Configuring Domain Password Expiration Policy

In the Active Directory domain, a password expiration policy can be configured that forces the user to change the password when his password expires.

What happens when a user password is expires in Active Directory? The user account is not blocked, user must change password at next logon: Your password has expired and must be changed.

password expiration

Until the user changes his password, he won’t be able to access domain resources and computers.

You can configure password expiration settings for domain users using Group Policy.

  1. Open the Group Policy Management Console (gpmc.msc);
  2. Right click on the Default Domain Policy and select Edit; password age
  3. Go to the GPO section: Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy;
  4. The maximum password age in days is set in the “Maximum password age” parameter. If the user password older than this value, his password is considered expired;
  5. You can change max password age or set it to 0 (in this case, user passwords in the domain are never expired). maximum password age

You can get the user password expiration date with the command Get-ADUser from RSAT AD PowerShell module:

Get-ADUser –Identity username –Properties msDS-UserPasswordExpiryTimeComputed|Select-Object -Property Name, @{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_.msDS-UserPasswordExpiryTimeComputed)}}

powershell password expiration

Prior to Windows Server 2008, you can configure only one domain password policy for all users. However, in modern versions of Windows Server, you can specify that passwords are not expired for a specific users or group using the Fine-Grained Password Policy. For example, you want to set the password never expires policy for the Domain Admins group.

  1. Run the Active Directory Administration Center console;
  2. Go to the System section, click on Password Settings Container and select New > Password Settings; windows 10 password expiration
  3. In the policy settings, specify its name and uncheck the option Enforce maximum password age;
  4. Then, in the Direct Applies To section, you need to add the group on which the policy should apply (in this example, Domain Admin group). windows 10 disable password expiration
  5. Save the policy.

You can disable the password expiration for a specific user if you set the “Password never expires” option in user properties in AD. You can enable this option through the ADUC console (find user > properties > Account tab > check the “Password never expires” option under the Account options section)

windows password expiration

Domain password expiration policy applies only to users, but not domain computers.

There is a separate policy for domain computers that allows you to configure how often a domain member needs to change the password. The policy is called Domain member: Maximum machine account password age and is located in the GPO section: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. The process of changing the computer password is fully automatically and performed by the NETLOGON service of computer by default once every 30 days. You can use this policyto increase or decrease this interval (from 1 to 999 days). If the password of the computer that is stored locally doesn’t match the password in the Active Directory database, you won’t be able to login to the computer as a domain user with an error The trust relationship between this workstation and the primary domain failed.

If you want to completely disable password changes for computer accounts, you need to enable the Domain member: Disable machine account password changes policy.

Cyril Kardashevsky

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.