Windows 10 Password expiration for an individual user

0

This will change the password policy for all existing users:

net accounts /maxpwage:30

I only want to change the password policy for the one user. How do I do that?

undrline

Posted 2018-11-08T19:11:02.853

Reputation: 449

The external vendor abusing admin rights while they have them is not a concern. The reason I was given: they work in tandem with the day-to-day, and have a litany of contracts to hold them in place. Whether I agree doesn't matter. I've edited to pare down to my essential question. – undrline – 2018-11-08T20:31:48.297

Is the computer in a domain or no domain? – I say Reinstate Monica – 2018-11-08T20:54:13.643

@TwistyImpersonator it is remotely accessed via tools like TeamViewer/LogMeIn/etc ... every center is its own isolated network, set up however, and I wouldn't be making use of things like Active Directory. – undrline – 2018-11-08T21:00:18.533

I'm not asking if you have access to AD, but whether the device is a domain member. The answer significantly affects how password policies work. – I say Reinstate Monica – 2018-11-08T21:01:16.907

@TwistyImpersonator I see. Some centers have a domain, some are just a workgroup. So, yes, what I do on a local machine has the potential to be overridden from the get-go. – undrline – 2018-11-08T21:03:22.523

Note that this is simply impossible for non-domain users. It is only possible for domain users logged into domain-member computers. Is that possible for you? – I say Reinstate Monica – 2018-11-08T21:04:21.747

I think "this is simply impossible for non-domain users" is technically the answer. But between LPChip and your answer, I think there might be a workaround ... would it be possible to loop through existing profiles, determine their current settings for PasswordExpires (because I assume the values behind the scenes are True, False and not set) and set them? Then a /maxpwage can be set, knowing accounts will safely ignore my global local setting. Domain is out of the question for me. – undrline – 2018-11-08T21:43:43.140

That depends on whether the max pwd age can be configured per-account. To my knowledge that's not possible outside a domain, but I've never tried so it might be possible. – I say Reinstate Monica – 2018-11-08T21:45:53.690

@TwistyImpersonator no, it cannot be set per user. It's a global setting. A simple rule of thumb: you have a general set of rules and AD expands on them. If AD can't do it, it just cannot be done. – LPChip – 2018-11-09T08:04:45.447

Thank you for the edit @TwistyImpersonator ... this makes it more applicable to the general population, though I felt like I had to give more detail upfront. – undrline – 2019-02-01T14:56:08.530

Answers

0

The feature Password expires only works with the policy Password expires. So you need to set that too, which indeed is set for every user unless they have Password Never Expires set to true. But that only makes it so that they get to change the password after it expires, which is not what you want. They can also just edit their user and disable this if they want, given they're admin on that machine.

Instead, you can set an end date on the account itself and basically it can't be used after that date. This feature is unfortunately only part of a domain user, not a local user, but this really is the best way to do this.

An alternative is to create a script that disables the user, and set up a task using Task Scheduler to execute that script at a given time. This has its caveats too, as they can disable it if they find it.

If they access the machines through RDP remotely, the easiest is to set up a second port forwarding to the machines, probably through one PC with a different port; then you can just disable that port forwarder.

LPChip

Posted 2018-11-08T19:11:02.853

Reputation: 42 190

I would like to point out that very rarely does anyone actually need Administrator permissions. You can create a user group that can install software; you don't have to literally provide full administrator access to a third party. If you are using an Active Directory domain, just remember you can simply create a local profile that only exists on that machine. This would prevent that local account from accessing your network, provided your configuration allows you to only permit access to domain users. – Ramhound – 2018-11-08T19:51:30.373

@Ramhound if you set up the user correctly in Active Directory, you can disallow network access from there too. The difference between a local user and a domain user is the fact that if you have to do this for 100 machines, you need to visit every machine for every change, whereas with a domain user, you manage everything centrally, which is what you normally want in this case. As for requiring administrative privileges, it depends; some programs use a service and then you really do need administrative privileges. – LPChip – 2018-11-08T20:03:33.450

I didn't see it was "remote machines", which makes using a local account more difficult. My comment was more of "does this third party actually need Administrator rights or are they simply asking for it", more of a thought exercise for the author. – Ramhound – 2018-11-08T20:08:22.577

@Ramhound right. :) I guess your 2nd comment will be helpful here. :) – LPChip – 2018-11-08T20:10:20.683

@LPChip well said ... they are using a service. I was using the term "software" very loosely. Please see my comment above about a possible workaround ... does PasswordExpires only have two states, or is there technically a not set or null state? What is the default? – undrline – 2018-11-08T21:47:32.227

There isn't a default. When you make a user, you have to set whether the password can be expired or not. It has only 2 states. Well, technically 3. You can set the password can expire option on a user, but then not configure the policy behind it, it would not expire. There is no per user option, unless you disable the password expire option for all other users. Again, what you want should be done differently. – LPChip – 2018-11-09T08:06:38.313
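The two approaches discussed above, the "exempt everyone else, then set a global max age" workaround from the comments and the answer's "scheduled task that disables the account" alternative, put together in one script. This is an added example, not code from the question or the answer; the account name VendorSupport is a placeholder, and the script assumes a workgroup machine (no domain policy to override it), run from an elevated PowerShell on Windows 10.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). "VendorSupport" is a placeholder
# for the third party's local account; the machine is assumed to be a workgroup
# member, so only the local password policy applies.
param(
    [string]$VendorAccount = 'VendorSupport',
    [int]$MaxPasswordAgeDays = 30,
    [datetime]$DisableAt = (Get-Date).AddDays(30)
)

# 1. Inventory. PasswordExpires is a DateTime when expiry applies and $null when
#    "Password never expires" is set: the two states the comments asked about.
Get-LocalUser | Select-Object Name, Enabled, PasswordExpires | Format-Table -AutoSize

# 2. The workaround from the comments: exempt every other enabled local account
#    from expiry, so the machine-wide max age only affects the vendor account.
Get-LocalUser | Where-Object { $_.Enabled -and $_.Name -ne $VendorAccount } |
    ForEach-Object { Set-LocalUser -Name $_.Name -PasswordNeverExpires $true }
Set-LocalUser -Name $VendorAccount -PasswordNeverExpires $false

# 3. The global policy from the question. It is still machine-wide, not per user;
#    step 2 is what keeps it from touching the other accounts.
net accounts "/maxpwage:$MaxPasswordAgeDays"

# 4. The answer's alternative: a one-shot scheduled task that disables the
#    account at a fixed time. It runs as SYSTEM, so it does not depend on any
#    user's password or on that user being logged on.
$command   = "Disable-LocalUser -Name '$VendorAccount'"
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -Command `"$command`""
$trigger   = New-ScheduledTaskTrigger -Once -At $DisableAt
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                 -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName "Disable-$VendorAccount" -Action $action `
    -Trigger $trigger -Principal $principal -Force | Out-Null
```

As the answer already notes, an account that holds local Administrator rights can undo both the never-expires flags and the scheduled task, so this only time-boxes an account whose holder is not expected to work against it.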