Accounts Password Stays Expired After Group Policy Change

Let's say I have a group policy that sets the maximum password age at 90 days. Some user doesn't change their password for 91 days, so their password should be expired.

If I then remove that group policy to make the max password age not defined, will that account still be expired? In other words, when that user logs in again, should they still be required to change their password?

I would think not, but I seem to be observing the exact opposite behavior on our domain controller; that is, after I change the group policy setting and login with an account whose password had expired, I still get prompts about it.

Does anyone know for sure either way, or is there something else I'm missing?


Once a password is expired, that is it. They will be prompted to change it, even if you change the group policy. The reason is that the account has a flag set that says "change password on next login".

You could go into the User & Groups Manager and set the user's password back to not expired.


This stumped me and was hard to google for, so I'm posting the answer I found on this question because it was one of the only results.

My issue was very similar to the OP's, whereby I was trying to disable password expiry completely, and attempted to do so by setting Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Account Policy > Password Policy > Max Password Age to Undefined in the Default Domain Policy. Over the next couple of months, user passwords were still expiring, and I double-checked group policy results and rsop.msc numerous times to try to track it down.

In the end I found that to disable password expiry, you need to set Max Password Policy to Enabled with value 0 days (instead of Undefined) (as per the documentation on the Explain tab - derp).

What helped me reach this conclusion was checking the expiry of all account passwords using this query:

Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} `
-Properties "SamAccountName","msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property "SamAccountName", @{Name="Password Expiry Date"; `
Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} | FT

The results looked like this:

PS C:\Windows\system32> Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} `
>>  –Properties "SamAccountName","msDS-UserPasswordExpiryTimeComputed" |
>> Select-Object -Property "SamAccountName", @{Name="Password Expiry Date"; `
>> Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} | FT

SamAccountName       Password Expiry Date
--------------       --------------------
Administrator        2021-08-03 2:19:56 PM
User1.Surname1       2021-08-14 9:19:46 AM
User2.Surname2       2021-08-07 8:22:44 AM
User3.Surname3       2021-08-01 9:49:09 AM
User4.Surname4       2021-08-14 9:30:55 AM
etc.

After updating the policy to Enabled - 0 days, I ran the query again, and this time results showed no expiry on any account.

SamAccountName       Password Expiry Date
--------------       --------------------
Administrator        
User1.Surname1       
User2.Surname2       
User3.Surname3       
User4.Surname4        
etc.
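An added example (not code from either answer above) that covers both points raised on this page: the "change password at next logon" flag from the first answer shows up as pwdLastSet = 0, and the blank expiry column in the second answer's second run is what you get when msDS-UserPasswordExpiryTimeComputed holds the "never expires" sentinel (Int64.MaxValue), which [datetime]::FromFileTime rejects. The function name, the sample account names and the sample values are constructed for illustration; against a live domain the same fields come from Get-ADUser.

```powershell
# Added example: classify the raw AD values instead of passing them straight to
# [datetime]::FromFileTime, which throws on the never-expires sentinel and leaves
# the calculated column blank. Get-PasswordExpiryState is a hypothetical name.
function Get-PasswordExpiryState {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][Int64]$ExpiryFileTime,   # msDS-UserPasswordExpiryTimeComputed
        [Parameter(Mandatory)][Int64]$PwdLastSet,       # pwdLastSet
        [datetime]$Now = (Get-Date)
    )
    if ($PwdLastSet -eq 0) {
        # "User must change password at next logon": stays set regardless of the
        # current policy until the user changes the password or an admin clears it.
        $state = 'MustChangeAtNextLogon'; $expires = $null
    } elseif ($ExpiryFileTime -eq [Int64]::MaxValue) {
        # Sentinel returned when PasswordNeverExpires is set or the effective
        # maximum password age is 0 days. FromFileTime would throw here.
        $state = 'NeverExpires'; $expires = $null
    } else {
        $expires = [datetime]::FromFileTime($ExpiryFileTime)
        $state = if ($expires -le $Now) { 'Expired' } else { 'Valid' }
    }
    [pscustomobject]@{
        SamAccountName = $SamAccountName
        State          = $state
        ExpiryDate     = $expires
    }
}

# Constructed sample rows (hypothetical accounts) so the function runs offline.
# Against a live domain replace this block with:
#   Get-ADUser -Filter {Enabled -eq $true} -Properties "pwdLastSet","msDS-UserPasswordExpiryTimeComputed"
$now = Get-Date
$sample = @(
    @{ Sam = 'User1.Surname1'; LastSet = $now.AddDays(-30).ToFileTime();  Expiry = $now.AddDays(60).ToFileTime() }
    @{ Sam = 'User2.Surname2'; LastSet = $now.AddDays(-91).ToFileTime();  Expiry = $now.AddDays(-1).ToFileTime() }
    @{ Sam = 'User3.Surname3'; LastSet = 0;                               Expiry = 0 }
    @{ Sam = 'svc-backup';     LastSet = $now.AddDays(-400).ToFileTime(); Expiry = [Int64]::MaxValue }
)
$sample | ForEach-Object {
    Get-PasswordExpiryState -SamAccountName $_.Sam -ExpiryFileTime $_.Expiry -PwdLastSet $_.LastSet -Now $now
} | Format-Table -AutoSize
```

Accounts reported as MustChangeAtNextLogon are the ones that keep prompting after the policy change; clearing that flag means resetting pwdLastSet (or the "must change password" checkbox) per account, not editing the GPO again.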