?
Solved

Extending password expiration in AD

Posted on 2010-08-17
9
Medium Priority
?
3,022 Views
Last Modified: 2012-05-10
I'm having a somewhat confusing issues with AD password. Now my question is this.....

A user password is already expired. Now, can I as an admin go in and negate this expiration and maybe extend it for another 30 days so that the user can still keep on using the same password? OR, will the password need to be reset?

Note that I'm talking about normal circumstances. Nothing about changing the last password value or any other fancy ways. This is just through AD users and computers snap in.
0
Comment
Question by:edniso
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +1
9 Comments
 
LVL 3

Expert Comment

by:mchieff
ID: 33461635
once it is expired it needs to be reset
depending on your group polcy for passwords, you can reset it to be the same if you like
0
 
LVL 85

Accepted Solution

by:
oBdA earned 500 total points
ID: 33461673
You can open the properties of the user and check the "Password never expires" box; if you don't want to think about having to manually uncheck the box again after 30 days or whenever, you can create a scheduled task (running with a user with the necessary AD permissions) for the expiration date that will disable the property again:
dsmod user "cn=SomeUser,ou=SomeOU,dc=domain,dc=local" -pwdneverexpires no
0
 
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 500 total points
ID: 33461739
That's right, if you want to use expired password longer, the only option is to set "Password never expires" checkbox in user's profile. Additionally, maybe your domain password policy is adequate? You can set longer expiration time in "Default Domain Policy" Computer Configuration -> Windows Settings -> Security Settings Account Policies -> Password Policies

But remember this policy affects all users in your domain. If you use 2003 (as I guess for zone assignement) as DC this is mandatory for whole domain users, in 2008 you can additionally use granular password policies

http://www.windowsecurity.com/articles/Configuring-Granular-Password-Settings-Windows-Server-2008-Part-1.html
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 

Author Comment

by:edniso
ID: 33461768
iSiek: So what you are saying is that if a password is already expired, I can go in and check "Password never expires" and it will negate the expiry and the user will be able to use the old password?
0
 
LVL 85

Expert Comment

by:oBdA
ID: 33461831
Yes, enaling "Password never expires" will even work after the password has expired.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33461851
That's right. But it will take effect only if a user didn't change password.
0
 

Author Comment

by:edniso
ID: 33471989
Thanks everyone. I can only do it as domain admin (or) will an account operator have the ability to extend the expiration as well?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33472234
Basicaly, only domain admins.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33472237
Sorry, wrong answer(I didn' realize that it is other post). You should be able to do that as account operator :)
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question