Channel: Directory Services forum

Be careful of "Prompt user to change password before expiration" policy -- it's counting the days wrong!!


After several tests, I'm pretty sure that the policy "Interactive logon: Prompt user to change password before expiration" is counting the wrong days. (Note: this policy is in Windows Settings > Security Settings > Local Policies > Security Options.) So I think I should post this in the forum in the hope that it could be helpful to others in the same case as me, esp. if the policy is pushed out as a domain-wide policy.

First, the context of the test, ie domain-wide policy settings:
1. Password minimum age = 2 days
2. Password maximum age = 4 days
3. Prompt user to change password before expiration = 2 days

If everything is going fine, users will be asked to change their password when it is changeable (i.e. it has reached the minimum age). However, it turns out that users are prompted BEFORE they can change their password. Look at the image below that I got in Win7:

(In WinXP, we have similar prompt when user has just logged in)

Look at the clock: it's 13:16 (04/12/2013). Then look at the DOS window in which I ran the "net user /domain" command and read the line "Password expires": it shows 06/12/2013 18:09:04.

A little math would tell me that if users are prompted to change password *2 days* before expiration, the dialog will appear ONLY AFTER 04/12/2013 18:09:04. But since the prompt is shown at 13:16 (i.e. well before 18:09), that means the "Prompt user...." policy makes mistakes in calculating the moment to show the prompt.

In other words, if we have the policy set like this:
     Prompt user to change password before expiration = N days
The prompt will actually appear from N+1 days before expiration.

I would consider this a bug, but I also suppose it's hard to make Microsoft fix it. So that's why I make this post to warn others. In my case, I have received several calls from users complaining that they were prompted to change password but their new passwords were always refused and they had no idea what went wrong. And it took me a lot of effort to sort out what really went wrong. And in order to work around this stupid bug, I have to change the "Prompt user...." policy to N-1 days (before expiration) instead of N days previously.

Hope this helps
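As an added example (PowerShell written for this page, not code from the post above), here is a check that reproduces the poster's arithmetic for any combination of minimum age, maximum age and prompt value: it computes when a password becomes changeable, when it expires and when the prompt starts, and flags the overlap described above. The function names, the ISO-formatted sample dates and the `PromptOffsetDays` parameter (which models the post's observation that the prompt appears from N+1 days out rather than N) are assumptions of this example; the sample figures are reconstructed from the post (maximum age 4 days, expiry 06/12/2013 18:09:04, so the password was last set 02/12/2013 18:09:04).

```powershell
# Added example, not from the original post. Assumed names: Get-PasswordPromptWindow,
# Get-SafePromptDays, PromptOffsetDays. PromptOffsetDays = 1 encodes the post's
# observation that "N days before expiration" fires from N+1 days before expiration.

function Get-PasswordPromptWindow {
    param(
        [Parameter(Mandatory)][datetime] $PasswordLastSet,
        [Parameter(Mandatory)][timespan] $MinPasswordAge,   # "Minimum password age"
        [Parameter(Mandatory)][timespan] $MaxPasswordAge,   # "Maximum password age"
        [Parameter(Mandatory)][int]      $PromptDays,       # "Prompt user to change password before expiration"
        [int]      $PromptOffsetDays = 1,                   # observed extra day (assumption from the post)
        [datetime] $Now = (Get-Date)
    )
    $changeable = $PasswordLastSet + $MinPasswordAge
    $expires    = $PasswordLastSet + $MaxPasswordAge
    $promptFrom = $expires.AddDays(-($PromptDays + $PromptOffsetDays))

    [pscustomobject]@{
        PasswordLastSet        = $PasswordLastSet
        ChangeableAfter        = $changeable
        Expires                = $expires
        PromptStarts           = $promptFrom
        # True when the prompt can show while a new password would still be refused by minimum age
        PromptBeforeChangeable = ($promptFrom -lt $changeable)
        PromptedNow            = ($Now -ge $promptFrom -and $Now -lt $expires)
        CanChangeNow           = ($Now -ge $changeable)
    }
}

# Largest prompt value that never fires before the password becomes changeable,
# given the observed offset. With min 2 / max 4 / offset 1 this returns 1,
# matching the N-1 workaround in the post.
function Get-SafePromptDays {
    param(
        [Parameter(Mandatory)][timespan] $MinPasswordAge,
        [Parameter(Mandatory)][timespan] $MaxPasswordAge,
        [int] $PromptOffsetDays = 1
    )
    $gapDays = ($MaxPasswordAge - $MinPasswordAge).TotalDays
    [int][math]::Max(0, [math]::Floor($gapDays) - $PromptOffsetDays)
}

# Constructed sample: the post's domain policy and the instant shown on its screenshot.
$policy = @{
    MinPasswordAge = [timespan]::FromDays(2)
    MaxPasswordAge = [timespan]::FromDays(4)
}
$sample = Get-PasswordPromptWindow @policy -PasswordLastSet '2013-12-02T18:09:04' `
                                           -PromptDays 2 -Now '2013-12-04T13:16:00'
$sample | Format-List
# Expect: PromptBeforeChangeable True, PromptedNow True, CanChangeNow False

"Safe prompt value for this policy: $(Get-SafePromptDays @policy) day(s)"

# Against a live domain (ActiveDirectory module, default domain policy only;
# fine-grained password policies are not considered here):
#   $p = Get-ADDefaultDomainPasswordPolicy
#   Get-ADUser -Filter { Enabled -eq $true } -Properties PasswordLastSet |
#     Where-Object PasswordLastSet |
#     ForEach-Object {
#         Get-PasswordPromptWindow -PasswordLastSet $_.PasswordLastSet `
#             -MinPasswordAge $p.MinPasswordAge -MaxPasswordAge $p.MaxPasswordAge -PromptDays 2
#     } | Where-Object PromptedNow -and { -not $_.CanChangeNow }
```

The check only models timing; it does not change any policy. If `PromptBeforeChangeable` is true for your settings, lower the prompt value to what `Get-SafePromptDays` returns, or widen the gap between minimum and maximum age, before users start reporting refused password changes.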


