"Password never expires" greyed out?

user-accounts windows-server-2016 azure-active-directory password-management azure-active-directory-ds

You may need to Create a Fine Grained Password Policy

First, make sure you have already created Management VM:

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-management-vm

You can set the password policies in the domain by opening the "Active Directory Administrative Center and Create Fine Grained Password Policies . A guide can be found here:

https://activedirectorypro.com/create-fine-grained-password-policies/


If the users are logging to O365 using their Azure AD accounts, then the investigation should start on the Azure AD front, however.

It is not clear where the user password verification is happening:

  • If you're using Password Hash Sync: check the current password policies you have on Azure AD: https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/set-password-to-never-expire?view=o365-worldwide
  • If you're using ADFS/Pass-through Authentication: Check your local domain password policies, or the ADFS server, or the Pass-through authentication agent.

I highly doubt this is related, but because an expired password on AADDS should not effect O365: but it's worth working on this as well: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/password-policy


Are you using directory synchronization (AD Connect) between your AD and Azure AD? This is the key question here.

If the user account comes from AD, then password expiration (and authentication in general) is managed by your on-premises AD; if instead the user account is native to Azure AD, everything is managed from there.

Since you showed a screenshot for the user account in ADUC, I'm assuming the user account exists in AD and is synchronized to Azure AD; in this case, it's correct to set user account properties (such as password never expiring) from AD; Azure AD will not have any role in this, because on-premises AD is the main source of user account information.

Now, why do you have those options grayed out? This looks indeed like a permission issue; Active Directory Users and Computers (AUDC for short) will happily let anyone (authenticated) look at AD data, but if you are not allowed to perform an operation, it will be grayed out or not even shown at all.

If you see an object in AD that you can't edit, or if you try to edit it and get an "access denied" error, this means you don't have enough permissions to do that.
When you are a domain admin (and actually acting as such, because UAC can be a royal pain) you should be able to edit anything. But this is still a matter of permissions: domain admins are allowed to edit anything because the right to do so is automatically granted to the "Domain Admins" group. If someone changed permissions on a OU or the user object itself and removed the default "Domain Admins have full control" access right, you'll be blocked from touching it.

Bottom line: check permissions on the user object (and/or on the OU where it's located) and make sure "Domain Admins" have full control. If this is not the case, get it forcibly; Domain Admins are always allowed to take ownership of anything they don't own.

Related

Nagios-Plugin "check_radius" missing in Ubuntu 14.04?
IIS does not GET hidden files
Error establishing a database connection in Google Cloud Platform Wordpress site [closed]
How to find a user in a specific group using wmi
How to implement an achievement system in RoR
UIView vertical flip animation
What is the best way to run ServiceStack on Linux / Mono?
How to access katakana on the Japanese keyboard for the iPhone?
Unable to remove Windows Boot Camp partition
Playing AVI files in macOS using VLC
How to connect to wifi from single-user mode?
How does one add references to tables and diagrams included in a Pages document?