Will setting PSO maxPasswordAge to -9223372036854775808 affect all users? RRS feed

  • Question

  • We are using ADFS to implement Single Sign On Solution. Our intended policy was to never expire the password. However we noticed that users are receiving password expiry page and decided to fix it. We changed our group policy setting maxPasswordAge to -9223372036854775808 (never). Still we get complaints that users are seeing password expiry, in fact, those who reset their password in the last couple of weeks. Will setting the maxpasswordage to -9223372036854775808  (never) will affect all users? Are we missing something? Please throw some light into this issue.

    Note: MinimumPasswordAge is set to 0:00:01:00. Verified that the resultantpso is the correct policy.
    • Edited by racheng Tuesday, March 19, 2013 12:09 AM Added more details
    Tuesday, March 19, 2013 12:07 AM


All replies

  • The password has to expire once before the new policy will apply, you can enforce this by setting the pwdLastSet to -1

    Enfo Zipper
    Christoffer Andersson – Principal Advisor - Directory Services Blog

    Tuesday, March 19, 2013 12:56 AM
  • Thanks. We already set the pwdLastSet to -1 for the password-expired users (not all users were affected), but left the other users untouched. Do you think that is the reason? I was trying to research when the setting will take effect. Is there any documentation for the above, which i can read further? Thanks for the help.
    Tuesday, March 19, 2013 2:43 AM
  • Hi,

    Thanks for posting your question in the forum.

    Please understand that MaxPasswordAge is not used to set "Password never expires". To enable "Password never expires", we need configure user's userAccountControl. For details, please refer to the following similar threads.

    Howto set the MaxPasswordAge to NEVER EXPIRES with New-ADFineGrainedPasswordPolicy

    How to set "msDS-MaximumPasswordAge" to "Password never expires" with PowerShell

    Hope this helps.

    Best Regards,

    Andy Qi

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

    Andy Qi
    TechNet Community Support

    Tuesday, March 19, 2013 9:09 AM
  • Thanks for the response. The links with in the both the threads, mention about setting the password never expires, in user account control. However there is no documentation on why the fine grained password policy will not work for "never expire". If there are any documentation, could you please post?

    Tuesday, March 19, 2013 4:06 PM
  • I don't believe that attribute is setable.  The list of available attributes is defined in the URL below:

    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4    Twitter @pbbergs

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, March 19, 2013 6:54 PM
  • I don't understand why you say it is not settable. When we set the maxpwdage value to the big negative no, in policy, it changes to never expire. What is the reason behind this? I don't know why there is no documentation on fine grained password policy for never expiring a password. It does not allow 0 as suggested by the documentation. Instead it needs a negative no! There is also very little on when does the changes to the policy, like this one, gets effective.
    • Edited by racheng Tuesday, March 19, 2013 8:17 PM More info
    Tuesday, March 19, 2013 8:17 PM
  • Yes so far I know this has to occur:

    1. You define a PSO that applies to the intended users with a maxPasswordAge to -9223372036854775808 (never) (Take replication into account, if you have a large topology)
    2. You have to set the 'pwdLastSet' to the same intended users as in step 1.
    3. Once a intended user in step 1. and 2. logs on the NEXT time (after step 1. and step 2.) it will be asked to change it's password one final time.
    4. Now the new PSO should be in place and all the users that gone truh step 1-3 should not need to change thier password anymore.

    Enfo Zipper
    Christoffer Andersson – Principal Advisor - Directory Services Blog

    Tuesday, March 19, 2013 8:37 PM
  • Thanks for the response. I don't read anywhere that users will be asked to change the password one last time. Is there any official documentation to it. Anyway, what is the best way to avoid this? Can i set the "Password never expire" for each user? Is there a way to set this flag for a group, so that any new users created will have "password never expires" enabled?
    Tuesday, March 19, 2013 8:55 PM
  • You can script the 'Password never expires' bit:

    Credits for the script goes to Richard Mueller:
    Option Explicit
    Dim objOU, objUser, intUAC
     Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
    ' Bind to specified OU.
     Set objOU = GetObject("LDAP://ou=Sales,ou=West,dc=MyDomain,dc=com")
    ' Filter on users in the OU.
     objOU.Filter = Array("user")
    For Each objUser In objOU
         ' Skip computer objects (which have class "User").
         If (objUser.Class = "user") Then
             intUAC = objUser.Get("userAccountControl")
             ' Check if "Password Never Expires" already set.
             If (ADS_UF_DONT_EXPIRE_PASSWD AND intUAC) = 0 Then
                 ' Set bit for "Password Never Expires".
                 objUser.Put "userAccountControl", intUAC OR ADS_UF_DONT_EXPIRE_PASSWD
             End If
         End If
    You can define a 'template' user with this bit set, and instruct people that create users to use the 'Copy' option on the existing template user while they create new accounts.

    Enfo Zipper
    Christoffer Andersson – Principal Advisor - Directory Services Blog

    Tuesday, March 19, 2013 9:02 PM
  • I believe if the ADS_UF_DONT_EXPIRE_PASSWD bit of the userAccountControl attribute of the user is set, this overrides the resultant PSO. Also, part of the confusion here is that the domain has a maxPwdAge attribute, but the op is referring to the msDS-MaximumPasswordAge attribute of PSO objects.

    Richard Mueller - MVP Directory Services

    Tuesday, March 19, 2013 9:03 PM
  • Thanks to both of you! I'm referring to maxpwdage of the pso. I verified that the resultantpso for each user is the correct pso with maxpwdage "neverexpire". Still there is no clear reason why this does not work. I'm not able to find any documentation that users should change password before the new policy (never expires) applies. Could you please point me to one? I've been searching.

    Regarding template for users, We create users through code. I thought we can set a property at group level, without any code change, so that new user created will have this flag enabled.
    • Edited by racheng Tuesday, March 19, 2013 9:51 PM Update
    Tuesday, March 19, 2013 9:47 PM
  • No you can't set the "Password Never Expires" flag to a group, you have to change the provisioning code for this, or setting it later by another additional process.

    Enfo Zipper
    Christoffer Andersson – Principal Advisor - Directory Services Blog

    Tuesday, March 19, 2013 9:50 PM
  • We are planning to set the "password never expires" for all users to true using powershell. Assuming this is done, will the users be receving password expiry notice still? Or they can log in with out changing their password?
    Wednesday, March 20, 2013 8:28 PM
  • They won't receving any password expire notice at all and they can logon without chaning thier password as it won't expire.

    Enfo Zipper
    Christoffer Andersson – Principal Advisor - Directory Services Blog

    Wednesday, March 20, 2013 9:01 PM