Password never expires-can't force user to change password

#1
10-01-2005
Marsha

I have a user's password set to never expire and Active Directory is telling
me that because of that, I can't force the user to change their password at
next logon. I understand the concept, but can someone verify that in fact if
a password never expires you can't force a password change? Is this how AD
handles passwords? Must there be a potential expiration date in order to
force a user to change their password? Thanks for the help!

#2
10-01-2005
Paul Bergson
Re: Password never expires-can't force user to change password

Works as you explained.

Just temp set it to expire and then go back a week later and make it
non-expiring again.

--

Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.



"Marsha" <Marsha@discussions.microsoft.com> wrote in message
news:B9B6BCC0-B548-47E6-9E20-255415BF0A0A@microsoft.com...
> I have a user's password set to never expire and Active Directory is telling
> me that because of that, I can't force the user to change their password at
> next logon. I understand the concept, but can someone verify that in fact if
> a password never expires you can't force a password change? Is this how AD
> handles passwords? Must there be a potential expiration date in order to
> force a user to change their password? Thanks for the help!

#3
10-01-2005
Mental Floss
RE: Password never expires-can't force user to change password

Hi Marsha:

When the checkbox to "Password Never Expires" is set, a user can change
their password from any PC connected to the domain (CTRL+ALT+Delete | Change
Password). Setting that checkbox means that the current password cannot be
changed by user. You have to remove the checkbox in "Password Never Expires",
set the "Change Password At Next Logon" and then reset it after the user has
changed their password.
Refer to article: http://support.microsoft.com/?kbid=282479

As an aside, it is not good Security practice to set the option of "Password
Never Expires" for any user.

-MentalFloss

"Marsha" wrote:

> I have a user's password set to never expire and Active Directory is telling
> me that because of that, I can't force the user to change their password at
> next logon. I understand the concept, but can someone verify that in fact if
> a password never expires you can't force a password change? Is this how AD
> handles passwords? Must there be a potential expiration date in order to
> force a user to change their password? Thanks for the help!


#4
10-01-2005
Joe Richards [MVP]
Re: Password never expires-can't force user to change password

The mechanism for forcing a user to change password is a password expiration. It
actually forces a zero into the pwdLastSet attribute. This forces the system to
require a new password UNLESS the account is set to never expire.

There is almost never a good reason to have an account set to never expire and
tons of good reasons not to do it. You should probably reconsider your stance on
having that set. It is usually only laziness that causes it to be set in the
first place.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Marsha wrote:
> I have a user's password set to never expire and Active Directory is telling
> me that because of that, I can't force the user to change their password at
> next logon. I understand the concept, but can someone verify that in fact if
> a password never expires you can't force a password change? Is this how AD
> handles passwords? Must there be a potential expiration date in order to
> force a user to change their password? Thanks for the help!
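
Added example, not written by any poster in this thread: a small Python model of the evaluation order described in the replies above, where the never-expires flag is checked before pwdLastSet, replayed over the clear-flag, force-change, re-set-flag procedure. The function names, the sample dates and the 42-day maximum age are assumptions, and the maximum age is simplified to whole days.

```python
from datetime import datetime, timedelta, timezone

UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit behind "Password never expires"
NORMAL_ACCOUNT = 0x200            # userAccountControl bit for an ordinary user account
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 864_000_000_000   # pwdLastSet counts 100 ns intervals since 1601-01-01 UTC

def to_filetime(dt):
    """Convert an aware datetime to the integer form used by pwdLastSet."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def password_state(uac, pwd_last_set, max_age_days, now):
    """Classify one account as 'never-expires', 'must-change' or 'valid'."""
    if uac & UF_DONT_EXPIRE_PASSWD:
        return "never-expires"    # checked first, so pwdLastSet = 0 is ignored
    if pwd_last_set == 0:
        return "must-change"      # "change at next logon" stores 0 here
    if max_age_days == 0:
        return "valid"            # assumption: 0 means the policy sets no maximum age
    expired = to_filetime(now) >= pwd_last_set + max_age_days * TICKS_PER_DAY
    return "must-change" if expired else "valid"

def walk_through(max_age_days=42):
    """Replay the thread's procedure on a constructed account; return (step, state) pairs."""
    now = datetime(2005, 1, 10, tzinfo=timezone.utc)   # constructed date
    old = to_filetime(now - timedelta(days=400))       # constructed: set 400 days ago
    flagged = NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD
    steps = [
        ("never-expires set, old password", flagged, old),
        ("never-expires set, pwdLastSet zeroed", flagged, 0),
        ("never-expires cleared, old password", NORMAL_ACCOUNT, old),
        ("never-expires cleared, pwdLastSet zeroed", NORMAL_ACCOUNT, 0),
        ("user has chosen a new password", NORMAL_ACCOUNT, to_filetime(now)),
        ("never-expires set again", flagged, to_filetime(now)),
    ]
    return [(name, password_state(uac, pls, max_age_days, now))
            for name, uac, pls in steps]

if __name__ == "__main__":
    for name, state in walk_through():
        print(f"{state:14} {name}")
```

The third step is the one to watch during a rollout: clearing the flag on an account whose password is already older than the maximum age makes it due for a change immediately, even without zeroing pwdLastSet.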


#5
10-01-2005
Marsha
Re: Password never expires-can't force user to change password

Thanks for the help. Unfortunately, I have to set it to never expire so that
I can control the implementation of our password policy. Hopefully it won't
take long to roll it out and the 'password never expires' checkbox will not
be an issue. I appreciate the feedback!


"Paul Bergson" wrote:

> Works as you explained.
>
> Just temp set it to expire and then go back a week later and make it
> non-expiring again.
>
> --
>
> Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
>
> "Marsha" <Marsha@discussions.microsoft.com> wrote in message
> news:B9B6BCC0-B548-47E6-9E20-255415BF0A0A@microsoft.com...
> > I have a user's password set to never expire and Active Directory is telling
> > me that because of that, I can't force the user to change their password at
> > next logon. I understand the concept, but can someone verify that in fact if
> > a password never expires you can't force a password change? Is this how AD
> > handles passwords? Must there be a potential expiration date in order to
> > force a user to change their password? Thanks for the help!

#6
10-01-2005
Marsha
Re: Password never expires-can't force user to change password

Please see my previous post. At this time, I am unaware of any other option
to control a domain password policy than at the user account level. If
anyone knows of another way, please let me know. We want to implement it OU
by OU or user by user if requested. This is the only method I know of at
this point.


"Joe Richards [MVP]" wrote:

> The mechanism for forcing a user to change password is a password expiration. It
> actually forces a zero into the pwdLastSet attribute. This forces the system to
> require a new password UNLESS the account is set to never expire.
>
> There is almost never a good reason to have an account set to never expire and
> tons of good reasons not to do it. You should probably reconsider your stance on
> having that set. It is usually only laziness that causes it to be set in the
> first place.
>
> joe
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> Marsha wrote:
> > I have a user's password set to never expire and Active Directory is telling
> > me that because of that, I can't force the user to change their password at
> > next logon. I understand the concept, but can someone verify that in fact if
> > a password never expires you can't force a password change? Is this how AD
> > handles passwords? Must there be a potential expiration date in order to
> > force a user to change their password? Thanks for the help!
