Windows Server - Enforce "Password Never Expires" Setting?

Asked By JohnLile on 18-Nov-08 10:02 AM
Does anyone know of a way to use group policy to enforce the user account
setting "password never expires"?  I have an OU that contains only service
accounts, and it's important that these not have their passwords require
periodic change.

I've looked at group policy settings for user configuration and don't find
anything that would accomplish this.  I've also found some possible scripts
to set the "password never expires" attribute, but I don't see how I could
use group policy to push such a script to the service accounts; a logon or
logoff script would seem moot since the service account never actually logs
on to a computer.

Any help would be appreciated!



David replied on 18-Nov-08 10:36 AM
You can only have one password policy in a domain, so you could set the
maximum password age to 0, but it would affect all your user accounts in your
If you had Windows Server 2008, you could utilize the fine-grained password
policy feature.  This feature allows you to configure a different password policy
(called a PSO, a Password Settings Object) for a user or group.  You cannot
apply it to an OU, however.

So in your case, you would have to create a shadow group (a group that
includes all the members of an OU), add all your service accounts to the
shadow group, create a PSO that sets the maximum password age to 0, and
apply the PSO to the shadow group that you created.

Take care,

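The shadow-group plus PSO approach described in the reply above, as an added example (not code from the thread or from either poster). It assumes a Windows Server 2008 (or later) domain functional level, an admin host with the ActiveDirectory PowerShell module (RSAT, Server 2008 R2 or later), and the OU, group and PSO names shown, all of which are hypothetical. The last step checks the resultant policy per account, which is the thing to verify after any PSO change.

```powershell
# Added example, not from the thread. Assumes a 2008+ domain functional level,
# the ActiveDirectory module, and these hypothetical names.
Import-Module ActiveDirectory

$ServiceOU    = "OU=Service Accounts,DC=corp,DC=example"   # assumption
$GroupsOU     = "OU=Groups,DC=corp,DC=example"             # assumption: home of the shadow group
$ShadowGroup  = "ServiceAccounts-Shadow"                   # assumption
$PsoName      = "PSO-ServiceAccounts-NoExpiry"             # assumption
$NeverExpires = [Int64]::MinValue   # value AD stores in msDS-MaximumPasswordAge for "(never)"

# 1. Shadow group: PSOs bind to users and groups, never to OUs, so the OU is
#    mirrored into a global security group.
if (-not (Get-ADGroup -Filter "Name -eq '$ShadowGroup'")) {
    New-ADGroup -Name $ShadowGroup -GroupScope Global -GroupCategory Security -Path $GroupsOU `
        -Description "Mirrors $ServiceOU; target of $PsoName"
}

# 2. Sync membership both ways. Run this part on a schedule so accounts created
#    in or moved out of the OU pick up or lose the PSO without manual work.
$ouUsers = @(Get-ADUser -SearchBase $ServiceOU -SearchScope Subtree -Filter * |
             ForEach-Object { $_.DistinguishedName })
$members = @(Get-ADGroupMember -Identity $ShadowGroup | ForEach-Object { $_.DistinguishedName })

$toAdd    = @($ouUsers | Where-Object { $members -notcontains $_ })
$toRemove = @($members | Where-Object { $ouUsers -notcontains $_ })
if ($toAdd)    { Add-ADGroupMember    -Identity $ShadowGroup -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $ShadowGroup -Members $toRemove -Confirm:$false }

# 3. The PSO. Only MaxPasswordAge differs from a normal policy; lockout is off
#    so a password spray cannot lock the service out (lower precedence wins).
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -ComplexityEnabled $true -MinPasswordLength 24 -PasswordHistoryCount 24 `
        -MinPasswordAge "1.00:00:00" -MaxPasswordAge ([TimeSpan]::Zero) `
        -LockoutThreshold 0 -LockoutDuration "0.00:30:00" -LockoutObservationWindow "0.00:30:00" `
        -ReversibleEncryptionEnabled $false
}

# 4. Check the raw attribute. "Never" is the Int64.MinValue sentinel; if the
#    cmdlet stored anything else, write the sentinel directly.
$pso = Get-ADFineGrainedPasswordPolicy -Identity $PsoName -Properties 'msDS-MaximumPasswordAge'
if ([Int64]$pso.'msDS-MaximumPasswordAge' -ne $NeverExpires) {
    Set-ADObject -Identity $pso.DistinguishedName -Replace @{ 'msDS-MaximumPasswordAge' = $NeverExpires }
}

# 5. Bind the PSO to the group (idempotently) and confirm the resultant policy
#    for every account in the OU.
$subjects = @(Get-ADFineGrainedPasswordPolicySubject -Identity $PsoName | ForEach-Object { $_.SamAccountName })
if ($subjects -notcontains $ShadowGroup) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $ShadowGroup
}
foreach ($u in Get-ADUser -SearchBase $ServiceOU -SearchScope Subtree -Filter *) {
    $r = Get-ADUserResultantPasswordPolicy -Identity $u
    "{0,-24} {1}" -f $u.SamAccountName, $(if ($r) { $r.Name } else { "<default domain policy>" })
}
```

Step 5 is worth keeping in whatever scheduled job you build: a PSO applied to a group takes effect only through membership, so an account that someone moves into the OU by hand shows "<default domain policy>" until the sync in step 2 has run.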
JohnLile replied on 18-Nov-08 01:43 PM
Thanks for the reply.  We'll be migrating to 2008, but not anytime soon.  I
think what I'll try is setting up a script to run periodically through task
scheduler that will flick the checkbox if it isn't set already.

Thanks again.
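The periodic script sketched in the reply above, as an added example (not code posted in the thread). It uses plain ADSI rather than the ActiveDirectory module, so it runs against a pre-2008 domain from PowerShell 2.0 on any domain-joined box; the OU path, log path and task account are hypothetical. The LDAP bitwise filter makes the query return only accounts that still lack the flag, so the nightly run touches nothing and writes one log line when the OU is already in the desired state.

```powershell
# Added example, not from the thread. ADSI only; hypothetical names below.
$ServiceOU = "LDAP://OU=Service Accounts,DC=corp,DC=example"   # assumption
$LogFile   = "C:\Scripts\ServiceAccountNoExpiry.log"            # assumption
$UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit behind the "Password never expires" checkbox

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = New-Object System.DirectoryServices.DirectoryEntry($ServiceOU)
$searcher.SearchScope = "Subtree"
$searcher.PageSize    = 500
# LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) tests the bit on the DC; the
# enclosing "!" returns only user objects that do NOT have it set yet.
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)" +
                   "(!(userAccountControl:1.2.840.113556.1.4.803:=$UF_DONT_EXPIRE_PASSWD)))"
[void]$searcher.PropertiesToLoad.Add("sAMAccountName")

$changed = 0
foreach ($result in $searcher.FindAll()) {
    $entry = $result.GetDirectoryEntry()
    $uac   = [int]$entry.Properties["userAccountControl"].Value
    # OR the bit in; every other flag (disabled, smartcard required, ...) is preserved.
    $entry.Properties["userAccountControl"].Value = $uac -bor $UF_DONT_EXPIRE_PASSWD
    $entry.CommitChanges()
    $changed++
    Add-Content -Path $LogFile -Value ("{0} set DONT_EXPIRE_PASSWD on {1}" -f `
        (Get-Date -Format s), $entry.Properties["sAMAccountName"].Value)
}
Add-Content -Path $LogFile -Value ("{0} run complete, {1} account(s) changed" -f (Get-Date -Format s), $changed)

# Register once, elevated. The task account only needs write access to
# userAccountControl on this OU; do not run it as a domain admin:
#   schtasks /Create /SC DAILY /ST 02:00 /TN "ServiceAccountNoExpiry" /RU CORP\svc-adtask /RP * ^
#     /TR "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File C:\Scripts\Set-ServiceAccountNoExpiry.ps1"
```

Because the script trusts the OU, anyone who can create or move user objects into it can exempt an account from password expiry; keep that OU's ACL as tight as the flag itself, and keep the log so the changes are attributable.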
Florian Frommherz [MVP] replied on 18-Nov-08 02:34 PM

This isn't something Group Policy can do. As you surely already know,
you can tick the "Password expire..." setting so that the password won't
expire at any time. Once it's ticked, it won't expire no matter what the
Password Policy says.

Having said that, make sure you watch out to whom you give account
operators privileges as only those (and domain admins and the like) can
change that setting on the users then.


Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
Maillist (german):
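An audit to go with the warning in the reply above about who can flip the setting, as an added example (not code from the thread or the poster). It assumes the ActiveDirectory module and a hypothetical service-account OU; it lists who holds the privileges that can change the flag and which enabled accounts outside that OU already carry it, which is where an attacker-created or forgotten exemption would show up.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and
# this hypothetical OU.
Import-Module ActiveDirectory
$ServiceOU = "OU=Service Accounts,DC=corp,DC=example"   # assumption

# 1. Who can set "Password never expires": Account Operators, Domain Admins and
#    Administrators, with nested group membership expanded.
$privileged = foreach ($g in "Account Operators", "Domain Admins", "Administrators") {
    Get-ADGroupMember -Identity $g -Recursive |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass, DistinguishedName
}
$privileged | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# 2. Enabled accounts with the flag set that live outside the service-account OU.
#    These are exceptions to the domain password policy that nobody planned for.
$strays = Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
            -Properties PasswordLastSet, whenChanged, adminCount |
          Where-Object { $_.DistinguishedName -notlike "*,$ServiceOU" } |
          Select-Object SamAccountName, DistinguishedName, PasswordLastSet, whenChanged, adminCount |
          Sort-Object whenChanged -Descending
$strays | Format-Table -AutoSize

# 3. Keep a dated copy so the next run can be diffed against this one.
$strays | Export-Csv -NoTypeInformation -Path ("C:\Audit\PwdNeverExpires-{0:yyyyMMdd}.csv" -f (Get-Date))
```

A non-empty list in step 2 with a recent whenChanged is the first thing to chase; adminCount=1 on such an account means it is also protected by AdminSDHolder, so it deserves a hard look.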