One of our users is currently overseas, and her Active Directory domain password expired. She's logging on with a laptop using cached credentials and (non-AD integrated) VPN, but she can't logon to file shares or Outlook with the expired password. If I change the password, I'm concerned it's going to create cached logon problems for her with the laptop, which I won't be able to fix while she's eight time zones away. The flag that says she must change her password is already set. If I set her password to never expire, will that prevent her from having to change the password, or must she change it no matter what I do?
A similar question here indicates that setting the account to Never Expire would work, but I'd like some confirmation.
Edit: The password never expire setting would only be in place until she returns to the office. I'm just trying to allow her back into the system while she's away, without making the problem worse.
Final edit: Setting the "Never expire" flag fixed the problem. The user will keep her existing password until she returns next week.
Yes, I have done this many times. If the password is already expired, checking the "Password Never Expires" checkbox will un-expire the password until the user is located on a site with a DC.
To keep the old expired password simply reset it using the management console and set it to never expire, as you said. I will not go into all the reasons most of us would not do so, as I assume you have your own reasons for doing what you do.
While not a direct answer to your question, this is how you take care of the cached credentials being out of sync when a user is using VPN.
Go ahead and reset her password for her - but don't force a change on next login. Have her log into the laptop with the current cached credentials, then VPN into your network. Once she is VPN'd in, have her lock the computer, then unlock the computer with the NEW credentials. This will update the local cache and allow her to log into the machine with the new password, and let you NOT set the password never expires flag. She could continue to use that password until it expires like normal.
My experience is that once it demands you change your password you must change it. Once changed, I think you could change it back with little to no issue. But you'd probably want to test it before trying it with her.
And yes, once she's good again you might want to consider setting the never expire flag.
The following code can be used to find out why the password expired.
It was originally copied and pasted from the Active Directory PowerShell Blog on MSDN blogs.
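The blog script referred to above is not reproduced on this page, so here is an added PowerShell example (my own, not the MSDN blog code and not any answerer's script) that does the two things discussed in this thread: it reports why an account's password counts as expired (last set time, the resultant maximum age including fine-grained policies, the computed expiry time, the "must change at next logon" state), and it applies the "Password Never Expires" flag from the accepted answer without resetting the password. It assumes the RSAT ActiveDirectory module and a reachable DC; `jdoe` is a placeholder account name.

```powershell
# Added example: diagnose password expiry and apply the "never expires" flag.
# Requires the ActiveDirectory module (RSAT) and connectivity to a DC.
Import-Module ActiveDirectory

function Get-PasswordExpiryReport {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties `
        pwdLastSet, PasswordNeverExpires, PasswordExpired, `
        'msDS-UserPasswordExpiryTimeComputed'

    # A fine-grained password policy (PSO) overrides the domain default;
    # Get-ADUserResultantPasswordPolicy returns nothing if no PSO applies.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $user
    if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }

    # pwdLastSet = 0 means "User must change password at next logon".
    $lastSet = if ($user.pwdLastSet -gt 0) {
        [DateTime]::FromFileTime($user.pwdLastSet)
    } else { $null }

    # The DC computes the expiry for us; 0 means "must change now",
    # Int64.MaxValue means the password never expires.
    $raw = $user.'msDS-UserPasswordExpiryTimeComputed'
    $expires = if ($raw -gt 0 -and $raw -lt [Int64]::MaxValue) {
        [DateTime]::FromFileTime($raw)
    } else { $null }

    [PSCustomObject]@{
        User                 = $user.SamAccountName
        PasswordLastSet      = $lastSet
        MustChangeAtLogon    = ($user.pwdLastSet -eq 0)
        PasswordNeverExpires = $user.PasswordNeverExpires
        MaxPasswordAge       = $policy.MaxPasswordAge
        ExpiresOn            = $expires
        Expired              = $user.PasswordExpired
    }
}

function Set-PasswordNeverExpires {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [bool]$Enabled = $true
    )
    # Flips the "Password Never Expires" checkbox only; the existing (expired)
    # password is kept, which is what the accepted answer relies on.
    # -ChangePasswordAtLogon:$false clears the "must change at next logon"
    # checkbox, which would otherwise still force a change.
    Set-ADUser -Identity $SamAccountName `
        -PasswordNeverExpires $Enabled `
        -ChangePasswordAtLogon:$false
    Get-PasswordExpiryReport -SamAccountName $SamAccountName
}

# Usage ('jdoe' is a placeholder account):
Get-PasswordExpiryReport -SamAccountName 'jdoe' | Format-List
# Set-PasswordNeverExpires -SamAccountName 'jdoe'
# Later, when the user is back on site, clear it again:
# Set-PasswordNeverExpires -SamAccountName 'jdoe' -Enabled $false
```

Run the report first: if `MustChangeAtLogon` is true, the flag alone will not stop the change prompt, which is why the setter also clears that checkbox. The `-Enabled $false` call at the end is for reverting once the user returns, as the question's edit says the exemption is meant to be temporary.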