I'm simply wondering when you should set a user account so that the password never expires. On what accounts is this a good idea?
The one place I can see it being justified is on service accounts. Typically you don't want a service account password to simply expire which could cause all the processes that account runs to fail. Interactive user accounts should always have passwords follow the password policy.
You have to make sure if you do set service accounts to not expire that you have good processes around querying these accounts and making sure you manually reset the passwords at some interval. There are compliance standards in a lot of industries that will mandate all account passwords get changed at some specific interval.
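The querying process the answer above calls for can be scripted. The following PowerShell is an added example, not code from this thread or from any poster: it lists enabled AD accounts flagged "Password Never Expires" and marks those whose password is older than a rotation threshold, so the manual reset interval can actually be enforced. It assumes the RSAT ActiveDirectory module is installed, uses a 90-day threshold chosen here to match the compliance interval mentioned in the thread (adjust to your policy), and writes to a placeholder CSV path.

```powershell
# Added example (not from any answer on this page): audit accounts set to
# "Password Never Expires" and flag those overdue for a manual reset.
# Assumptions: ActiveDirectory RSAT module present; 90-day threshold and
# output path are placeholders chosen for illustration.

Import-Module ActiveDirectory

$MaxAgeDays = 90
$Now        = Get-Date
$Cutoff     = $Now.AddDays(-$MaxAgeDays)

# Only enabled accounts whose password is set never to expire.
# (Search-ADAccount -PasswordNeverExpires -UsersOnly gives the same set,
#  but Get-ADUser lets us pull PasswordLastSet and other attributes in one call.)
$accounts = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
    -Properties PasswordLastSet, Description, LastLogonDate, ServicePrincipalName

$report = foreach ($u in $accounts) {
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Description     = $u.Description
        # Accounts with an SPN are almost certainly service accounts; others
        # flagged never-expires deserve a second look (interactive users?).
        HasSPN          = [bool]$u.ServicePrincipalName
        PasswordLastSet = $u.PasswordLastSet
        AgeDays         = if ($u.PasswordLastSet) { [int]($Now - $u.PasswordLastSet).TotalDays } else { $null }
        LastLogonDate   = $u.LastLogonDate
        # A null PasswordLastSet means "must change at next logon" or never set:
        # treat it as overdue rather than silently passing it.
        Overdue         = (-not $u.PasswordLastSet) -or ($u.PasswordLastSet -lt $Cutoff)
    }
}

# Overdue first, then oldest password at the top.
$report |
    Sort-Object @{ Expression = 'Overdue'; Descending = $true }, PasswordLastSet |
    Format-Table SamAccountName, HasSPN, AgeDays, LastLogonDate, Overdue, Description -AutoSize

# Hand the overdue list to whoever owns the rotation tickets.
$report | Where-Object Overdue |
    Export-Csv -Path '.\never-expires-overdue.csv' -NoTypeInformation
```

Run it on a schedule and diff the CSV against the previous run: a new row is either a service account someone created without telling you or an interactive user who was quietly exempted from the password policy, and both are worth a ticket.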
Automated scripts may use it (I've run into issues on systems where scheduled tasks were failing silently because the owner's password had expired). Obviously this was for non-internet-facing services.
Service/utility accounts.
The only time we use the "Password Never Expires" option is on service accounts. We use a system outside of Active Directory to provision AD user accounts, and part of it forces users to change their password every 90 days. If the option isn't checked, it's been known to lock out accounts and break stuff at 2am when the script runs.
The main one is service accounts, as previously mentioned; however, another option is for accounts that may have a very low risk profile combined with an infrequent usage profile - for example, an account which is logged into once a year that gives read-only access to some non-critical data. If it had password expiry, the user would either write down the password or use the helpdesk for a password reset every time.
It isn't best practice, but if the risk is low it might just be the right thing to do in this example.