Solved

Extending password expiration in AD

Posted on 2010-08-17
9
2,756 Views
Last Modified: 2012-05-10
I'm having a somewhat confusing issues with AD password. Now my question is this.....

A user password is already expired. Now, can I as an admin go in and negate this expiration and maybe extend it for another 30 days so that the user can still keep on using the same password? OR, will the password need to be reset?

Note that I'm talking about normal circumstances. Nothing about changing the last password value or any other fancy ways. This is just through AD users and computers snap in.
0
Comment
Question by:edniso
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +1
9 Comments
 
LVL 3

Expert Comment

by:mchieff
ID: 33461635
once it is expired it needs to be reset
depending on your group polcy for passwords, you can reset it to be the same if you like
0
 
LVL 84

Accepted Solution

by:
oBdA earned 125 total points
ID: 33461673
You can open the properties of the user and check the "Password never expires" box; if you don't want to think about having to manually uncheck the box again after 30 days or whenever, you can create a scheduled task (running with a user with the necessary AD permissions) for the expiration date that will disable the property again:
dsmod user "cn=SomeUser,ou=SomeOU,dc=domain,dc=local" -pwdneverexpires no
0
 
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 125 total points
ID: 33461739
That's right, if you want to use expired password longer, the only option is to set "Password never expires" checkbox in user's profile. Additionally, maybe your domain password policy is adequate? You can set longer expiration time in "Default Domain Policy" Computer Configuration -> Windows Settings -> Security Settings Account Policies -> Password Policies

But remember this policy affects all users in your domain. If you use 2003 (as I guess for zone assignement) as DC this is mandatory for whole domain users, in 2008 you can additionally use granular password policies

http://www.windowsecurity.com/articles/Configuring-Granular-Password-Settings-Windows-Server-2008-Part-1.html
0
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

 

Author Comment

by:edniso
ID: 33461768
iSiek: So what you are saying is that if a password is already expired, I can go in and check "Password never expires" and it will negate the expiry and the user will be able to use the old password?
0
 
LVL 84

Expert Comment

by:oBdA
ID: 33461831
Yes, enaling "Password never expires" will even work after the password has expired.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33461851
That's right. But it will take effect only if a user didn't change password.
0
 

Author Comment

by:edniso
ID: 33471989
Thanks everyone. I can only do it as domain admin (or) will an account operator have the ability to extend the expiration as well?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33472234
Basicaly, only domain admins.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33472237
Sorry, wrong answer(I didn' realize that it is other post). You should be able to do that as account operator :)
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question