Disable password never expires option in AD

Barry-ESG 0 Reputation points
2023-07-21T19:32:26.2933333+00:00

How can I prevent the use of the "Password Never Expires" check box in account options with Active Directory? Can it be done?

The password policy requires passwords to be changed on a rotation; however, on occasion I'm still finding the flag set for password to not expire on some accounts (both admin and normal users).

It's all well and good doing spot checks before audits happen, but if I can prevent the option even being used, even better.

So far I have a GPO to create a Scheduled Task on the DC that sets the flag to false on all accounts in AD, but is this the best/easiest way to do it or is there something more elegant?

And yes, I know education is the preferred method, but when that fails, just for this point dragging the offenders before HR is a bit OTT, IMO.


1 answer

  1. Anonymous
    2023-07-24T05:00:03.3566667+00:00

    Hi,

    The value of the Password Never Expires option is set by a bit of the userAccountControl attribute. To prevent the Password Never Expires option of an AD user from being modified, you can deny access to write userAccountControl in the advanced security settings of the user properties.

    Best Regards,

    Ian Xue
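
As an added example (not part of the original thread and not the answerer's code), the PowerShell below decodes the userAccountControl bit the answer refers to, reports which accounts have "Password never expires" set, and computes the value with only that bit cleared. The account names and values are constructed sample data, and `Get-NeverExpiresReport` is a hypothetical helper name.

```powershell
# Added example: audit the "Password never expires" bit in userAccountControl.
# Flag values are the documented userAccountControl bits.
$ACCOUNTDISABLE       = 0x2       # account is disabled
$NORMAL_ACCOUNT       = 0x200     # ordinary user account
$DONT_EXPIRE_PASSWORD = 0x10000   # the "Password never expires" check box

# Constructed sample records (not real accounts). Against a live domain the
# same objects can come from the ActiveDirectory module, using the bitwise-AND
# LDAP matching rule to return only accounts with the bit set:
#   Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=65536)' -Properties userAccountControl, adminCount
$accounts = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';       userAccountControl = 512;   adminCount = 0 }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; userAccountControl = 66048; adminCount = 0 }
    [pscustomobject]@{ SamAccountName = 'adm-smith';  userAccountControl = 66050; adminCount = 1 }
)

function Get-NeverExpiresReport {
    param([Parameter(Mandatory)] [object[]] $Account)
    foreach ($a in $Account) {
        $uac = [int]$a.userAccountControl
        # Skip accounts where the never-expires bit is not set.
        if (($uac -band $DONT_EXPIRE_PASSWORD) -eq 0) { continue }
        [pscustomobject]@{
            SamAccountName = $a.SamAccountName
            Privileged     = ($a.adminCount -eq 1)
            Disabled       = (($uac -band $ACCOUNTDISABLE) -ne 0)
            CurrentUac     = $uac
            # Clear only the never-expires bit; every other flag is preserved.
            CorrectedUac   = $uac -band (-bnot $DONT_EXPIRE_PASSWORD)
        }
    }
}

# Report for review before any change is made. On a live domain the bit can
# then be cleared per account with: Set-ADUser <name> -PasswordNeverExpires $false
Get-NeverExpiresReport -Account $accounts | Format-Table -AutoSize
```

Because ACCOUNTDISABLE is stored in the same attribute, a deny-write entry on userAccountControl also stops the denied principal from enabling or disabling the account, so scope any such ACE to the principals and OUs where that side effect is acceptable.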

