Does the password truly expire?

One can enable password expiration (aka password maximum age) on a Windows domain.

I'm a little puzzled, though, about the meaning of that so-called expiration: it looks like the password does not truly expire. Simply, upon first login after "expiration", the user must modify his password. In other words, if the password expires on Nov 18, one can still log in on Nov 20 (but must then immediately modify his/her password).

The user account is not locked (or any other similar state) upon the date of expiration.

Is this correct? Or did I miss something?


Solution 1:

Yes, that is true: the user is not actually locked out or disabled once the password expires; the user is simply forced to change their password once they log on after the expiration date.

If you need the user to actually be unable to log in after an expiration date, you can set the user account itself to expire after a certain date, but not in a dynamic way. If you wanted to, say, automatically disable the user account after they have not logged in for over 90 days, you would need to script that with (for instance) PowerShell.
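
One way to script the 90-day inactivity check the answer mentions, as an added example that is not part of the original answer. The function name `Get-StaleAccount` and the sample accounts are hypothetical; the live path assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example. Function name, parameter defaults and sample accounts are assumptions.
function Get-StaleAccount {
    param(
        [object[]] $User,
        [int] $InactiveDays = 90,
        [datetime] $Now = (Get-Date)
    )
    $cutoff = $Now.AddDays(-$InactiveDays)
    foreach ($u in $User) {
        if (-not $u.Enabled) { continue }
        # LastLogonDate is derived from lastLogonTimestamp, which can lag the real
        # last logon by up to about 14 days; $null means the account never logged on.
        # For never-used accounts, measure from creation so new accounts are not caught.
        $reference = if ($u.LastLogonDate) { $u.LastLogonDate } else { $u.whenCreated }
        if ($reference -lt $cutoff) {
            [pscustomobject]@{
                SamAccountName  = $u.SamAccountName
                LastLogonDate   = $u.LastLogonDate
                PasswordExpired = [bool]$u.PasswordExpired
            }
        }
    }
}

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    # Live path: needs the ActiveDirectory module and rights to disable users.
    Import-Module ActiveDirectory
    $users = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated, PasswordExpired
    Get-StaleAccount -User $users | ForEach-Object {
        # -WhatIf only reports what would be disabled; remove it to apply.
        Disable-ADAccount -Identity $_.SamAccountName -WhatIf
    }
} else {
    # Offline path: constructed sample accounts, not real directory data.
    $now = Get-Date '2024-06-01'
    $sample = @(
        [pscustomobject]@{ SamAccountName = 'alice'; Enabled = $true; LastLogonDate = $now.AddDays(-5); whenCreated = $now.AddDays(-400); PasswordExpired = $false }
        [pscustomobject]@{ SamAccountName = 'bob'; Enabled = $true; LastLogonDate = $now.AddDays(-120); whenCreated = $now.AddDays(-400); PasswordExpired = $true }
        [pscustomobject]@{ SamAccountName = 'carol'; Enabled = $true; LastLogonDate = $null; whenCreated = $now.AddDays(-10); PasswordExpired = $false }
    )
    Get-StaleAccount -User $sample -Now $now | Format-Table -AutoSize
}
```

The `PasswordExpired` column shows which inactive accounts are also sitting on an expired password that would still be accepted at the next logon.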