One can enable password expiration (aka password maximum age) on a Windows domain.

I'm a little puzzled, though, about the meaning of that so-called expiration: it looks like the password does not truly expire. Simply, upon first login after "expiration", the user must modify his password. In other words, if the password expires on Nov 18, one can still log in on Nov 20 (but must then immediately modify his/her password).

The user account is not locked (or any other similar state) upon the date of expiration.

Is this correct? Or did I miss something?

Joseph Quinsey
Serge Wautier

  • This is one of those things where the determination has to be made as to what is meant by the word "expired". Is the password expired? Well, the user can initiate an interactive session but they are forced to immediately change their password. They cannot access any domain resources or complete the logon until they change their password. Does that meet the definition of the word "expired"? Also, an expired password and a locked account are two independent things. One doesn't necessarily rely on the other. – joeqwerty Nov 18 '13 at 18:14

1 Answer

Yes that is true, the user is not actually locked out or disabled once the password expires, the user is simply forced to change their password once they log on after the expiration date.

If you need the user to actually be unable to log in after an expiration date, you can set the user account itself to expire after a certain date. But not in a dynamic way. If you wanted to, say, automatically disable the user account after they have not logged in for over 90 days, you would need to script that with (for instance) PowerShell.

Ryan Ries

  • The user account isn't locked but the user is forced to change the password, which means they can't access any domain resources until they do. That might not meet the strict definition of the word "expired" but for all intents and purposes the password is no longer valid for accessing domain resources. – joeqwerty Nov 18 '13 at 17:56
  • This is true. I can still log on to an interactive session however and be greeted with a "change your password now" prompt. – Ryan Ries Nov 18 '13 at 17:58
  • You can't complete the interactive login portion without changing the password, and you can't access any resources. It's not a grace period: that expired password allows you to do one thing, which is change it. – mfinni Nov 18 '13 at 18:21
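The "script it with PowerShell" idea from the answer, as an added example that is not the answer's own code: it reports each enabled user's last logon next to the date the password expires (showing the two are independent), and disables accounts inactive for longer than a threshold. It assumes the RSAT ActiveDirectory module, an account permitted to disable users, and a placeholder OU you must replace; without -Commit it only reports.

```powershell
# Added example (not from the answer above). Assumes the RSAT ActiveDirectory module;
# the SearchBase OU is a placeholder. Runs read-only unless -Commit is given.
param(
    [int]$InactiveDays = 90,
    [string]$SearchBase = 'OU=Staff,DC=example,DC=com',  # placeholder, adjust to your domain
    [switch]$Commit   # without -Commit, Disable-ADAccount runs with -WhatIf
)
Import-Module ActiveDirectory

$cutoff     = (Get-Date).AddDays(-$InactiveDays)
$expiryAttr = 'msDS-UserPasswordExpiryTimeComputed'   # constructed attribute, FILETIME

# LastLogonDate comes from lastLogonTimestamp, which is replicated lazily (by default
# only when the stored value is more than 14 days old), so it can lag the true last
# logon by up to 14 days. Treat the threshold as approximate, not exact.
$candidates = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties LastLogonDate, whenCreated, $expiryAttr |
    Where-Object {
        # Accounts that never logged on have no LastLogonDate; age them from creation instead.
        $last = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
        $last -lt $cutoff
    }

foreach ($u in $candidates) {
    $last = if ($u.LastLogonDate) { $u.LastLogonDate } else { $u.whenCreated }

    # Password expiry and account state are independent: a password can be long
    # expired while the account is still enabled and able to start a logon.
    $raw = $u.$expiryAttr
    if ($null -eq $raw -or $raw -ge [Int64]::MaxValue) { $pwdExpires = 'never' }
    elseif ($raw -eq 0)                                 { $pwdExpires = 'must change at next logon' }
    else { $pwdExpires = [DateTime]::FromFileTime($raw).ToString('yyyy-MM-dd') }

    Write-Output ("{0,-20} last logon {1:yyyy-MM-dd}  password expires {2}" -f `
        $u.SamAccountName, $last, $pwdExpires)

    # Disabling the account is what actually blocks logon; password expiry alone does not.
    Disable-ADAccount -Identity $u -WhatIf:(-not $Commit)
}
```

Run it first without -Commit to review the list, since the lastLogonTimestamp lag can flag recently active users.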