The "Password Expiration Policy" defines the number of days that users can use the same password before it expires. In domain environments, the default password expiration time is 42 days, which means that after that time users must change their password to continue using their computer and access network resources.
This guide contains step-by-step instructions on how to change the default "Maximum password age", or to disable the password expiration policy on a Active Directory Domain 2012/2016. *
* Note: To change the password expiration on Windows 10 & Standalone Server 2016/2012, read this article: How to Set Password Expiration Date on Windows 10 & Server 2016/2012 Standalone Servers.
How to Change or Disable Password Expiration Policy in Active Directory.
1. In Active Directory Domain Controller, open the Server Manager and then from Tools menu, open the Group Policy Management. *
* Additionally, navigate to Control Panel -> Administrative Tools -> Group Policy Management.
2. Under Domains, select your domain and then right click at Default Domain Policy and choose Edit.
3. Then navigate to:
- Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy
4. At the right pane, double-click at Maximum password age.
5. Now check the Define this policy setting and depending on what you want, apply the corresponding action below:
a. To Modify the Number of days before the passwords expires, type for how many days the same password can be used before the user is forced to change it (e.g. to 180 days = 6 months), and click OK.
b. To Disable the Password Expiration Policy, so that the Password Never Expires, set this number to Zero (0) and click OK. (By setting the value to 0, all the domain accounts won’t be required to change password ever).
* Notes: The "Maximum password age" setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999.
6. Finally, open Command Prompt as Administrator and give the following command to update the group policy or restart the AD server.
- gpupdate /force
ADDITIONAL NOTE – HELP:
If you have changed the "Maximum Password Age" as described above, and the policy doesn't apply for a user:
1. Open Active Directory Users and Computers.
2. Select the Users group on the left pane.
3. At the right pane, right-click at the user which the policy doesn't work and select Properties.
4. At Account tab, uncheck the Password never expires option and click OK.
That's it! Let me know if this guide has helped you by leaving your comment about your experience. Please like and share this guide to help others.