Extending password expiration in AD

I'm having a somewhat confusing issues with AD password. Now my question is this.....

A user password is already expired. Now, can I as an admin go in and negate this expiration and maybe extend it for another 30 days so that the user can still keep on using the same password? OR, will the password need to be reset?

Note that I'm talking about normal circumstances. Nothing about changing the last password value or any other fancy ways. This is just through AD users and computers snap in.
ednisoAsked:
Who is Participating?
 
oBdAConnect With a Mentor Commented:
You can open the properties of the user and check the "Password never expires" box; if you don't want to think about having to manually uncheck the box again after 30 days or whenever, you can create a scheduled task (running with a user with the necessary AD permissions) for the expiration date that will disable the property again:
dsmod user "cn=SomeUser,ou=SomeOU,dc=domain,dc=local" -pwdneverexpires no
0
 
mchieffCommented:
once it is expired it needs to be reset
depending on your group polcy for passwords, you can reset it to be the same if you like
0
 
Krzysztof PytkoConnect With a Mentor Active Directory EngineerCommented:
That's right, if you want to use expired password longer, the only option is to set "Password never expires" checkbox in user's profile. Additionally, maybe your domain password policy is adequate? You can set longer expiration time in "Default Domain Policy" Computer Configuration -> Windows Settings -> Security Settings Account Policies -> Password Policies

But remember this policy affects all users in your domain. If you use 2003 (as I guess for zone assignement) as DC this is mandatory for whole domain users, in 2008 you can additionally use granular password policies

http://www.windowsecurity.com/articles/Configuring-Granular-Password-Settings-Windows-Server-2008-Part-1.html
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
ednisoAuthor Commented:
iSiek: So what you are saying is that if a password is already expired, I can go in and check "Password never expires" and it will negate the expiry and the user will be able to use the old password?
0
 
oBdACommented:
Yes, enaling "Password never expires" will even work after the password has expired.
0
 
Krzysztof PytkoActive Directory EngineerCommented:
That's right. But it will take effect only if a user didn't change password.
0
 
ednisoAuthor Commented:
Thanks everyone. I can only do it as domain admin (or) will an account operator have the ability to extend the expiration as well?
0
 
Krzysztof PytkoActive Directory EngineerCommented:
Basicaly, only domain admins.
0
 
Krzysztof PytkoActive Directory EngineerCommented:
Sorry, wrong answer(I didn' realize that it is other post). You should be able to do that as account operator :)
0
All Courses

From novice to tech pro — start learning today.