How to create password expiration for local users in Windows Server 2008?

Dear EE experts,

We would like to ask how to create password expiration for local users in Windows Server 2008, using gpedit.msc or regedit.

We don't know where to edit it and set its password expiration, for local users only...

Thank you & hope to hear soon...
Stiebel Eltron asked:

Kimputer (IT Manager) commented:
GPEDIT is the way to go (since with regedit, you may make mistakes).

Run it as admin > Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
To the right, set maximum password age to the number of days you wish.
Usually requires a reboot for it to take effect (or: gpupdate /force).

LockDown32 (Owner) commented:
I want to make sure I understand the question because there is a difference between local users and domain users. You keep using the term local users. The only thing local users can log on to is the computer on which they are created. I am not sure if that is what you intended or not.

For local users it would be done in GPEDIT. For Domain users it would be done in Group Policy Management.
Stiebel Eltron (Author) commented:
We need it for local users, not for domain users...
I remember when we checked the Password Policy, it's in Gray state, can't change the number of days for its expiration...
LockDown32 (Owner) commented:
That would be because a Domain Policy is taking precedence. When you are logged in as one of these local users, at a command prompt, run gpresult /h gp.html and then look at gp.html. It should tell you which GPO is taking precedence.
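
As an added example (not part of the original thread): a PowerShell check that complements `gpresult` by exporting the password policy values actually in effect on the server and listing which local accounts have "Password never expires" set, since those accounts ignore the maximum password age whatever the policy says. It uses only `secedit.exe` and the `Win32_UserAccount` WMI class; the scratch file name is an arbitrary choice.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt
# on the server; uses only secedit.exe and WMI, so it works on PowerShell 2.0.

# 1. Export the account policy currently in effect on this machine.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'   # scratch file name is arbitrary
secedit.exe /export /cfg $cfg /areas SECURITYPOLICY | Out-Null

# 2. Read the password-policy values from the exported security template.
$wanted = 'MaximumPasswordAge', 'MinimumPasswordAge', 'MinimumPasswordLength',
          'PasswordHistorySize', 'PasswordComplexity'
$policy = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*(\w+)\s*=\s*(.+?)\s*$' -and $wanted -contains $Matches[1]) {
        $policy[$Matches[1]] = $Matches[2]
    }
}
Remove-Item $cfg
$policy.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

# 3. List the local accounts only (the filter excludes domain accounts).
$local = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True"
$local | Select-Object Name, Disabled, PasswordRequired, PasswordExpires |
    Sort-Object Name | Format-Table -AutoSize

# 4. Flag enabled local accounts that are exempt from password expiry.
$exempt = @($local | Where-Object { -not $_.PasswordExpires -and -not $_.Disabled })
if ($exempt.Count -gt 0) {
    Write-Warning ("Enabled local accounts with 'Password never expires' set: " +
        (($exempt | ForEach-Object { $_.Name }) -join ', '))
}
```

`gpresult /h gp.html` shows which GPO supplies the settings; this shows the resulting values and the local accounts they do not reach.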
Stiebel Eltron (Author) commented:
Hi there LockDown32,

Please see the attached file for the gp.html result...

I think it's taking precedence from our domain "stiebeleltronasia.com"

So what can be the solution in order for us to enable the changing of password max age, etc.?
gp.html
Stiebel Eltron (Author) commented:
Additional to this, the reason why we want to enable this password max age is because we have a site, a local site only (Intranet), and we want local site users to use this site, because we want to implement this Group Policy to those who are local users only, and not with the domain users...
McKnife commented:
Hi.

The gp.html shows that you are on a domain and that the domain password policy is active. So you cannot have different rules for local accounts unless you remove the computer from the domain, as simple as that.
LockDown32 (Owner) commented:
The domain policy is taking precedence. You have 3 choices:

1) Change the domain policy to what you want it to be for the local users (but this would affect everyone local or not)
2) Change the domain policy to "Not Configured" so the local domain would take precedence (but this would remove it for domain users)
3) Remove the computer from the domain

None of your choices are really good. You might want to edit the Domain policy to suit your needs.
Stiebel Eltron (Author) commented:
Thank you for the idea McKnife & LockDown32, so the question now is, if we remove the SharePoint server from the domain (it will be in WORKGROUP group as usual), then will the setting for the Password Max Age be enabled or still disabled?

And every domain user should log in every time they access the site?
LockDown32 (Owner) commented:
If you remove it from the domain then you will be able to configure the password settings with gpedit.msc. It will no longer be greyed out.

"And every domain users should login everytime they access the site". Couldn't tell you. Domain users will not be able to log in to it. Not sure about Sharepoint.
McKnife commented:
A SharePoint server? You will NOT want to remove it from your domain, not in a thousand years. Don't. D-O-N-'-T even think about it! ;-)
Stiebel Eltron (Author) commented:
Yes McKnife, it's a SharePoint Server that resides on that win 2008 server... Removing from domain would be a bad idea?

@LockDown32, got your advice... But need to check what McKnife said about removing SharePoint server from the domain...
LockDown32 (Owner) commented:
I wouldn't think you would want to dis-join the domain simply because it is a 2008 server. Is this the Domain Controller?

If it were me I would just modify the existing Password Policy to meet your need. Exactly what is it you are trying to accomplish?
McKnife commented:
Accessing SharePoint relies on its domain membership. SharePoint authentication would break immediately.
Stiebel Eltron (Author) commented:
@LockDown32: you said from the 3 choices that you gave earlier
>> 2) Change the domain policy to "Not Configured" so the local domain would take precedence (but this would remove it for domain users).<<
- if we set it to be "Not configured", it will free up taking precedence with local policy, right?

>> Exactly what is it you are trying to accomplish?<<
- what we are trying to accomplish here is to have the local users (only) change their password after a certain number of days (for ex. 30 days). We need that for our SharePoint site that is open publicly.

@McKnife & LockDown32, you both said that removing the SharePoint server from the domain group isn't good, or it's a bad idea, why? It won't work as smooth as in a domain group?
If a user uses Chrome or FireFox browser, it's asking for their UN & PW, will it be the same if we remove it from the domain group?
McKnife commented:
Ok, wait. There's a solution after all. Use PSOs not GPOs for your password settings and you don't have to use the default domain policy. That will allow local accounts to have different settings.

Read the Microsoft documentation of password settings objects, then let's discuss questions.
Stiebel Eltron (Author) commented:
Thank you so much! Answered the main idea...
Stiebel Eltron (Author) commented:
oh! Can u still send it McKnife? I didn't notice you replied...