hypercube asked:

Domain User Password Expiration Settings

I'm trying to explain to our techs how domain user password expirations are set up.
From what I'm seeing, from a 30,000 foot level, here's how it may work:

The User account can have the account option set so the password never expires in AD.
There is no password maximum age setting here.
The maximum age for passwords on a Computer can be set by GPO(s).

So, what happens if a user logs onto a computer with the account setting "password never expires" in AD but has a password age that exceeds what's set on the Computer?  What happens?

Andrew Porter:

I believe that, generally speaking, the GPO is going to take precedence over the local secpol because the GPO will be processed after the local policies. I have a lab and can test it if that's helpful.
If you set and apply a password policy for users on a computer, this policy is active only for users defined on this computer.
If you set an expiration policy for the password of the computer, this will have no effect for users.

Now, the normal global order of policy is "LSDOU":
L = Local is applied first (if something is defined there)
S = Site is applied second
D = Domain is applied third
OU = Policies from OUs are applied last

So the password Policy defined at the domain level will be applied after local policies and will be effectively applied on domain users only.

kevinhsieh:

hypercube:


Andrew Porter:  Well, first there are Local Users and Domain Users to differentiate.  The local secpol only applies to the Local Users I believe.  But, RSOP will show the status of Domain Users.  And, ADUC / [User] / Properties will show the applied GPOs, their precedence and which one has been applied.  The applied GPO will set the "maximum password age" and other GPOs may have a different setting for that but aren't applied.  
That's my interpretation of it and that's all fine.

However, in ADUC / [User] / Account tab there is only Account expiration EXCEPT that there's a setting for "Password Never Expires". I presume that means User Password as there is no other.
So, the question was based on a situation where "Password Never Expires" is SET in ADUC.
And, clearly this applies to the User.  
But let's see how?

Now, in the GPOs, password policy applies to COMPUTERS.  That's interesting since the passwords belong to Users, eh?  The only thing that I can imagine is this:
A domain User logs onto a computer.
The computer policies check things including the *AGE* of the user's password - not the expiration date as such.  Well, of course it's an indirect measurement of the same thing - so the difference in terminology between ADUC/User and GPO/Computer must mean something.
When a User logs onto a Computer, I presume that the computer policy check may see that the allowed age has been exceeded, presumably it starts the process which tells the User to update their password.
I don't know how it does that except to compare the Password last set date with the current date to yield age.
Then, it could decide that the age had exceeded the GPO age limit.
So, if the age exceeds the GPO age limit and the password User Account property says Password Never Expires .. what happens?

Hypothesis: when a User logs into a Computer, they are subject to the Computer's rules and password AGE applies and, presumably, the password will have to be changed to allow a logon.
If a User never logs onto a Computer with a short enough password age limit then the Computer's rules are satisfied and the password can remain the same and allow a logon.   .... something like that.

So, in a normally-managed domain, with applied password age limits, the User Account "Password Never Expires" property is immaterial.  One should be careful about relying on it to do anything useful.

Is that right???  I'm afraid I'm missing something important here.  If so, then what good is the "Password Never Expires" property?  One might imagine that a User Account password policy could be set to expire the password in a very short time.  Then it could be shorter than any or all Computer policies to force it to be changed frequently.  Except, where and how does the user password expiration date get set?  As I understand it, it can't be.

It looks like we cross-posted.

So now I'm further confused.
If one sets a GPO in AD with the objective of having a global password age limit, it is set to apply to COMPUTERS but not in a LOCAL sense that I can determine.  So, in a simple case, it applies to all computers and, thus, all Users at logon.  No?  It's a common setting in A Default Domain Policy, right?
If a domain user account is set to never expire, it will never expire. It doesn't matter what the account policy is for the domain, or on any member server or workstation.
Here is my original question:
So, what happens if a user logs onto a computer with the account setting "password never expires" in AD but has a password age that exceeds what's set on the Computer?  What happens?
So, it seems there's a simple answer if I understand kevinhsieh and to paraphrase it back:
The "Password Never Expires" setting in AD / User / Account supersedes everything else.
Unfortunately our folklore has developed to say this isn't the case.  So, I'll go back to challenge the folklore.

Computer accounts are not User Accounts.  Computer Accounts do not have a "do not expire" option.  The computer will automatically do an update as required with no user interaction.

User Accounts
If the account is set to never expire, this overrides any password expiry age setting. This is reflected by a zero (0) in the days to password expiry.
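The point made in the last two answers (the DC, not the workstation's GPO, decides whether a domain user's password has expired, and the "Password Never Expires" flag wins over the maximum age) can be verified directly instead of argued from folklore. The following PowerShell is an added example written for this thread, not code posted by any of the participants. It assumes the RSAT ActiveDirectory module is installed, that the caller can read user objects, and that the account names `jdoe` and `svc-backup` are placeholders for one ordinary user and one account with "Password never expires" set.

```powershell
# Added example (not from the thread): ask the DC what it will actually enforce
# for a domain user rather than inferring it from GPOs. Account names are
# placeholders.
Import-Module ActiveDirectory

function Get-EffectivePasswordExpiry {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties `
        PasswordNeverExpires, PasswordLastSet, PasswordExpired, `
        'msDS-UserPasswordExpiryTimeComputed'

    # Which policy the DC applies to this user: a fine-grained policy (PSO) if
    # one covers the user, otherwise the domain-level policy. A password policy
    # in a GPO linked to an OU only changes the local SAM policy of the
    # computers in that OU; it does not touch domain accounts.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user -ErrorAction SilentlyContinue
    if ($pso) {
        $policyName = "PSO '$($pso.Name)'"
        $maxAge     = $pso.MaxPasswordAge
    } else {
        $policyName = 'Domain policy (Default Domain Policy or whatever is linked at the domain root)'
        $maxAge     = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    }

    # msDS-UserPasswordExpiryTimeComputed is calculated by the DC from
    # pwdLastSet, the resultant MaxPasswordAge and the "Password never expires"
    # flag, so it is the authoritative answer to "when does this expire?".
    # Int64.MaxValue means never; 0 means the user must change it at next logon.
    $raw = [Int64]$user.'msDS-UserPasswordExpiryTimeComputed'
    $expires = switch ($raw) {
        ([Int64]::MaxValue) { 'Never' }
        0                   { 'Must change at next logon' }
        default             { [DateTime]::FromFileTime($raw) }
    }

    [PSCustomObject]@{
        User                 = $user.SamAccountName
        PasswordNeverExpires = $user.PasswordNeverExpires
        PasswordLastSet      = $user.PasswordLastSet
        PolicySource         = $policyName
        MaxPasswordAge       = $maxAge
        Expires              = $expires
        ExpiredNow           = $user.PasswordExpired
    }
}

# Constructed usage: compare an ordinary user with a service account that has
# "Password never expires" set. Both show the same MaxPasswordAge (same domain
# policy), but the flagged account reports Expires = 'Never' and ExpiredNow =
# $false no matter how old its password is.
'jdoe', 'svc-backup' | ForEach-Object { Get-EffectivePasswordExpiry -SamAccountName $_ } | Format-List
```

To see the local-versus-domain split from the workstation side, run `net accounts` on the computer (the policy its local SAM enforces for local users, which is where an OU-linked GPO lands) and `net accounts /domain` (what the DC enforces for domain accounts); `net user jdoe /domain` prints the "Password expires" line the DC computed. The practical caveat for an audit is the one the thread arrives at: every account with `PasswordNeverExpires` set is exempt from the domain maximum age, so those accounts, not the GPO, are what to review.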
Another way of putting this is that it is up to who/what is authenticating the logon.
On a domain it is the Domain Controller for a domain account. Otherwise it is the local computer doing the authenticating.
If you log on locally to a machine with an expired local password as set in local policies, you will either get "password must be changed in order to log in" or "the password expires in 1 day".

Either local or domain password expiration can be set to never, which overrides the maximum password age.
OK.  That's all helpful.  Thank you all!