If user passwords are set to automatically expire within a Windows domain, does this have an impact on the force password change checkbox within ADUC?

Solution 1:

This checkbox is mostly unrelated to any password expiration policy. The effect of checking that box is setting the pwdlastset attribute to 0, which effectively manually expires a password, and accordingly requires an immediate password change.

This cannot be performed on an account which is configured (on the account, not via policy) to never expire.

If an admin has checked the box, or used PowerShell to perform a similar task (Set-AdUser -ChangePasswordAtLogon $true) or another tool, and another admin opens the account properties before the password is changed, the box will appear checked for the other admin. Essentially, it only appears checked when the attribute is either 0 or -1.

To more directly answer the question I think you're asking: no, that checkbox does not reflect a dynamic evaluation of the date the password was last set, the domain's password policy, a local security policy on the DC, and any Fine-Grained Password Policy to which the account is subject - it is only and simply a tool to manually expire a password, or to tell you that somebody has manually expired the password.

I am not certain what the motivation behind the question is, but if it is to look for accounts with expiring passwords - this checkbox won't help you.

I wouldn't play with that checkbox though in an effort to diagnose/troubleshoot what it does; unchecking that box (when it's set) causes the system to update the pwdlastset attribute to the current date and time -- effectively extending the life of the current password.
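As an added illustration of the pwdLastSet behaviour described in this answer (this is example code written for this page, not the answerer's own script), the following PowerShell reads the raw attribute, interprets 0 or -1 the way ADUC does (box checked), converts any other value from FILETIME, and only forces a change on accounts that are not set to never expire. It assumes the ActiveDirectory RSAT module; the identity `jdoe` in the usage is a placeholder.

```powershell
# Added example: interpret pwdLastSet and force a password change safely.
# Requires the ActiveDirectory module (RSAT). Account names are placeholders.
Import-Module ActiveDirectory

function Get-PwdLastSetState {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Identity)
    process {
        $u   = Get-ADUser -Identity $Identity -Properties pwdLastSet, PasswordNeverExpires, PasswordExpired
        $raw = [int64]$u.pwdLastSet

        # 0 (or -1, per the answer above) is what ADUC renders as the
        # "User must change password at next logon" box being checked.
        # Anything else is a FILETIME timestamp of the last password set.
        if ($raw -eq 0 -or $raw -eq -1) {
            $state   = 'MustChangeAtNextLogon'
            $lastSet = $null
        } else {
            $state   = 'Set'
            $lastSet = [DateTime]::FromFileTimeUtc($raw)
        }

        [pscustomobject]@{
            SamAccountName       = $u.SamAccountName
            PwdLastSetRaw        = $raw
            PwdLastSetUtc        = $lastSet
            State                = $state
            PasswordNeverExpires = $u.PasswordNeverExpires   # set on the account, not by policy
            PasswordExpired      = $u.PasswordExpired        # policy-driven expiry, separate from the box
        }
    }
}

function Set-MustChangePassword {
    # Equivalent of ticking the ADUC box, but refuses on accounts the answer
    # says cannot be forced (password never expires). Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Identity)
    process {
        $u = Get-ADUser -Identity $Identity -Properties PasswordNeverExpires
        if ($u.PasswordNeverExpires) {
            Write-Warning "$($u.SamAccountName): 'Password never expires' is set on the account; clear that flag first."
            return
        }
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Set pwdLastSet to 0 (change password at next logon)')) {
            Set-ADUser -Identity $u -ChangePasswordAtLogon $true
        }
    }
}

# Usage (placeholder account):
#   Get-PwdLastSetState -Identity 'jdoe'
#   Set-MustChangePassword -Identity 'jdoe' -WhatIf
```

Run `Get-PwdLastSetState` before and after `Set-MustChangePassword` to see the raw attribute drop to 0; do not "test" by unticking the ADUC box afterwards, since that rewrites pwdLastSet to the current time and silently extends the password's lifetime.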

Solution 2:

It's usually impractical to use the ADUC GUI to query an AD of any relevant size: Using PowerShell to find accounts whose passwords are too old provides actionable output across entire OUs or even the entire Directory.

However, unless you have contractual obligations to enforce password expiry, the current recommendations tend to follow those of NIST; to enforce good and strong passwords, and to not expire user passwords unless there is evidence that an account has been compromised.