Configuring Domain Password Expiration Policy

In an Active Directory domain, you can configure a password expiration policy that forces users to change their password once it expires.

What happens when a user password expires in Active Directory? The user account is not locked out, but the user must change the password at the next logon and sees the message: "Your password has expired and must be changed".


Until the user changes his password, he won’t be able to access domain resources and computers.

Maximum Password Age in Default Domain Group Policy

You can configure password expiration settings for domain users using Group Policy:

  1. Open the Group Policy Management Console (gpmc.msc);
  2. Right-click on the Default Domain Policy and select Edit;
  3. Go to the GPO section: Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy;
  4. The maximum password age in days is set in the “Maximum password age” parameter. If the user password is older than this value, his password is considered expired;
  5. You can change the maximum password age or set it to 0 (in this case, user passwords in the domain never expire).

You can get a user's password expiration date with the Get-ADUser cmdlet from the RSAT AD PowerShell module (the hyphenated attribute name must be quoted when accessed as a property):

Get-ADUser -Identity username -Properties msDS-UserPasswordExpiryTimeComputed | Select-Object -Property Name, @{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_.'msDS-UserPasswordExpiryTimeComputed')}}
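As an added example that is not part of the original article, the function below builds on the same attribute to report every enabled user whose password expires within a given number of days (or has already expired), skipping accounts whose password cannot expire; the search base default and the export path are assumptions:

```powershell
# Added example: report users whose password expires within $WithinDays days.
# Assumes the RSAT ActiveDirectory module in a domain-joined session.
Import-Module ActiveDirectory

function Get-ExpiringPasswordReport {
    param(
        [int]$WithinDays = 14,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName   # assumption: search the whole domain
    )

    $now    = Get-Date
    $cutoff = $now.AddDays($WithinDays)

    # Enabled accounts only, and only those whose password can expire at all.
    # msDS-UserPasswordExpiryTimeComputed already reflects any PSO that applies to the user.
    Get-ADUser -Filter {Enabled -eq $true -and PasswordNeverExpires -eq $false} `
               -SearchBase $SearchBase `
               -Properties 'msDS-UserPasswordExpiryTimeComputed', PasswordLastSet |
      ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # 0 (no password set) or Int64.MaxValue (never expires) cannot be converted to a date
        if (-not $raw -or $raw -eq [Int64]::MaxValue) { return }
        $expiry = [datetime]::FromFileTime($raw)
        if ($expiry -le $cutoff) {
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                PasswordLastSet = $_.PasswordLastSet
                ExpiryDate      = $expiry
                DaysLeft        = [math]::Floor(($expiry - $now).TotalDays)   # negative = already expired
                Expired         = ($expiry -lt $now)
            }
        }
      } | Sort-Object ExpiryDate
}

# Usage: accounts expiring within 14 days, exported for the helpdesk (path is an assumption)
Get-ExpiringPasswordReport -WithinDays 14 |
    Export-Csv -Path 'C:\PS\expiring_passwords.csv' -NoTypeInformation
```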

You can notify your Active Directory users when their password is about to expire using a special GPO option:

  1. Switch to the GPMC console and edit the Default Domain Policy;
  2. Expand the following GPO section: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options;
  3. Find the policy named “Interactive Logon: Prompt user to change password before expiration”;
  4. Enable this policy and set the number of days (14 by default) before expiration at which the user starts to receive the notification;
  5. If the user's password expires in less than the specified number of days, the user sees the following reminder after logging on to any domain computer:

Consider changing your password

Your password will expire in 4 days. To change your password, press CTRL+ALT+DELETE and then click “Change a password”.


Set Custom Password Expiration Policy for Specific Users Only Using Fine-Grained Password Policy

Prior to Windows Server 2008, only one domain password policy could be configured, and it applied to all users. In modern versions of Windows Server, you can use a Fine-Grained Password Policy to give specific users or groups a different policy, including passwords that never expire. For example, you may want to apply a password-never-expires policy to the Domain Admins group.

  1. Run the Active Directory Administration Center console;
  2. Go to the System section, click on Password Settings Container and select New > Password Settings;
  3. In the policy settings, specify its name and uncheck the option Enforce maximum password age;
  4. Then, in the Directly Applies To section, add the group to which the policy should apply (in this example, the Domain Admins group);
  5. Save the policy.

In addition, you can create Fine-Grained Password Policies with custom password expiration settings and apply the new PSOs (Password Settings Objects) to a user group using PowerShell.

Create a domain security group to which you want to apply the PSO custom object:

Import-Module ActiveDirectory

New-ADGroup -Path "OU=Groups,OU=Texas,OU=US,DC=theitbros,DC=com" -Name "grp_StrongPasswordExpirationPSO" -GroupScope Global -GroupCategory Security

Add users to the group to which you want to apply your custom PSO:

Add-ADGroupMember grp_StrongPasswordExpirationPSO -Members user1,user2,user3

Let’s say the goal is to set up a strict password policy for some users. In this password policy, we will specify a maximum password age of 14 days and a minimum of 1 day (the age parameters take a TimeSpan, so pass the values in d.hh:mm:ss form; a bare integer would be interpreted as ticks):

New-ADFineGrainedPasswordPolicy -Name "StrongPasswordExpirationPSO" -MinPasswordAge "1.00:00:00" -MaxPasswordAge "14.00:00:00" -Precedence 1 -Verbose

And the last step: apply the new fine-grained password expiration policy to the security group:

Add-ADFineGrainedPasswordPolicySubject -Identity "StrongPasswordExpirationPSO" -Subjects grp_StrongPasswordExpirationPSO
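To confirm that the PSO really governs a member of the group, and that no per-user "Password never expires" flag overrides it, the following check is an added example rather than part of the original article; the user names are placeholders:

```powershell
# Added example: show which password policy (PSO or Default Domain Policy) applies to a user.
# Assumes the RSAT ActiveDirectory module; user names below are placeholders.
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties PasswordNeverExpires, PasswordLastSet
    # Returns the winning PSO (lowest precedence value), or nothing when no PSO applies
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user

    if ($pso) {
        $source = "PSO: $($pso.Name) (precedence $($pso.Precedence))"
        $maxAge = $pso.MaxPasswordAge
        $minAge = $pso.MinPasswordAge
    } else {
        $default = Get-ADDefaultDomainPasswordPolicy
        $source  = 'Default Domain Policy'
        $maxAge  = $default.MaxPasswordAge
        $minAge  = $default.MinPasswordAge
    }

    # A zero (or non-positive placeholder) maximum age means passwords under this policy never expire
    $maxAgeText = if ($maxAge -le [timespan]::Zero) { 'never expires' } else { $maxAge.TotalDays }

    [pscustomobject]@{
        User                 = $user.SamAccountName
        PolicySource         = $source
        MaxPasswordAgeDays   = $maxAgeText
        MinPasswordAgeDays   = $minAge.TotalDays
        PasswordNeverExpires = $user.PasswordNeverExpires   # per-user flag overrides any policy
        PasswordLastSet      = $user.PasswordLastSet
    }
}

# Compare a member of grp_StrongPasswordExpirationPSO with a user who gets the domain default
'user1', 'someone.else' | ForEach-Object { Get-EffectivePasswordPolicy -Identity $_ } | Format-Table -AutoSize
```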

You can disable password expiration for a specific user by setting the “Password never expires” option in the user properties in AD. You can enable this option through the ADUC console (find the user > Properties > Account tab > check the “Password never expires” option under the Account options section).


You can enable the password never expires flag for a specific user using PowerShell:

Set-ADUser -Identity M.Becker -PasswordNeverExpires $true -Verbose


Or you can use a simple AD LDAP filter to set password never expires for multiple user accounts. In this example, we are setting the PasswordNeverExpires option for all US users from the DevOps department:

Import-Module ActiveDirectory

Get-ADUser -LDAPFilter '(Department=*DevOps*)' -SearchBase "OU=US,DC=theitbros,DC=com" | Set-ADUser -PasswordNeverExpires:$True

You can export a list of users with password never expires option enabled to a CSV file:

Get-ADUser -Filter * -Properties Name, PasswordNeverExpires | Where-Object {
$_.PasswordNeverExpires -eq $true } | Select-Object DistinguishedName, Name, Enabled |
Export-Csv C:\PS\password_never_expires.csv -NoTypeInformation


The domain password expiration policy applies only to user accounts, not to domain computers.

There is a separate policy for domain computers that controls how often a domain member changes its machine account password. The policy is called Domain member: Maximum machine account password age and is located in the GPO section Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. The computer password change is fully automatic and is performed by the computer's NETLOGON service, by default once every 30 days. You can use this policy to increase or decrease this interval (from 1 to 999 days). If the computer password stored locally doesn’t match the password in the Active Directory database, you won’t be able to log in to the computer as a domain user; instead you get the error "The trust relationship between this workstation and the primary domain failed".

If you want to completely disable password changes for computer accounts, you need to enable the Domain member: Disable machine account password changes policy.
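Because a machine whose stored password has drifted from AD ends up with the trust relationship error above, it is worth finding computer accounts whose password is long overdue for rotation. The following audit is an added example, not part of the original article; the 30-day default matches the policy described above and the grace multiplier is an assumption:

```powershell
# Added example: list enabled computers whose machine account password is well past
# the configured maximum age. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-StaleMachinePasswords {
    param(
        [int]$MaxMachinePasswordAgeDays = 30,   # default of "Domain member: Maximum machine account password age"
        [int]$GraceMultiplier = 2               # assumption: only flag machines more than 2x overdue
    )
    $cutoff = (Get-Date).AddDays(-($MaxMachinePasswordAgeDays * $GraceMultiplier))

    Get-ADComputer -Filter {Enabled -eq $true} -Properties PasswordLastSet, OperatingSystem, LastLogonDate |
        Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
        Select-Object Name, OperatingSystem, PasswordLastSet, LastLogonDate,
            @{Name = 'PasswordAgeDays'; Expression = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays }} |
        Sort-Object PasswordLastSet
}

# Usage: machines that have not rotated their password in more than 60 days
Get-StaleMachinePasswords | Format-Table -AutoSize
```

Computers on this list are typically offline, decommissioned or out of sync; a machine that already shows the trust relationship error can have its secure channel reset locally with Test-ComputerSecureChannel -Repair run as an administrator.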

I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.
Cyril Kardashevsky
