The expiration date of an AD user’s password determines when and how often a user is required to change their domain password. Group Policy is used to configure password expiration in the Active Directory domain. Administrators can improve the security of user and service accounts within organizations by enforcing regular password changes.
If an Active Directory user’s password expires, they won’t be able to log on to the domain or access domain resources until they change their password. The following prompt will appear on the Windows login screen after the user has interactively entered the expired password:
Your password has expired and must be changed.
Configure Password Expiration Settings with Default Domain Policy
By default, the password expiration settings in the domain are configured using the Group Policy Object (GPO).
- Open the Group Policy Management Console (GPMC.msc) on a domain controller;
- Expand the Group Policy Objects container, right-click on the Default Domain Policy and select Edit;
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy. Domain password expiration is configured using the Maximum password age option. This is the number of days a password can be used before the system requires the domain user to change it. By default, user account passwords expire 42 days after the last password change;
- You can edit the default policy value. For example, set the password to expire after 90 days. Save the changes;
- The new value of the password expiration policy will be applied to the DC within 5 minutes. Check new policy settings with the following PowerShell command:
Get-ADDefaultDomainPasswordPolicy | Select-Object MaxPasswordAge
Set the Maximum password age setting to 0 if you want to disable password expiration for users in your domain, so that users’ passwords never expire. In this case, all domain users won’t be required to change their password ever.
How to Get AD User Password Expiration Date
To find out when a specific user’s password expires, you can use PowerShell (requires the Active Directory PowerShell module to be installed on the computer). Replace alpha with the username you need:
Get-ADUser -Identity alpha -Properties "msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property Name, @{Name = "PasswordExpiryDate"; Expression = { [datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed") } }
This command retrieves the password expiration date for a user.
You can list the password expiration dates for all of your AD users at once. In this example, we’ll only list users without the PasswordNeverExpires option enabled:
Get-ADUser -Filter 'PasswordNeverExpires -eq "False"' -Properties PasswordNeverExpires, "msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property Name, @{Name = "PasswordExpiryDate"; Expression = { [datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed") } }
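The one-liners above work for a quick look, but msDS-UserPasswordExpiryTimeComputed is not always a real date: it is 0 when the user must change the password at next logon and Int64.MaxValue when the password never expires (for example under a fine-grained policy with a zero maximum age), and passing either value to FromFileTime gives a nonsense date or an exception. The following added example (not code from the original article) handles those cases and reports only passwords that are already expired or expire within a given number of days; the function name and the 14-day window are assumptions.

```powershell
# Added example: report enabled users whose password is expired or expires within
# $WithinDays days, skipping the special attribute values instead of converting them.
# Assumes the ActiveDirectory module and read access to the attributes.
Import-Module ActiveDirectory

function Get-ExpiringPasswordReport {
    param(
        [int]$WithinDays = 14,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $attr  = 'msDS-UserPasswordExpiryTimeComputed'
    $now   = Get-Date
    $users = Get-ADUser -Filter "Enabled -eq 'True' -and PasswordNeverExpires -eq 'False'" `
                        -SearchBase $SearchBase -Properties $attr, PasswordLastSet

    foreach ($u in $users) {
        $raw     = $u.$attr
        $expires = $null
        if ($null -eq $raw -or $raw -eq 0) {
            # 0: "User must change password at next logon" (pwdLastSet is 0)
            $state = 'MustChangeAtNextLogon'
        } elseif ($raw -eq [Int64]::MaxValue) {
            # Int64.MaxValue: no expiration (e.g. an FGPP with MaxPasswordAge 0)
            $state = 'NeverExpires'
        } else {
            $expires  = [datetime]::FromFileTime($raw)
            $daysLeft = [math]::Floor(($expires - $now).TotalDays)
            if ($daysLeft -lt 0)               { $state = 'Expired' }
            elseif ($daysLeft -le $WithinDays) { $state = 'ExpiringSoon' }
            else                               { continue }   # nothing to report
        }
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            PasswordLastSet = $u.PasswordLastSet
            ExpiryDate      = $expires
            State           = $state
        }
    }
}

Get-ExpiringPasswordReport -WithinDays 14 | Sort-Object ExpiryDate | Format-Table -AutoSize
```

Accounts flagged MustChangeAtNextLogon are worth a second look, since a forced change that never happens usually means a dormant or unused account.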
Configuring Fine-Grained Password Expiration Policy
The domain-wide Default Domain Policy sets the same password expiration settings for all users. If you want to apply custom (granular) password expiration for specific user groups or individual user accounts, you should use the Fine-Grained Password Policy (FGPP).
The Fine-Grained Password Expiration policies are configured using the Active Directory Administration Center console.
- Open the dsac.exe snap-in and navigate to Domain > System > Password Settings Container;
- Under the Tasks pane, click New → Password Settings;
- Provide a unique name for the password policy, precedence, and the maximum password age in days. Disable other policy options that you don’t want to apply;
- Specify the users or groups to whom the policy should apply by adding them to the “Directly Applies To” section. In this example, we added the CA Server Admins group;
- Click OK to save the password policy.
The FGPP will now be applied to the specified user or group, providing a custom password expiration policy that differs from the domain-wide settings.
You can also create and apply a fine-grained password expiration policy using PowerShell:
# Create the new Fine-Grained password expiration policy
$policySettings = @{
    Name           = 'Expire Password after 60-days'
    MinPasswordAge = '1.00:00:00'
    MaxPasswordAge = '60.00:00:00'
    Precedence     = 1
}
New-ADFineGrainedPasswordPolicy @policySettings
# Display the new Fine-Grained password expiration policy
Get-ADFineGrainedPasswordPolicy $policySettings['Name']
Now, let’s assign this password expiration policy to target users and AD groups. In this example, we’ll apply the policy to the CA DevOps group and the jsmith user account.
# Add new subjects to the password expiration policy.
Add-ADFineGrainedPasswordPolicySubject -Identity 'Expire Password after 60-days' -Subjects 'CA DevOps', 'jsmith'
# Display the password expiration policy subjects.
Get-ADFineGrainedPasswordPolicySubject -Identity 'Expire Password after 60-days'
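Listing the subjects only shows who the policy is assigned to, not whether it actually governs them: when several fine-grained policies apply to the same user, the one with the lowest precedence value wins. The following added example (not code from the original article) expands the policy’s group subjects to their user members and checks each user’s resultant policy with Get-ADUserResultantPasswordPolicy; the function name is an assumption and the policy name is the one created above.

```powershell
# Added example: verify that the fine-grained policy is the resultant policy for
# every user it was assigned to (directly or via group membership).
# Assumes the ActiveDirectory module and the policy name created above.
Import-Module ActiveDirectory

function Test-FineGrainedPolicyApplied {
    param([Parameter(Mandatory)][string]$PolicyName)

    $policy   = Get-ADFineGrainedPasswordPolicy -Identity $PolicyName
    $subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $PolicyName

    # Expand group subjects to their recursive user members; users listed directly stay as-is.
    $users = foreach ($s in $subjects) {
        if ($s.ObjectClass -eq 'group') {
            Get-ADGroupMember -Identity $s.DistinguishedName -Recursive |
                Where-Object { $_.ObjectClass -eq 'user' }
        } else {
            $s
        }
    }

    $domainMaxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    foreach ($u in ($users | Sort-Object -Property DistinguishedName -Unique)) {
        # Resultant policy: the applicable FGPP with the lowest precedence,
        # or $null when only the Default Domain Policy applies to this user.
        $resultant = Get-ADUserResultantPasswordPolicy -Identity $u.DistinguishedName
        [pscustomobject]@{
            User            = $u.SamAccountName
            ResultantPolicy = if ($resultant) { $resultant.Name } else { '(Default Domain Policy)' }
            MaxPasswordAge  = if ($resultant) { $resultant.MaxPasswordAge } else { $domainMaxAge }
            ExpectedApplied = [bool]($resultant -and $resultant.Name -eq $policy.Name)
        }
    }
}

Test-FineGrainedPolicyApplied -PolicyName 'Expire Password after 60-days' | Format-Table -AutoSize
```

A row with ExpectedApplied set to False means another FGPP with a lower precedence value (or none at all) is governing that user, so the new expiration age is not in effect for them.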
Does Microsoft Still Recommend Periodic Password Expiration?
In its current security baseline, Microsoft recommends not enforcing periodic password expiration, because forced periodic password changes have proven less effective than previously thought. Instead, you should rely on modern controls such as Microsoft Entra Password Protection and multi-factor authentication (MFA).