For all the users except the default administrator, it forces to change the password on next logon. However for default administrator, during logon, it prompts saying "Your password expires today, do you want to change it now" with yes/no buttons and hence one can skip by clicking No. Further, even after a day or two passes, it still continues to provide a choice to skip changing the password.

    Is there a way to *hard force* default administrator to change the password without giving a choice of skipping it?

    Thanks.
    -Prasad

     

    Wednesday, September 30, 2009 6:37 AM

All replies

  • Hi,

    Why do you want to do this?

    Please provide some information!

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Sunday, October 4, 2009 10:11 AM
  • Hello,

    Well, that doesn't really answer my question. It doesn't work as it claims for the default administrator user.

    I am using sysprep to clone the images and all of them have same passwords. Hence, when any user attempts to login to the cloned system, I want to force changing the password. I am doing that using the sample given at the MS URL. It works as expected for all users except default administrator. Hence my question.

    Thanks

    -Prasad

     

    Wednesday, October 7, 2009 10:14 AM
  • Hi, 

    check this: http://support.microsoft.com/kb/296999

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Sunday, October 11, 2009 10:50 AM
  • Hello,

    I looked at the KB, however, I am not sure if it's relevent here. My code is running as a default administrator and setting the flag on the default administrator  account saying "User must change password on next logon". Doesn't default administrator has enough privileges to do so? I tried to run my code as SYSTEM user also with the same behavior.

    The main point is, it's not *enforcing* it for the default administrator and instead giving a chance to skip it, whereas for additional administrators, it works perfectly fine.

    It seems to me that default administrator is treated specially by the OS?

    Thanks.
    -Prasad
    Monday, October 12, 2009 7:20 AM
  • Hi again:

    The built-in administrator (the one used to bypass
    UAC elevations, including to perform higher actions), 
    is harder to change, since its built-in and set as 
    a default SYSTEM user on the PC. 

    However, I can easy identify this thread, are your trying to HACK or
    remove the current and default built-in administrator?

    Because, as far as I can see this, 
    a hacker or a person who wants the 
    code fixed by somebody else, 
    does it so he/she can perform illegal actions. 

    Do you want to change that account and 
    replace it with your own, so you can skip UAC prompts?

    Please explain further information...WHY DO YOU WANT TO DO THIS?

    Have a nice day...

    Best regards,
    Fisnik  


    Coder24.com
    Monday, October 12, 2009 4:51 PM
  • Hello,

    AFAIK, SYSTEM user and default administrator (which is typically named administrator but may be renamed) are two different users. I don't understand where does hacking, removing default built-in administrator, illegal actions come in to picture here. Either I am not putting forward the question correctly OR you are not understanding my question.

    My question is very simple. The MS article that I pointed to viz. http://msdn.microsoft.com/en-us/library/bb720782.aspx works as expected for *additional administrators* (the ones which are not built in and instead explicitly added later on and added to a group named Administrators. Again the Administrators group also may be renamed) and/or *ordinary users* but does not work as expected for the *default administrator* (user account named administrator unless it's renamed).

    I already answered "WHY DO YOU WANT TO DO THIS" question earlier in the thread. Let me repeat it again for you: "I am using sysprep to clone the images and all of them have same passwords. Hence, when any user attempts to login to the cloned system, I want to force changing the password. I am doing that using the sample given at the MS URL. It works as expected for all users except default administrator. Hence my question.".

    Thanks.
    -Prasad

    Tuesday, October 13, 2009 12:54 PM
  • Hi again:

    In Windows Vista, is the SYSTEM user which is used to bypass the UAC elevation.
    However, for the standard built-in admin, I am NOT sure if you can reset the 
    password on it. 

    As far as I know: I do not think that you can reset a password on a built-in administrator like the one 
    in Windows Vista or Windows 7. 

    Have a nice day...

    Best regards,
    Fisnik  
    Coder24.com
    Tuesday, October 13, 2009 4:58 PM
  • Hi Prasad:

    How is the situation on your side?
    Is this thread solved or NOT?
    Please provide me some information!

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Wednesday, October 21, 2009 6:02 PM
  • Hi Prasad:

    How is the situation on your side?
    Is this thread solved or NOT?

    Please tell me!

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Friday, November 13, 2009 7:49 PM
  • Hello,

    I gave up on this one. Windows seems to special case *default administrator* as far as "User must change password on next logon" setting goes.

    If "User must change password on next logon" setting is enabled for the default administrator, Windows prompts to change  the password on next logon but *doesn't enforce* it. It says, "Your password expires today, do you want to change it now" with yes/no button and one can go on skipping it on eveyr logon by saying "No".

    However, for additional (non-default) administrators, it *does enforce* it and you don't have a choice to skip it by saying "No". This is true in all flavors of Windows right from Windows NT 4.0 to Windows 7.

    Thanks.
    -Prasad
    • Proposed as answer by Fisnik Hasani Sunday, November 15, 2009 5:07 PM
    Saturday, November 14, 2009 12:30 PM

  • However, for additional (non-default) administrators, it *does enforce* it and you don't have a choice to skip it by saying "No". This is true in all flavors of Windows right from Windows NT 4.0 to Windows 7.

    Thanks.
    -Prasad

    Hello:

    *SORRY* PRESSED WRONG BUTTON!

    Anyway, I do not think that Windows NT 4.0 had such functionality, however, for Windows XP, Windows Vista and Windows 7
    you have the same.

    Have  a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Sunday, November 15, 2009 5:08 PM
  • Hello,

    Windows NT 4.0 does have notion of additional administrators and I do observe the same behavior like other Windows flavors i.e. behavior that I mentioned on first post on this forum thread.

    Thanks.
    -Prasad
    Monday, November 16, 2009 2:47 AM
  • Hi again:

    How is the situation on your side?
    Is this thread solved?

    Please tell me!

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Sunday, December 27, 2009 10:18 AM
  • We decided to live with Windows limitation of special casing default administrator. IMO, this is bad, since there is absolutely no way to *force* (i.e. not give any choice to skip changing password) default administrator to change the password on next logon.

    Thanks.
    -Prasad

    Monday, December 28, 2009 1:13 PM
  • Hi Prasad:

    Is this thread solved or NOT?
    Please tell me!

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Saturday, January 2, 2010 2:17 PM