
While this may not be the most appropriate topic for the group, I'm hoping that this community may be able to help.

We have recently written a password management tool that changes our passwords in multiple systems. While this is not true SSO, it's being used as a syncing process for us between multiple Active Directories, Novell, Banner, Google, etc. as we migrate to one unified directory. The message then for password change is to redirect people to the website we have created to change their password.

Unfortunately, Windows is still performing the expired password prompts and prompting people to change their password in the active directory that the computer is bound/joined to. We can effectively block the option to change your password on the client, until your password expires.

I'm hoping that some of you have come across a similar problem and have figured out a solution. Ideally, we're looking for a GINA/Credential Provider or other method to redirect people to a website when attempting to change their password on Win XP/7.

Jeff Abernathy

Web Portal Programmer 
Information Technology Services
Saint Louis University


I don't believe there's currently any way to customize the password prompt. With Windows 8, Microsoft is providing for custom access denied error messages, so with this precedent, perhaps they'd be willing to add this capability in the future if enough customers gave that feedback.


As to the scenario, we don't allow users to reset their AD password. We've trained users that to change their password they go to our central account/password management interface. We've never gotten any tickets above our 1st tier helpdesk about this, and I'd be surprised to hear that there have been more than a few at the 1st tier.


We have talked about the possibility of leveraging the custom AD password filter to enable AD password changes at some point in the future. In that scenario, we'd write an AD custom password filter to leverage our central password mechanism. The filter would differentiate between password sets and password changes to avoid password propagation loops, i.e. pwd sets (originate from outside AD) would just be set, whereas a pwd change would get sent to the central mechanism, then assuming it passes the validity check would come back via a pwd set. But this has never been a high enough priority for us to actually pursue it.


Based on the lack of customer demand for AD integrated password changes here, I think we've probably prioritized this appropriately, but it's hard to know if the training prevents customers from voicing the request or if it really isn't something they care about. :)


To add to what Brian said, I'd remove the password expiry from your AD for normal users and roll the expiry notification and change functions into your custom password portal. If you're on Windows 2008 or better, you can use fine grained password policies to apply different policies (e.g. for admin/privileged accounts).



Brian Desmond


w – 312.625.1438 | c   – 312.731.3132
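The approach in the reply above (no AD expiry for normal users, a stricter policy for privileged accounts via fine-grained password policies) can be scripted with the ActiveDirectory PowerShell module. This is an added example, not code from the thread or from either poster; the PSO name, the group names and the sample account names are placeholders, and it assumes a domain functional level of Windows Server 2008 or later, which fine-grained password policies require.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module (RSAT)
# and a domain functional level of Windows Server 2008 or later, which is what
# fine-grained password policies require. PSO, group and account names are placeholders.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# 1. Stop AD from expiring passwords for ordinary users: a MaxPasswordAge of zero
#    in the default domain policy means "never expires", so the Windows logon
#    prompt no longer forces a change. Expiry notification moves to the portal.
Set-ADDefaultDomainPasswordPolicy -Identity $domain -MaxPasswordAge ([TimeSpan]::Zero)

# 2. Privileged accounts keep a strict expiry via a Password Settings Object (PSO).
#    When several PSOs cover one user, the lowest Precedence value wins.
$psoName = 'Privileged-Accounts-PSO'   # placeholder name
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MaxPasswordAge '60.00:00:00' -MinPasswordAge '1.00:00:00' `
        -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00'
}

# 3. Apply the PSO to the privileged groups (group names are placeholders).
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins', 'Enterprise Admins'

# 4. Verify which policy actually applies to a given account. The resultant
#    policy is $null when only the default domain policy applies to the user.
function Get-EffectiveMaxPasswordAge {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) { return $pso.MaxPasswordAge }
    return (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
}

# Placeholder accounts: an ordinary user should report a zero age, a member of
# a privileged group the 60-day age from the PSO.
Get-EffectiveMaxPasswordAge -SamAccountName 'jdoe'
Get-EffectiveMaxPasswordAge -SamAccountName 'adm-jdoe'
```

The verification step matters because PSOs apply to users and global security groups only, not to OUs, so an account that is not a member of a targeted group silently falls back to the default domain policy; checking the resultant policy per account catches that before the strict expiry is assumed to be in force.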