Windows – Force user to change AD password at logon before Explorer loads

Tags: active-directory, password-policy, remote-desktop-services, windows, xenapp

Background:

In our environment, users log onto a Windows 7 PC and then launch a full-screen Citrix XenApp (same as Microsoft RDSH) desktop. Citrix Receiver with single sign-on is used to launch the XenApp desktop. All work is done within the XenApp desktop. The XenApp servers are not necessarily in the same AD site as the Windows 7 machines.

We enforce password expiry every 30 days. Windows 7 and above prompt the user to reset their password via a balloon message in the notification area. This causes us two problems as detailed below:

Problems

1) Users change their password on their Windows 7 machine whilst already logged into Citrix XenApp, for example by pressing C+A+D. The XenApp desktop session is still authenticated using their old password. They then get problems within XenApp as obviously they cannot authenticate with IIS servers, SQL Servers etc.

2) Users change their password within their XenApp session. This means that their Windows 7 machine is still authenticated using their old password. They can fix this by locking the screen and unlocking it with their new password, however unfortunately this breaks the Single Sign On process of the Citrix client, so if they need to relaunch Citrix XenApp for any reason they cannot, unless they log off Windows 7 and then back on (this guy has the same problem http://discussions.citrix.com/topic/333487-published-desktop-with-receiver-password-changing/).

The crux of the problem is that users are able to change their password once the shell has already loaded. We did not have this problem when the end-user machines ran Windows XP. I think this was because Windows XP prompted the user to change password immediately after logon, before explorer.exe launched.

Question(s):

  • Can we configure Windows 7 to prompt the user to change their
    password prior to the shell loading?
  • If not, is there a third-party
    piece of software that can help us with this? Presumably any
    organisation that uses Windows 7 and above and also a RDSH/Citrix
    desktop will have a similar problem.

Best Answer

As a workaround, you can disable notifications for passwords which are going to expire soon; this way, the users will only be notified of expired passwords when they are actually expired, and will thus be forced to change them upon logging on to their systems.

This can be configured via GPO: https://technet.microsoft.com/en-us/library/ee829687%28v=ws.10%29.aspx.
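The GPO named in the answer ("Interactive logon: Prompt user to change password before expiration") is backed by the `PasswordExpiryWarning` DWORD under the Winlogon key. The following PowerShell script is an added example, not part of the original answer or of any Citrix/Microsoft tooling: it reads that value on a machine so you can audit whether the balloon warning is already suppressed, and optionally writes it for a lab test. The `-Apply` and `-Days` parameters and the function name are this example's own choices. The default warning period quoted in the comments (5 days on Windows 7) is an assumption about the OS default; check it against your build.

```powershell
# Added example (not from the original answer): audit, and optionally set, the
# registry value behind the GPO
#   "Interactive logon: Prompt user to change password before expiration".
# Location: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning
# Value    = number of days before expiry that the notification balloon appears.
#            0 suppresses the balloon, so users are only prompted at logon once
#            the password has actually expired (the behaviour the answer relies on).

param(
    [switch]$Apply,     # write the value instead of only reporting it
    [int]$Days = 0      # 0 = no pre-expiry balloon
)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName = 'PasswordExpiryWarning'

# Returns the configured warning period in days, or $null when the value is absent
# (in which case the OS default, assumed to be 5 days on Windows 7, is in effect).
function Get-PasswordExpiryWarning {
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

$current = Get-PasswordExpiryWarning
if ($null -eq $current) {
    Write-Output "$ValueName is not set; the OS default warning period applies."
} elseif ($current -eq 0) {
    Write-Output "$ValueName = 0: pre-expiry balloon disabled; users are prompted at logon once the password has expired."
} else {
    Write-Output "$ValueName = $current: balloon shown $current day(s) before expiry, so users can still change the password mid-session."
}

if ($Apply) {
    # Writing the value directly is fine for a lab machine. On domain-joined PCs set it
    # through the GPO instead: Group Policy re-applies its own value at the next refresh
    # and would silently overwrite a manual change.
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Days -Type DWord
    Write-Output "Set $ValueName to $Days; takes effect at the next logon."
}
```

Run it without parameters from an elevated prompt to report the current state (`.\Check-PasswordExpiryWarning.ps1`), or with `-Apply -Days 0` on a test machine to reproduce the GPO's effect before rolling the policy out. Note that suppressing the balloon does not stop a user from changing the password voluntarily via Ctrl+Alt+Del, so the two "old password still cached" problems in the question only go away for the expiry-driven case.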