Understanding User Account Password Expiration

  • Question

  • Hello,

    In a domain, a User Account's password will expire based on Maximum Password Age set in the Domain Policy.  If I force a password change by setting the pwdLastSet to 0, how does this differ from a password expiring via Maximum Password Age?  Does the password expire the same way in Active Directory under both processes?

    Thanks in advance for the help.


    MTV99
    Thursday, March 10, 2011 3:38 PM

Answers

  • Take a look at the links below. They are in depth.

    Actually, we are changing the pwdLastSet attribute in both cases.

    http://blogs.technet.com/b/heyscriptingguy/archive/2005/07/06/how-can-i-cause-a-user-s-password-to-expire.aspx

    http://msdn.microsoft.com/en-us/library/ms974598.aspx

     

    Regards


    Awinish Vishwakarma| MY Blog

    Disclaimer : This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Proposed as answer by Mike Kline Thursday, March 10, 2011 5:00 PM
    • Marked as answer by mtv99 Thursday, March 10, 2011 6:31 PM
    Thursday, March 10, 2011 3:57 PM
  • Just to clarify, when you assign 0 to pwdLastSet, the user must change their password the next time they log on. Only when the user changes their password does the clock start for maximum password age. For example, if maximum password age is 45 days, you assign 0 to pwdLastSet today, but the user doesn't log on again for 100 days, the user will change their password at that time (100 days in the future), and the password will be good for the next 45 days. If instead the user logs on immediately after you set pwdLastSet to 0, their password will be expired and they must change it, no matter when they last changed it.

     


    Richard Mueller - MVP Directory Services
    • Proposed as answer by Mike Kline Thursday, March 10, 2011 5:00 PM
    • Marked as answer by mtv99 Thursday, March 10, 2011 6:31 PM
    Thursday, March 10, 2011 4:41 PM
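
The behaviour described in the answer above, modelled as an added example that is not part of the original thread: it evaluates raw pwdLastSet values (Windows FILETIME) against a maximum password age and replays the 45-day / 100-day scenario. The function names and the dates are constructed for illustration, and the single domain-wide maximum age is an assumption.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit: password never expires
TICK = timedelta(microseconds=1)


def filetime_to_dt(ft):
    """FILETIME (100 ns intervals since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    """Aware datetime -> FILETIME, using integer arithmetic only."""
    return ((dt - FILETIME_EPOCH) // TICK) * 10


def password_state(pwd_last_set, max_pwd_age, now, uac=0x200):
    """Return (state, expires_at) for one account.

    pwd_last_set: raw pwdLastSet; max_pwd_age: timedelta (zero = no expiry);
    uac: userAccountControl (default 0x200, a normal account).
    """
    if uac & DONT_EXPIRE_PASSWD:
        return ("never-expires", None)
    if pwd_last_set == 0:
        # Forced change: there is no timestamp to age from, so the
        # password counts as expired at the very next logon.
        return ("must-change-at-next-logon", None)
    if max_pwd_age <= timedelta(0):
        return ("never-expires", None)
    expires_at = filetime_to_dt(pwd_last_set) + max_pwd_age
    return ("expired" if now >= expires_at else "valid", expires_at)


def change_password(now):
    """A successful change stamps pwdLastSet with the current time."""
    return dt_to_filetime(now)


def replay_scenario():
    """Max age 45 days, pwdLastSet zeroed on day 0, next logon on day 100."""
    max_age = timedelta(days=45)
    day0 = datetime(2011, 3, 10, tzinfo=timezone.utc)  # constructed date
    logon = day0 + timedelta(days=100)
    before = password_state(0, max_age, logon)
    after = password_state(change_password(logon), max_age, logon)
    return before, after, (after[1] - day0).days  # days from day 0 to expiry
```
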

All replies

  • Thanks Awinish and Richard.

    From the review of the articles and the point Richard made here, pwdLastSet set to 0 expires a user account password, which is the same action/mechanism that occurs when the Maximum Password Age is reached. If this conclusion is incorrect, please comment.

    Thanks


    MTV99
    Thursday, March 10, 2011 5:17 PM