Let's say I have a group policy that sets the maximum password age at 90 days. Some user doesn't change their password for 91 days, so their password should be expired.
If I then remove that group policy to make the max password age not defined, will that account still be expired? In other words, when that user logs in again, should they still be required to change their password?
I would think not, but I seem to be observing the exact opposite behavior on our domain controller; that is, after I change the group policy setting and log in with an account whose password had expired, I still get prompts about it.
Does anyone know for sure either way, or is there something else I'm missing?
Once a password is expired that is it. They will be prompted to change it. Even if you change the group policy. The reason is because the account has a flag set that says "change password on next login".
You could go into the User & Groups Manager and set the user back to not expired password.
This stumped me and was hard to google for, so I'm posting the answer I found on this question because it was one of the only results.
My issue was very similar to the OP, whereby I was trying to disable password expiry completely, and attempted to do so by setting
Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Account Policy > Password Policy > Max Password Age
to Undefined in the Default Domain Policy. Over the next couple of months, user passwords were still expiring, and I double checked group policy results and rsop.msc numerous times to try to track it down.
In the end I found that to disable password expiry, you need to set Max Password Policy to Enabled with value 0 days (instead of Undefined) (as per the documentation on the Explain tab - derp).
What helped me reach this conclusion was checking the expiry of all account passwords using this query:
the results looked like this
After updating the policy to Enabled - 0 days, I ran the query again, and this time results showed no expiry on any account.
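One way to run this kind of check, as an added PowerShell example (not the poster's original query, which is not reproduced on this page). It assumes the ActiveDirectory RSAT module is installed, and it reads the domain's effective MaxPasswordAge plus each enabled account's computed expiry from the msDS-UserPasswordExpiryTimeComputed attribute.

```powershell
# Added example, not the query from the answer above.
# Assumption: run on a domain-joined machine with the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Effective domain-wide value. A MaxPasswordAge of 00:00:00 means
# passwords never expire (the "Enabled, 0 days" setting).
$policy = Get-ADDefaultDomainPasswordPolicy
"Domain MaxPasswordAge: {0}" -f $policy.MaxPasswordAge

# msDS-UserPasswordExpiryTimeComputed is a constructed attribute: the directory
# calculates it when queried, from pwdLastSet and the maximum password age that
# applies to the account (including any fine-grained password policy).
# Int64.MaxValue is the sentinel for "never expires"; 0 means pwdLastSet is 0.
$never = [Int64]::MaxValue

Get-ADUser -Filter 'Enabled -eq $true' `
           -Properties 'msDS-UserPasswordExpiryTimeComputed', PasswordLastSet, PasswordNeverExpires |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'

        # FromFileTime throws on the "never" sentinel, so handle it first.
        $expiry = if ($null -eq $raw -or $raw -eq $never) {
            'Never'
        } elseif ($raw -eq 0) {
            'Must change at next logon'
        } else {
            [datetime]::FromFileTime($raw)
        }

        [pscustomobject]@{
            SamAccountName       = $_.SamAccountName
            PasswordLastSet      = $_.PasswordLastSet
            PasswordNeverExpires = $_.PasswordNeverExpires
            PasswordExpires      = $expiry
        }
    } |
    Sort-Object SamAccountName |
    Format-Table -AutoSize
```

Running it before and after a policy change, once the domain controllers have applied the new setting, shows whether the PasswordExpires column actually changed for the accounts in question.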