Active Directory password expired. If I set it to never expire, can the user keep the same password?

password windows active-directory

One of our users is currently overseas, and her Active Directory domain password expired. She's logging on with a laptop using cached credentials and (non-AD integrated) VPN, but she can't logon to file shares or Outlook with the expired password. If I change the password, I'm concerned it's going to create cached logon problems for her with the laptop, which I won't be able to fix while she's eight time zones away. The flag that says she must change her password is already set. If I set her password to never expire, will that prevent her from having to change the password, or must she change it no matter what I do?

A similar question here indicates that setting the account to Never Expire would work, but I'd like some confirmation.

Edit: The password never expire setting would only be in place until she returns to the office. I'm just trying to allow her back into the system while she's away, without making the problem worse.

Final edit: Setting the "Never expire" flag fixed the problem. The user will keep her existing password until she returns next week.


Yes, I have done this many times. If the password is already expired, checking the "Password Never Expires" checkbox will un-expire the password until the user is located on a site with a DC.


To keep the old expired password simply reset it using the management console and set it to never expire, as you said. I will not go into all the reasons most of us would not do so, as I assume you have your own reasons for doing what you do.


While not a direct answer to your question. This is how you take care of the cached credentials being out of sync when a user is using vpn.

Go ahead and reset her password for her - but don't force change on next login. Have her log into the laptop with the current cached credentials, then VPN into your network. once she is vpn'd in have her lock the computer, then unlock the computer with the NEW credentials. This will update the local cache and allow her to log into the machine with then new password, and let you NOT set the password never expires flag. She could continue to use that password until it expires like normal.

Related

Use local tools to monitor remote logs
Evaluating expressions in windows batch script
How to redirect traffic to one IP to a different IP on Windows Server 2008
syncing a Dropbox to a linux server?
What's the difference between mx: and include: in SPF records?
Wireshark and IPSec
How can I migrate Dovecot from one server to another?
ip static route, make changes permanent/persistent upon reboot
Is it safe to stop a fsck in progress?
How to disable apache logging when accessing certain directories?
Root, Local and Authoritative name server?
How do most small businesses acquire Office licenses?