1

Assume the following:

  1. A Windows domain has a policy set to ensure that users must reset their passwords every 90 days

  2. A user account (let's refer to it as "UserA") last changed their password just over 3 months ago, and as a result this policy is triggered for their account - forcing a password change at the next login

In this case, if a domain administrator was to open the "Account" tab within the Properties dialog for UserA, would the "User must change password at next login" checkbox be ticked - or is this setting within ADUC not affected by domain password expiry policies?

elliott94
  • 155
  • 3

2 Answers

3

It's usually impractical to use the ADUC GUI to query an AD of any relevant size: using PowerShell to find accounts whose passwords are too old provides actionable output across entire OUs or even the entire Directory.

However, unless you have contractual obligations to enforce password expiry, the current recommendations tend to follow those of NIST: to enforce good and strong passwords, and to not expire user passwords unless there is evidence that an account has been compromised.

Mikael H
  • 4,868
  • 2
  • 8
  • 15
  • Thank you for your thoughts. I'm aware of these recommendations - I was mainly curious as to the impact (if any) that enforcing these policies would have within the ADUC GUI. – elliott94 Dec 31 '20 at 15:24
  • On that note, I'm annoyed that I can't set "User must change password at next login" and "password never expires" at the same time. – joshudson Dec 31 '20 at 23:29
3

This checkbox is mostly unrelated to any password expiration policy. The effect of checking that box is setting the pwdLastSet attribute to 0, which effectively manually expires a password, and accordingly requires an immediate password change.

This cannot be performed on an account which is configured (on the account, not via policy) to never expire.

If an admin has checked the box, or used PowerShell to perform a similar task (Set-ADUser -ChangePasswordAtLogon $true) or another tool, and another admin opens the account properties before the password is changed, the box will appear checked for the other admin. Essentially, it only appears checked when the attribute is either 0 or -1.

To more directly answer the question I think you're asking: no, that checkbox does not reflect a dynamic evaluation of the date the password was last set, the domain's password policy, a local security policy on the DC, and any Fine-Grained Password Policy to which the account is subject - it is only and simply a tool to manually expire a password, or to tell you that somebody has manually expired the password.

I am not certain what the motivation behind the question is, but if it is to look for accounts with expiring passwords - this checkbox won't help you.

I wouldn't play with that checkbox though in an effort to diagnose/troubleshoot what it does; unchecking that box (when it's set) causes the system to update the pwdLastSet attribute to the current date and time -- effectively extending the life of the current password.

Semicolon
  • 1,646
  • 7
  • 7
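The two answers above make two separate points: the first that PowerShell, not the ADUC GUI, is the practical way to find accounts whose passwords are older than the policy allows, and the second that the "User must change password at next logon" checkbox is just a view of pwdLastSet being 0, not an evaluation of the policy. The following script is an added example, not code from either answer or from the original question; it reports both states side by side for the accounts in one OU, so the difference between "manually expired" (checkbox set) and "expired by policy" (age exceeds MaxPasswordAge) is visible in one table. It assumes the RSAT ActiveDirectory module is installed and a reachable domain controller; the OU distinguished name in $searchBase is a placeholder to replace with a real one.

```powershell
# Added example (not from the original Q&A). Assumes the ActiveDirectory module (RSAT)
# is available and the session can reach a domain controller.
Import-Module ActiveDirectory

# Placeholder OU; replace with a real DN, or drop -SearchBase to query the whole domain.
$searchBase = 'OU=Users,DC=example,DC=com'

# Domain-wide maximum password age. Accounts covered by a Fine-Grained Password Policy
# can have a different value, so the resultant policy is looked up per account below.
$defaultMaxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $searchBase `
    -Properties pwdLastSet, PasswordLastSet, PasswordNeverExpires, PasswordExpired

$report = foreach ($u in $users) {
    # A fine-grained policy, when one applies to the user, overrides the domain default.
    $fgpp   = Get-ADUserResultantPasswordPolicy -Identity $u -ErrorAction SilentlyContinue
    $maxAge = if ($fgpp) { $fgpp.MaxPasswordAge } else { $defaultMaxAge }

    # pwdLastSet = 0 is exactly what ticking the ADUC checkbox writes: a manual expiry.
    # PasswordLastSet (the DateTime view of the same attribute) is $null in that case.
    $mustChange = ($u.pwdLastSet -eq 0)

    # Age-based expiry is derived, not stored: PasswordLastSet + MaxPasswordAge.
    # A MaxPasswordAge of zero means the policy never expires passwords.
    $expiresAt = $null
    if (-not $u.PasswordNeverExpires -and -not $mustChange -and $maxAge -gt [TimeSpan]::Zero) {
        $expiresAt = $u.PasswordLastSet + $maxAge
    }
    $expiredByPolicy = [bool]($expiresAt -and ($expiresAt -lt (Get-Date)))

    [pscustomobject]@{
        SamAccountName        = $u.SamAccountName
        PasswordLastSet       = $u.PasswordLastSet
        MustChangeAtNextLogon = $mustChange          # what the ADUC checkbox shows
        ExpiredByPolicy       = $expiredByPolicy     # what the question was really after
        PasswordExpiredFlag   = $u.PasswordExpired   # the DC's own computed view, for comparison
        ExpiresAt             = $expiresAt
        NeverExpires          = $u.PasswordNeverExpires
    }
}

$report | Sort-Object ExpiresAt | Format-Table -AutoSize

# To force a change on accounts the policy already flags, perform the same write ADUC does.
# Accounts set to never expire are skipped, since that flag blocks -ChangePasswordAtLogon.
# -WhatIf previews the change; remove it to apply.
$report |
    Where-Object { $_.ExpiredByPolicy -and -not $_.NeverExpires -and -not $_.MustChangeAtNextLogon } |
    ForEach-Object { Set-ADUser -Identity $_.SamAccountName -ChangePasswordAtLogon $true -WhatIf }
```

Run it from a session with rights to read the OU; the final Set-ADUser stage only previews until -WhatIf is removed. The point of the table is the two independent columns: an account can be ExpiredByPolicy with MustChangeAtNextLogon false (the checkbox stays clear until someone writes pwdLastSet to 0), or MustChangeAtNextLogon true with ExpiredByPolicy false (an admin expired it by hand on a fresh password). Unticking the checkbox in ADUC is deliberately not reproduced here, because, as the second answer notes, that write resets pwdLastSet to now and extends the current password's life.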