Maximum Password age


  • I want to lengthen the maximum age from 60 to 90 days. Would this global change trigger a password expiry event in its own right? In other words, if an account had 10 days left on the 60 day rule, would it now have 40 days left or would it been deemed expired, require a change and then the 90 day countdown begins?
    Friday, June 28, 2013 6:55 PM


  • No, extending the maximum age, will not trigger any early expiry.

    The password age is calculated as the difference between when-password-last-changed & maximum-allowed-age.

    At each logon/authentication, the comparison is performed (if a DC is available).

    Similarly, the requirement for password-complexity, or password-history, is only effective when undergoing a password-change.

    PS: even though you use GP to apply such settings, it's really more of a DirectoryServices question :)

    lots of info around, but for this type of topic, I check the MS AskDS blog:

    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Saturday, June 29, 2013 6:54 AM