This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 69%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EES%3C/text%3E%3C/svg%3E)
Hi,
I have two different question
if i set them password never expires to these users does new default domain policy override password never expire feature.
kindly advise
thanks......Ehsan
The answer to both questions depend on how you have configured your AD sync, if you have enabled PTA, then the answer to both questions are yes, as any password changes or logon are validated by the on-premise DC and FGPP will be honoured. You can exclude users and service accounts by setting the password to doesn't expire in the on-premise AD.
Gary.
Hi there,
In order to use fine-grained passwords, your domain needs to be Windows Server 2008 Domain Functional Level or higher. This essentially means that all Domain Controllers in your domain need to be Windows Server 2008 or higher and the domain functional level raised to at least Windows Server 2008. Additional password policies are applied to users or groups, not OU’s.
Each PSO object has a setting called Password Settings Precedence. This value determines which PSO will be used when multiple PSO objects are being applied. The PSO with the lowest value will be used with the lowest value being 1. If there are multiple PSOs with the same Password Settings Precedence value then the PSO with the lowest GUID will be used. Every object in Active Directory has a unique GUID that acts as a serial number for the object, thus one PSO will always have a lower GUID.
--If the reply is helpful, please Upvote and Accept it as an answer--