Solved

How to disable "Password Never Expires" option from Active Directory

Posted on 2008-10-09
7
1,251 Views
Last Modified: 2008-12-07
In our organization (under SOX controls) we cannot allow Admins to create new or change existing AD accounts to allow "Passwords Never Expire" on any account. While we can say "don't do it" people still do.

How can I disable the option to even CHECK that box completely from the AD interface?  GPO?  If so, has anyone done it, or can someone help me do that?

Thank you so much!
0
Question by:thundr101
7 Comments
 
LVL 2

Expert Comment

by:ScottGranado
ID: 22684165
I really doubt you can do this. If anything, this would be a change inside the schema.
0
 
LVL 4

Expert Comment

by:zack4x4
ID: 22684184
What always works for me is a deadblow hammer and threatening anyone that does it. Or you can suspend their AD privileges if they repeatedly do it. I'm not sure this can be done, to be honest.
0
 
LVL 42

Accepted Solution

by:paulsolov earned 500 total points
ID: 22684543
Set up a GPO to require password changes as required. Remove domain admin privileges from anyone that is not an admin, and for admins that need access to admin privileges, give them only what they need and remove them from Domain Admins. Everyone else you can set via GPO. Looks like this has been covered before:

http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_23577693.html

Hope this helps
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22685082

> How can I disable the option to even CHECK that box completely from the AD interface?  

You could potentially deny write access to userAccountControl. Unfortunately it isn't possible to split the "Password Never Expires" option out of that set. The set also includes account disable, trusted for delegation, and everything else in the same box in the GUI.

The rather hideous alternative is to build your own GUI that doesn't include access to that option. It wouldn't stop modification of that field through ADSIEdit or by script though.

The best you can do with this normally is strong and frequent auditing, both of who is making changes and of whether or not that attribute has been set.

Chris
0
 

Expert Comment

by:BhavikRuparel
ID: 22685110
That's by design, so disabling that option is not recommended by Microsoft.
An alternate option is executing a script on a periodic basis to identify the accounts that are configured with "Passwords Never Expire".

For reference, refer to the link below.

http://www.wisesoft.co.uk/scripts/vbscript_enable-disable_password_never_expires.aspx
0
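The periodic audit suggested in the comment above, and the "who changed it, and is it set" auditing Chris Dent describes, can both be done from the command line rather than a bespoke GUI. The script below is an added example written for this thread, not code posted by any of the participants or taken from the linked page. It assumes the ActiveDirectory PowerShell module (RSAT / Server 2008 R2 and later) and read access to the domain; the output path under `$env:TEMP` and the report column names are arbitrary choices. It also decodes the `userAccountControl` bitmask, which makes Chris Dent's point concrete: the "Password never expires" bit lives in the same attribute as account disable and delegation trust, so you cannot ACL it separately.

```powershell
# Added example (not from the thread): periodic audit of accounts whose
# userAccountControl has the DONT_EXPIRE_PASSWD bit set.
# Assumes the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# userAccountControl is one bitmask. The bit the question wants to forbid
# (DONT_EXPIRE_PASSWD) shares the attribute with the flags named in the thread,
# which is why write access to it cannot be denied for just that one option.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE         = 0x0002
    PASSWD_NOTREQD         = 0x0020
    NORMAL_ACCOUNT         = 0x0200
    DONT_EXPIRE_PASSWD     = 0x10000
    TRUSTED_FOR_DELEGATION = 0x80000
    NOT_DELEGATED          = 0x100000
    DONT_REQ_PREAUTH       = 0x400000
}

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    # Return the name of every flag set in the bitmask
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Get-PasswordNeverExpiresReport {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [string]$OutFile = "$env:TEMP\pwd-never-expires-$(Get-Date -Format yyyyMMdd).csv"
    )
    # Server-side filter on the flag; -Properties pulls the attributes we report on
    $hits = Get-ADUser -Filter 'PasswordNeverExpires -eq $true' `
        -SearchBase $SearchBase `
        -Properties userAccountControl, PasswordLastSet, whenChanged, MemberOf

    $report = foreach ($u in $hits) {
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            Enabled           = $u.Enabled
            PasswordLastSet   = $u.PasswordLastSet
            LastChanged       = $u.whenChanged
            IsDomainAdmin     = [bool](@($u.MemberOf) -match '^CN=Domain Admins,')
            UacFlags          = (ConvertFrom-UserAccountControl $u.userAccountControl) -join '|'
            DistinguishedName = $u.DistinguishedName
        }
    }

    $report | Export-Csv -Path $OutFile -NoTypeInformation
    Write-Host "$(@($report).Count) account(s) with 'Password never expires' written to $OutFile"
    return $report
}

# Run from a scheduled task; compare successive CSVs to see what changed since the last run.
Get-PasswordNeverExpiresReport |
    Format-Table SamAccountName, Enabled, PasswordLastSet, IsDomainAdmin, UacFlags -AutoSize
```

The `whenChanged` column tells you when the object was last modified, not who set the flag. For the "who" half of the audit, enable Account Management auditing on the domain controllers: the security log then records a "user account was changed" event (ID 4738 on Server 2008 and later) that carries the old and new `userAccountControl` values alongside the account that made the change, which is the evidence a SOX reviewer will ask for.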
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22685429
Password never expires overrides the Password policy for the domain. It is used to prevent the admin passwords from being changed. Let me tell you why.

Let's say the admin account is logged on in different locations. If the password is changed while logged on to multiple locations, it locks the account and you can get locked out of the domain. Furthermore, some applications use Domain Admin. Let's say you have a scanner that requires domain admin access (like asset inventory software). For that to work it may require Domain Admin passwords. If you change your domain admin password, you have to change it in ALL of those types of applications.

You should be able to deselect "password never expires". When people say "don't do it" there is a reason.

To overcome your problem, deny admin rights as administrators. That is the ONLY way to prevent them from changing their habits of "password never expires" that I know of. Of course, the hammer method will work too, right zack4x4?
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 22686168
There's not going to be a way to enforce this using native Active Directory tools. You will need to implement a user provisioning tool that enforces this business rule, and only grant permissions to create user accounts within that tool. Even then, you will still have DAs with permissions directly within the directory, so you will need to perform ongoing auditing to ensure that compliance is being maintained.

AD is a data repository; it doesn't enforce business rules.
0
