In an Active Directory domain you can configure a password expiration policy that forces users to change their password once it is older than the maximum age.
What happens when a user's password expires in Active Directory? The account is neither locked nor disabled, but the user must set a new password at the next interactive logon, where Windows shows the message: Your password has expired and must be changed.
Until the password is changed, new logons with the expired password are refused: an interactive logon on a domain computer prompts for the change, while a network logon (for example, a Kerberos authentication request) fails with an expired-password error. Sessions that were already established before the expiration keep working until they end.
Maximum Password Age in Default Domain Group Policy
You can configure password expiration settings for domain users using Group Policy:
- Open the Group Policy Management Console (gpmc.msc);
- Right-click on the Default Domain Policy and select Edit;
- Go to the GPO section: Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy;
- The maximum password age in days is set in the “Maximum password age” parameter. If the user password is older than this value, his password is considered expired;
- You can change the maximum password age (1 to 999 days) or set it to 0; in that case user passwords in the domain never expire. Note that the domain password policy is taken only from the GPO linked at the domain root (by default, the Default Domain Policy); the same settings in a GPO linked to an OU affect only the local accounts of the computers in that OU.
You can get the user password expiration date with the command Get-ADUser from PowerShell AD module:
Get-ADUser -Identity username -Properties msDS-UserPasswordExpiryTimeComputed | Select-Object -Property Name, @{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_.'msDS-UserPasswordExpiryTimeComputed')}}
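The one-liner above breaks on two common edge cases: for an account with “Password never expires” (or when the effective maximum age is 0) the DC returns the sentinel 0x7FFFFFFFFFFFFFFF, which [datetime]::FromFileTime() cannot convert, and for an account flagged “User must change password at next logon” (pwdLastSet = 0) it yields a meaningless 1601-01-01 date. The following script is an added example, not code from the original article; it reads the effective domain policy, classifies every enabled user by expiry state and handles both edge cases. The function name, parameter names and the 14-day warning window are assumptions for illustration. Because msDS-UserPasswordExpiryTimeComputed is calculated by the DC from the policy that actually applies to the user (including any Fine-Grained Password Policy), it is preferred over adding the domain maximum age to pwdLastSet yourself.

```powershell
Import-Module ActiveDirectory

# Effective domain-wide policy; a MaxPasswordAge of 0 means passwords never expire.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy

# Sentinel the DC returns in msDS-UserPasswordExpiryTimeComputed when the password never
# expires (PasswordNeverExpires flag set, or an effective maximum password age of 0).
$NeverExpiresSentinel = [int64]::MaxValue   # 0x7FFFFFFFFFFFFFFF

function Get-PasswordExpiryReport {
    # Hypothetical helper (added example). WarnDays mirrors the interactive-logon warning window.
    param(
        [int]$WarnDays = 14,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    $props = 'PasswordNeverExpires', 'pwdLastSet', 'msDS-UserPasswordExpiryTimeComputed'
    $now   = Get-Date

    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $props |
        ForEach-Object {
            $raw    = $_.'msDS-UserPasswordExpiryTimeComputed'
            $expiry = $null

            if ($_.PasswordNeverExpires -or $raw -eq $NeverExpiresSentinel) {
                $status = 'NeverExpires'
            }
            elseif ($_.pwdLastSet -eq 0 -or -not $raw) {
                # pwdLastSet = 0 is "User must change password at next logon";
                # FromFileTime(0) would print 1601-01-01, so report it explicitly.
                $status = 'MustChangeAtNextLogon'
            }
            else {
                $expiry = [datetime]::FromFileTime($raw)
                $status = if ($expiry -le $now) { 'Expired' }
                          elseif ($expiry -le $now.AddDays($WarnDays)) { 'ExpiringSoon' }
                          else { 'OK' }
            }

            [pscustomobject]@{
                Name           = $_.Name
                SamAccountName = $_.SamAccountName
                Status         = $status
                ExpiryDate     = $expiry
                DaysLeft       = if ($expiry) { [math]::Floor(($expiry - $now).TotalDays) } else { $null }
            }
        }
}

# Usage: show the domain maximum age, then the accounts that need attention, soonest first.
"Domain MaxPasswordAge: $($domainPolicy.MaxPasswordAge)"
Get-PasswordExpiryReport -WarnDays 14 |
    Where-Object { $_.Status -in 'Expired', 'ExpiringSoon', 'MustChangeAtNextLogon' } |
    Sort-Object DaysLeft |
    Format-Table -AutoSize
```

Pipe the output to Export-Csv or a mail cmdlet if you want to warn users who rarely log on interactively and therefore never see the GPO reminder described next.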
You can notify your Active Directory users when their password is about to expire using a special GPO option:
- Switch to the GPMC console and edit the Default Domain Policy;
- Expand the following GPO section: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options;
- Find the policy named “Interactive Logon: Prompt user to change password before expiration”;
- Enable this policy and set the number of days (14 days by default) to start to notify the user of upcoming password expiration.
- If the user's password is due to expire within the specified number of days, the user sees the following reminder after logging on to any domain computer:
Consider changing your password
Your password will expire in 4 days. To change your password, press CTRL+ALT+DELETE and then click “Change a password”
Set Custom Password Expiration Policy for Specific Users Only Using Fine-Grained Password Policy
Prior to Windows Server 2008, only one password policy could be configured per domain, and it applied to all users. Starting with the Windows Server 2008 domain functional level, you can assign different password settings, including no expiration at all, to specific users or global security groups with Fine-Grained Password Policy (PSOs can be applied to users and global security groups, not to OUs). For example, suppose you want to set a password never expires policy for the Domain Admins group.
- Run the Active Directory Administration Center console;
- Go to the System section, click on Password Settings Container and select New > Password Settings;
- In the policy settings, specify its name and uncheck the option Enforce maximum password age;
- Then, in the Directly Applies To section, add the group to which the policy should apply (in this example, the Domain Admins group).
- Save the policy.
In addition, you can configure Fine Grained Password Policies with custom password expiration settings and apply new PSOs (Password Setting Objects) to a user group using PowerShell.
Create a domain Active Directory group to which you want to apply the PSO custom object:
Import-Module ActiveDirectory
New-ADGroup -Path "OU=Groups,OU=Texas,OU=US,DC=theitbros,DC=com" -Name "grp_StrongPasswordExpirationPSO" -GroupScope Global -GroupCategory Security
Add users to the group to which you want to apply your custom PSO:
Add-ADGroupMember grp_StrongPasswordExpirationPSO -Members user1,user2,user3
Let's say the goal is to set up a strict password policy for some users. In the settings of this password policy, we will specify a maximum password age of 14 days and a minimum of 1 day. Both parameters are TimeSpan values, so pass them in days.hours:minutes:seconds form; a bare integer such as 14 would be interpreted as 14 ticks, not 14 days:
New-ADFineGrainedPasswordPolicy -Name "StrongPasswordExpirationPSO" -MinPasswordAge "1.00:00:00" -MaxPasswordAge "14.00:00:00" -Precedence 1 -Verbose
And the last step. You need to apply the new password expiration fine grained policy to the security group:
Add-ADFineGrainedPasswordPolicySubject -Identity "StrongPasswordExpirationPSO" -Subjects grp_StrongPasswordExpirationPSO
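After linking a PSO it is worth verifying which policy actually governs each user, because the resolution rules are easy to get wrong: a PSO applied directly to a user wins over any group PSO, among several group PSOs the one with the lowest Precedence value wins, and a user covered by no PSO falls back to the Default Domain Policy. The script below is an added example, not part of the original article; it inventories all PSOs with their subjects and reports the resultant policy for each member of the group created above. The function names are assumptions for illustration; the cmdlets are the standard ActiveDirectory module ones.

```powershell
Import-Module ActiveDirectory

# Every PSO in the domain, lowest Precedence first (the winner when several apply),
# with the users and groups each one is applied to.
function Get-PsoInventory {
    # Hypothetical helper name (added example).
    Get-ADFineGrainedPasswordPolicy -Filter * |
        Sort-Object Precedence |
        Select-Object Name, Precedence, MinPasswordAge, MaxPasswordAge, MinPasswordLength, ComplexityEnabled,
            @{ Name = 'AppliesTo'
               Expression = { (Get-ADFineGrainedPasswordPolicySubject -Identity $_.DistinguishedName).Name -join ', ' } }
}

# Resultant policy for each user member of a group (nested groups included).
# Get-ADUserResultantPasswordPolicy returns nothing when no PSO applies, which means
# the Default Domain Policy is in force for that user.
function Get-EffectivePasswordPolicyReport {
    # Hypothetical helper name (added example).
    param([Parameter(Mandatory)][string]$GroupName)

    $domainPolicy = Get-ADDefaultDomainPasswordPolicy

    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $pso = Get-ADUserResultantPasswordPolicy -Identity $_.DistinguishedName
            if ($pso) {
                $source = $pso.Name
                $prec   = $pso.Precedence
                $min    = $pso.MinPasswordAge
                $max    = $pso.MaxPasswordAge
            }
            else {
                $source = 'Default Domain Policy'
                $prec   = $null
                $min    = $domainPolicy.MinPasswordAge
                $max    = $domainPolicy.MaxPasswordAge
            }
            [pscustomobject]@{
                User           = $_.SamAccountName
                PolicySource   = $source
                Precedence     = $prec
                MinPasswordAge = $min
                MaxPasswordAge = $max
            }
        }
}

# Usage: list all PSOs, then flag any group member NOT governed by the new PSO
# (for example, because a lower-Precedence PSO on another group wins for that user).
Get-PsoInventory | Format-Table -AutoSize
Get-EffectivePasswordPolicyReport -GroupName 'grp_StrongPasswordExpirationPSO' |
    Where-Object { $_.PolicySource -ne 'StrongPasswordExpirationPSO' } |
    Format-Table -AutoSize
```

An empty second table means every member of the group is governed by StrongPasswordExpirationPSO; any row it does print names a user whose effective policy comes from somewhere else and needs a look at the PSO precedence values.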
You can disable password expiration for a specific user by setting the “Password never expires” option in the user's account properties in AD. This option is the DONT_EXPIRE_PASSWD flag (0x10000) in the userAccountControl attribute, and it overrides both the domain password policy and any PSO applied to the user. You can enable it through the MMC Active Directory Users and Computers snap-in (Find user > Properties > Account tab > check the “Password never expires” option under the Account options section).
You can enable the password never expires flag for a specific user using PowerShell:
Set-ADUser -Identity M.Becker -PasswordNeverExpires $true -Verbose
Or you can use a simple AD LDAP filter to set password never expires for multiple user accounts at once. In this example, we set the PasswordNeverExpires option for all US users from the DevOps department:
Import-Module ActiveDirectory
Get-ADUser -LDAPFilter '(Department=*DevOps*)' -SearchBase "OU=US,DC=theitbros,DC=com" | Set-ADUser -PasswordNeverExpires $true
You can export a list of users with password never expires option enabled to a CSV file:
Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -Properties PasswordNeverExpires | Select-Object DistinguishedName, Name, Enabled | Export-Csv c:\PS\password_never_expires.csv -NoTypeInformation
Domain password expiration policy applies only to users, but not domain computers.
There is a separate policy for domain computers that controls how often a domain member changes its machine account password. The policy is called Domain member: Maximum machine account password age, located in the GPO section: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options. The password change is fully automatic and is performed by the NETLOGON service on the computer itself, by default once every 30 days; you can use this policy to increase or decrease the interval (from 1 to 999 days). Note that the change is initiated by the client and the domain controller never enforces the interval: a computer that has been offline longer than the interval simply rotates its password at the next contact, so machine account passwords do not “expire” the way user passwords do. Problems arise only when the password stored locally and the one in the Active Directory database diverge, typically after the computer is rolled back to a snapshot or restored from a backup taken before its last password change. In that case you cannot log on to the computer as a domain user and get the error The trust relationship between this workstation and the primary domain failed.
If you want to disable machine account password changes completely (for example, for non-persistent VDI images that are reset to a master snapshot), enable the Domain member: Disable machine account password changes policy.
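The two “Domain member:” policies above are implemented by Netlogon service parameters on the client, and the symptom they relate to (the broken trust relationship) is something you will want both to detect in advance and to repair without rejoining the computer to the domain. The script below is an added example, not code from the original article. It reads the effective Netlogon settings on the local machine, lists computer accounts whose password in AD is much older than the policy interval (a sign of machines that have been offline or were restored from an old image), and wraps the standard Test-ComputerSecureChannel / Reset-ComputerMachinePassword repair flow. The registry value names MaximumPasswordAge and DisablePasswordChange under the Netlogon Parameters key are the ones backing the two policies; the function names and the 30-day grace margin are assumptions for illustration.

```powershell
Import-Module ActiveDirectory

# Effective Netlogon settings behind the two "Domain member:" GPO options on this computer.
# MaximumPasswordAge is in days (default 30); DisablePasswordChange = 1 disables rotation.
$netlogon = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$maxDays  = if ($netlogon.MaximumPasswordAge) { [int]$netlogon.MaximumPasswordAge } else { 30 }
$disabled = [bool]$netlogon.DisablePasswordChange
"Machine password interval: $maxDays days; rotation disabled: $disabled"

# Computer accounts whose AD password is older than the interval plus a grace margin.
# Because the DC never forces the change, these are machines that have not contacted
# the domain for a long time (offline, decommissioned, or restored from an old snapshot).
function Get-StaleMachinePasswords {
    # Hypothetical helper name (added example).
    param([int]$PolicyDays = 30, [int]$GraceDays = 30)

    $cutoff = (Get-Date).AddDays(-($PolicyDays + $GraceDays))
    # A missing PasswordLastSet also sorts below the cutoff and is worth reviewing.
    Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
        Where-Object { $_.PasswordLastSet -lt $cutoff } |
        Select-Object Name, PasswordLastSet, LastLogonDate, OperatingSystem |
        Sort-Object PasswordLastSet
}

# Repair flow to run ON the affected computer as a local administrator, with domain
# credentials allowed to reset the computer object's password. Repairing the secure
# channel avoids leaving and rejoining the domain.
function Repair-MachineSecureChannel {
    # Hypothetical helper name (added example).
    param(
        [Parameter(Mandatory)][string]$Server,          # a domain controller to talk to
        [Parameter(Mandatory)][pscredential]$Credential
    )

    if (Test-ComputerSecureChannel -Server $Server -ErrorAction SilentlyContinue) {
        return 'SecureChannelOK'
    }
    # -Repair resets the machine account password on both sides using the supplied credentials.
    if (Test-ComputerSecureChannel -Repair -Server $Server -Credential $Credential -ErrorAction SilentlyContinue) {
        return 'Repaired'
    }
    # Fallback: force a new machine password and push it to the DC.
    Reset-ComputerMachinePassword -Server $Server -Credential $Credential
    return 'PasswordReset'
}

# Usage (domain side): report computers that have not rotated their password on time.
Get-StaleMachinePasswords -PolicyDays $maxDays -GraceDays 30 | Format-Table -AutoSize

# Usage (broken client): Repair-MachineSecureChannel -Server 'dc01.theitbros.com' -Credential (Get-Credential)
```

The stale-password report is also a cheap hygiene check: a computer object whose password has not changed in many months is usually a machine that no longer exists, and such accounts should be disabled or removed rather than left as valid credentials in the directory.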