none
GPO Password Expiration vs. Active Directory ADUC password expiration.

    Question

  • Say I have an Active Directory User account named JOE.  There is a domain policy that passwords must be changed every 6 months.  When I look at Joe's account in active directory users and computers it has a password expiration set on it for 1 year away. (Someone has manually set with the Account to Expire with the radio button in ADUC)

    Is Joe's password good for 6 months or is it good for 1 year?

    Friday, March 17, 2017 8:44 PM

Answers

  • Password expiration is different from account expiration. Unless you have fine grained password policy configured for Joe, the password will expire in 6 months, and Joe will need to change it then. But the account will expire after a year, and then be unusable, unless an admin changes or removes the account expiration.

    Edit: You do not see the max password age in the user account properties in ADUC. You must view the properties of the domain object for the domain settings, such as maxPwdAge.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)



    • Edited by Richard MuellerMVP Friday, March 17, 2017 8:53 PM
    • Proposed as answer by Todd Heron Friday, March 17, 2017 9:15 PM
    • Marked as answer by Dargonis Friday, March 17, 2017 9:16 PM
    Friday, March 17, 2017 8:50 PM

All replies

  • Password expiration is different from account expiration. Unless you have fine grained password policy configured for Joe, the password will expire in 6 months, and Joe will need to change it then. But the account will expire after a year, and then be unusable, unless an admin changes or removes the account expiration.

    Edit: You do not see the max password age in the user account properties in ADUC. You must view the properties of the domain object for the domain settings, such as maxPwdAge.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)



    • Edited by Richard MuellerMVP Friday, March 17, 2017 8:53 PM
    • Proposed as answer by Todd Heron Friday, March 17, 2017 9:15 PM
    • Marked as answer by Dargonis Friday, March 17, 2017 9:16 PM
    Friday, March 17, 2017 8:50 PM
  • Ahh, that's where I went wrong.. account vs. password expiration.  Thanks for the quick feedback!
    Friday, March 17, 2017 9:16 PM