The default password policy for an Active Directory domain defines the maximum password age. This specifies how long passwords can be used before they expire. The value applies to all users in the domain, unless overridden by a Password Settings Object using Fine-Grained Password Policies.
The domain maximum password age is determined by the value of the maxPwdAge attribute. Only the domainDNS object that represents the domain in Active Directory has this attribute. The syntax is Integer8, also called LargeInteger. The value is a 64-bit integer representing time intervals in 100-nanosecond ticks. The value is always negative. For example, if the maximum password age in the domain is 10 days, then maxPwdAge will have the value:

maxPwdAge = (-1) x 10 days x 24 hours/day x 60 minutes/hour x 60 seconds/minute x 10,000,000 ticks/second = -8,640,000,000,000 ticks
The unusual format makes it difficult to work with directly. Fortunately, Active Directory Users and Computers (beginning with Windows Server 2008) displays the value of maxPwdAge in the format dd:hh:mm:ss (days:hours:minutes:seconds). The value corresponding to 10 days is shown in ADUC as 10:00:00:00.
If you use Group Policy to view the default domain policy, the value is found in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy. The same value would appear as "10 days". Group Policy allows you to assign any value from 1 to 999 days, as long as the value exceeds the setting for minimum password age. The screen to view and modify the domain maximum password age policy is shown below:
The ldp utility can display the value of the maxPwdAge attribute of the domain object, but there are quirks. The Windows 2000 Server version of the utility shows the actual negative large integer value. The Windows Server 2003 version shows the value in positive seconds. The versions from Windows Server 2008 on display the value in positive days, hours, minutes, and seconds.
All versions of the command line utility dsquery have problems retrieving the value of the maxPwdAge attribute. Instead of a negative sign in front of the value, they display a long string of garbage characters.
The PowerShell AD module cmdlet Get-ADDefaultDomainPasswordPolicy can be used to retrieve the domain password policies. One of the properties this cmdlet exposes is MaxPasswordAge. This property is the value of the maxPwdAge attribute of the domain, but formatted as dd.hh:mm:ss.xxxxxxx, where dd is days, hh is hours, mm is minutes, ss is seconds, and xxxxxxx is fractions of a second. The value is always displayed as positive. Note that a period separates the days from the hours (not the colon used in ADUC). Sample output from the cmdlet is shown below:
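To put the conversions described above into working code, the following Python functions are an added example (not part of the original article, and not code from the AD module). They encode a number of days as the negative Integer8 that maxPwdAge stores, split a raw value back into days, hours, minutes, seconds and leftover ticks, and render it both in the ADUC dd:hh:mm:ss form and in the cmdlet's dd.hh:mm:ss.xxxxxxx form. The constants come from the figures in the text; the function names are my own, and the sample values are constructed.

```python
# Added example: encode/decode the Integer8 value Active Directory stores in
# maxPwdAge and render it the way ADUC and Get-ADDefaultDomainPasswordPolicy do.
# Constants mirror the article's numbers; nothing here talks to a directory.

TICKS_PER_SECOND = 10_000_000                    # one tick is 100 nanoseconds
TICKS_PER_DAY = 24 * 60 * 60 * TICKS_PER_SECOND  # 864,000,000,000 ticks
NEVER_EXPIRES = -(2 ** 63)                       # -9,223,372,036,854,775,808, stored for "Never"


def days_to_maxpwdage(days):
    """Encode a maximum password age in days as the negative Integer8 that AD stores."""
    if days <= 0:
        raise ValueError("maximum password age must be positive; use NEVER_EXPIRES for 'Never'")
    return -round(days * TICKS_PER_DAY)


def split_ticks(ticks):
    """Split a non-negative tick count into (days, hours, minutes, seconds, fraction_ticks)."""
    days, rem = divmod(ticks, TICKS_PER_DAY)
    hours, rem = divmod(rem, 3600 * TICKS_PER_SECOND)
    minutes, rem = divmod(rem, 60 * TICKS_PER_SECOND)
    seconds, fraction = divmod(rem, TICKS_PER_SECOND)
    return days, hours, minutes, seconds, fraction


def maxpwdage_days(maxpwdage):
    """Decode a raw maxPwdAge value into days; None for the 'Never' sentinel."""
    if maxpwdage == NEVER_EXPIRES:
        return None
    if maxpwdage >= 0:
        raise ValueError("maxPwdAge is always stored as a negative value")
    return -maxpwdage / TICKS_PER_DAY


def format_aduc(maxpwdage):
    """Render as dd:hh:mm:ss, the ADUC (Windows Server 2008 and later) display.
    For the 'Never' sentinel this yields the 10,675,199-day span the article cites."""
    d, h, m, s, _ = split_ticks(-maxpwdage)
    return f"{d}:{h:02d}:{m:02d}:{s:02d}"


def format_powershell(maxpwdage):
    """Render as dd.hh:mm:ss.xxxxxxx, the MaxPasswordAge format of the AD module cmdlet."""
    d, h, m, s, f = split_ticks(-maxpwdage)
    return f"{d}.{h:02d}:{m:02d}:{s:02d}.{f:07d}"


if __name__ == "__main__":
    raw = days_to_maxpwdage(10)          # constructed value: the article's 10-day example
    print(raw)                           # -8640000000000
    print(format_aduc(raw))              # 10:00:00:00
    print(format_powershell(raw))        # 10.00:00:00.0000000
    print(format_aduc(NEVER_EXPIRES))    # 10675199:02:48:05
```

Because Python integers are unbounded, split_ticks can also take the negated "Never" sentinel, which overflows a signed 64-bit integer in languages with fixed-width types; that is where the 10,675,199 days 2:48:05 figure in the text comes from.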
The Set-ADDefaultDomainPasswordPolicy cmdlet can be used to assign a value to the MaxPasswordAge property. The value should be in the format dd.hh:mm:ss. To assign the value of 10 days, you would specify "10.", with the trailing period.
The help for Set-ADDefaultDomainPasswordPolicy states that the value must be between
10675199:02:48:05.4775807. Really. That's 10,675,199 days, which comes out to just over 29,227 years. But what does a negative value for MaxPasswordAge mean? Does that mean the maxPwdAge attribute will be positive?
The help even states the following:
The following examples show how to set this parameter.
Set the time span to 2 days
Set the time span to the previous 2 days
Anyone see a problem here? Does this mean we can configure passwords to expire two days before they are changed? Seems like all passwords will always be expired. You would need to change your password every time you logged on.
But this assumes that a negative value for MaxPasswordAge is allowed. Fortunately, it is not. The help for Set-ADDefaultDomainPasswordPolicy is not correct on this point. Sure, PowerShell TimeSpans can be positive or negative, but Active Directory will not allow you to configure passwords to be expired before they are set. In fact, MaxPasswordAge must always exceed MinPasswordAge. If you use Set-ADDefaultDomainPasswordPolicy to assign a negative number of days to MaxPasswordAge, no error is raised, but the absolute value of the number of days is assigned (so that maxPwdAge is negative).
You cannot assign zero to maxPwdAge directly. And you cannot assign zero to the MaxPasswordAge PowerShell property using Set-ADDefaultDomainPasswordPolicy. This would violate the requirement that the maximum password age must exceed the minimum password age. However, you can assign zero in Group Policy. Group Policy will then display the value as "Never". This will assign the largest negative value possible to the maxPwdAge attribute of the domain object in Active Directory. This value is -9,223,372,036,854,775,808, which corresponds to 10,675,199 days, or more than 29,227 years in the future. OK, that is not forever, but close enough. The effect is that passwords will not expire during anyone's lifetime.
Instead of using Group Policy to assign zero to the maximum password age, you can configure accounts for "Password never expires". You do this on the "Account" tab of user properties in ADUC. You can select all of the user objects you want and configure them in bulk, leaving other accounts alone. This probably is the best procedure if you really have users whose passwords should not expire.
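The assignment rules just described (negative values stored as their absolute value, zero rejected by the cmdlet but stored as "Never" by Group Policy, maximum age strictly above minimum age) and the per-account "Password never expires" setting can both be checked from raw directory values. The following is an added example of mine, not the article's or the AD module's code: resulting_maxpwdage models the rules above, and audit_password_expiry reports the findings a defender would want over constructed sample data. It assumes, as is documented for Active Directory, that minPwdAge uses the same negative Integer8 encoding as maxPwdAge and that the "Password never expires" checkbox sets the 0x10000 bit of userAccountControl; the 90-day limit is an assumed local policy, not a figure from the article.

```python
# Added example: model of the article's assignment rules plus an audit over raw
# maxPwdAge/minPwdAge values and user records. Sample records are constructed.

TICKS_PER_DAY = 24 * 60 * 60 * 10_000_000   # 100-nanosecond ticks per day
NEVER_EXPIRES = -(2 ** 63)                  # stored when Group Policy sets the maximum age to "Never"
DONT_EXPIRE_PASSWD = 0x10000                # userAccountControl bit behind "Password never expires" (assumed known value)


def resulting_maxpwdage(requested_days, min_days, via_group_policy=False):
    """Return the maxPwdAge value that results from a requested age, or raise ValueError.

    Models the behaviour the article describes: the cmdlet silently takes the
    absolute value of a negative TimeSpan and rejects zero; Group Policy accepts
    1..999 days or zero, and stores zero as the 'Never' sentinel.
    """
    if requested_days == 0:
        if via_group_policy:
            return NEVER_EXPIRES
        raise ValueError("zero is not accepted; the maximum age must exceed the minimum age")
    if via_group_policy:
        if not 1 <= requested_days <= 999:
            raise ValueError("Group Policy accepts 1 to 999 days")
    else:
        requested_days = abs(requested_days)    # negative TimeSpan -> absolute value, no error
    if requested_days <= min_days:
        raise ValueError("maximum password age must exceed minimum password age")
    return -round(requested_days * TICKS_PER_DAY)


def audit_password_expiry(max_pwd_age, min_pwd_age, users, max_allowed_days=90):
    """Return a list of human-readable findings for raw domain values and user records.

    max_pwd_age / min_pwd_age are the raw Integer8 values (negative, or the sentinel);
    each user is a dict with sAMAccountName and userAccountControl.
    """
    findings = []
    if max_pwd_age == NEVER_EXPIRES:
        findings.append("domain: maximum password age is Never; passwords never expire")
    else:
        max_days = -max_pwd_age / TICKS_PER_DAY
        if max_days > max_allowed_days:
            findings.append(f"domain: maximum password age is {max_days:g} days, "
                            f"above the {max_allowed_days}-day limit")
        # Both values are negative, so a smaller number means a longer interval.
        if min_pwd_age <= max_pwd_age:
            findings.append("domain: minimum password age is not below the maximum password age")
    for user in users:
        if user["userAccountControl"] & DONT_EXPIRE_PASSWD:
            findings.append(f"user {user['sAMAccountName']}: 'Password never expires' is set")
    return findings


SAMPLE_USERS = [  # constructed records, not from a real directory
    {"sAMAccountName": "alice", "userAccountControl": 0x200},                 # NORMAL_ACCOUNT
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x200 | 0x10000},  # never expires
]


if __name__ == "__main__":
    # Constructed scenario: Group Policy set the maximum age to "Never", minimum age 1 day.
    for line in audit_password_expiry(NEVER_EXPIRES, -1 * TICKS_PER_DAY, SAMPLE_USERS):
        print(line)
```

Feeding the audit with values read from the domainDNS object (maxPwdAge, minPwdAge) and a user export gives a single list of the accounts and domain settings that exempt passwords from expiry.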