How to create password expiration for local users in Windows Server 2008?

Stiebel Eltron
Dear EE experts,

We would like to ask how to create password expiration for local users in Windows Server 2008, using gpedit.msc or regedit.

We don't know where to edit it and set its password expiration, for local users only...

Thank you & hope to hear soon...
Commented:
GPEDIT is the way to go (since with regedit, you may make mistakes).

Run it as admin > Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
To the right, set maximum password age to the number of days you wish.
Usually requires a reboot for it to take effect (or: gpupdate /force).
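
To confirm what the setting actually means for each local account after the policy refresh, the following read-only check (an added example, not part of the original thread) lists every local account with the effective maximum password age, its current password age, and whether "Password never expires" is set. It assumes Windows PowerShell 2.0 or later is installed; the function name `Get-LocalPasswordExpiry` is hypothetical.

```powershell
# Added example: read-only audit of local accounts on the machine it runs on.
# Assumes Windows PowerShell 2.0+; uses only WMI and the WinNT ADSI provider.
$computer = $env:COMPUTERNAME
$UF_DONT_EXPIRE_PASSWD = 0x10000   # "Password never expires" bit in UserFlags

function Get-LocalPasswordExpiry {
    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
    ForEach-Object {
        $user       = [ADSI]"WinNT://$computer/$($_.Name),user"
        $flags      = [int]$user.UserFlags.Value
        $maxSeconds = [double]$user.MaxPasswordAge.Value   # effective policy value
        $ageSeconds = [double]$user.PasswordAge.Value      # time since last change

        # Treat a non-positive or 0xFFFFFFFF maximum as "no maximum age set".
        $policyUnlimited = ($maxSeconds -le 0) -or ($maxSeconds -ge 4294967295)
        $neverExpires    = ($flags -band $UF_DONT_EXPIRE_PASSWD) -ne 0

        $maxDays  = $null
        $daysLeft = $null
        if (-not $policyUnlimited) {
            $maxDays = [math]::Round($maxSeconds / 86400, 1)
            # A per-account "never expires" flag exempts the account from the policy.
            if (-not $neverExpires) {
                $daysLeft = [math]::Round(($maxSeconds - $ageSeconds) / 86400, 1)
            }
        }

        New-Object PSObject -Property @{
            Name            = $_.Name
            Disabled        = $_.Disabled
            NeverExpires    = $neverExpires
            MaxAgeDays      = $maxDays
            PasswordAgeDays = [math]::Round($ageSeconds / 86400, 1)
            DaysLeft        = $daysLeft
        }
    }
}

Get-LocalPasswordExpiry |
    Sort-Object Name |
    Select-Object Name, Disabled, NeverExpires, MaxAgeDays, PasswordAgeDays, DaysLeft |
    Format-Table -AutoSize
```

Accounts that show `NeverExpires` as True are not affected by the maximum password age until that flag is cleared on the account.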
LockDown32Owner
Top Expert 2016

Commented:
I want to make sure I understand the question because there is a difference between local users and domain users. You keep using the term local users. The only thing local users can log on to is the computer on which they are created. I am not sure if that is what you intended or not.

For local users it would be done in GPEDIT. For Domain users it would be done in Group Policy Management.

Author

Commented:
We need it for local users, not for domain users...
I remember when we checked the Password Policy, it was grayed out; we couldn't change the number of days for its expiration...

LockDown32Owner
Top Expert 2016

Commented:
That would be because a Domain Policy is taking precedence. When you are logged in as one of these local users, at a command prompt, run gpresult /h gp.html and then look at gp.html. It should tell you which GPO is taking precedence.

Author

Commented:
Hi there LockDown32,

Please see the attached file for the gp.html result...

I think it's taking precedence from our domain "stiebeleltronasia.com"

So what can be the solution in order for us to enable the changing of password max age, etc.?
gp.html

Author

Commented:
In addition to this, the reason why we want to enable this password max age is because we have a site, a local site only (Intranet), and we want local site users to use this site, because we want to implement this Group Policy for those who are local users only, and not for the domain users...
Distinguished Expert 2018

Commented:
Hi.

The gp.html shows that you are on a domain and that the domain password policy is active. So you cannot have different rules for local accounts unless you remove the computer from the domain, as simple as that.
LockDown32Owner
Top Expert 2016
Commented:
The domain policy is taking precedence. You have 3 choices:

1) Change the domain policy to what you want it to be for the local users (but this would affect everyone local or not)
2) Change the domain policy to "Not Configured" so the local domain would take precedence (but this would remove it for domain users)
3) Remove the computer from the domain

None of your choices are really good. You might want to edit the Domain policy to suit your needs.

Author

Commented:
Thank you for the idea McKnife & LockDown32, so the question now is, if we remove the SharePoint server from the domain (it will be in WORKGROUP group as usual), then will the setting for the Password Max Age be enabled or still disabled?

And should every domain user log in every time they access the site?
LockDown32Owner
Top Expert 2016

Commented:
If you remove it from the domain then you will be able to configure the password settings with gpedit.msc. It will no longer be greyed out.

"And should every domain user log in every time they access the site?" Couldn't tell you. Domain users will not be able to log in to it. Not sure about SharePoint.
Distinguished Expert 2018
Commented:
A SharePoint server? You will NOT want to remove it from your domain, not in a thousand years. Don't. D-O-N-'-T even think about it! ;-)

Author

Commented:
Yes McKnife, it's a SharePoint Server that resides on that win 2008 server... Removing from domain would be a bad idea?

@LockDown32, got your advice... But need to check what McKnife said about removing SharePoint server from the domain...
LockDown32Owner
Top Expert 2016

Commented:
I wouldn't think you would want to dis-join the domain simply because it is a 2008 server. Is this the Domain Controller?

If it were me I would just modify the existing Password Policy to meet your need. Exactly what is it you are trying to accomplish?
Distinguished Expert 2018

Commented:
Accessing SharePoint relies on its domain membership. SharePoint authentication would break immediately.

Author

Commented:
@LockDown32: you said from the 3 choices that you gave earlier
>> 2) Change the domain policy to "Not Configured" so the local domain would take precedence (but this would remove it for domain users).<<
- if we set it to be "Not configured", it will free up taking precedence with local policy, right?

>> Exactly what is it you are trying to accomplish?<<
- what we are trying to accomplish here is to have the local users (only) change their password after a certain number of days (for example, 30 days). We need that for our SharePoint site that is open publicly.

@McKnife & LockDown32, you both said that removing the SharePoint server from the domain group isn't good, or it's a bad idea, why? It won't work as smoothly as in a domain group?
If a user uses the Chrome or Firefox browser, it asks for their UN & PW; will it be the same if we remove it from the domain group?
Distinguished Expert 2018

Commented:
Ok, wait. There's a solution after all. Use PSOs not GPOs for your password settings and you don't have to use the default domain policy. That will allow local accounts to have different settings.

Read the Microsoft documentation of password settings objects, then let's discuss questions.

Author

Commented:
Thank you so much! Answered the main idea...

Author

Commented:
Oh! Can you still send it McKnife? I didn't notice you replied...
Distinguished Expert 2018

Commented:
