Q

Do the Group Policy Object and 'Password Never Expires' flag interact?

How does the Group Policy Object interact with the 'Password Never Expires' flag in Active Directory? Identity and access management expert Joel Dubin explains.

My organization has some accounts with the 'Password Never Expires' flag set and some without that setting. Among other settings, the Group Policy Object in Active Directory will set the maximum age of a password to 180 days. When the Group Policy Object is applied, what happens to these accounts? Will all accounts be asked to reset their passwords immediately at next login or in 180 days?

The Group Policy Object in Active Directory affects existing accounts only when users try to change or update their passwords earlier than the maximum password age of 180 days. Otherwise, they'll be asked to reset their passwords in 180 days, not at the next login.

The clock starts ticking whenever the maximum age is set in the Group Policy Object. However, if individual accounts are set in an organization -- whether to never expire or some other setting -- the Group Policy Object setting in Active Directory will take precedence for all registered accounts. The only exception is systems older than Windows 2000, which don't support Active Directory password management.

Policies can be set for individual workstations or the entire domain, but should be set at the domain level to keep security consistent throughout the network. Active Directory manages password age through the Group Policy Objects editor of its administrative GUI. It can also manage password history, length and complexity.

Password policies, including password age, should be based on a thorough risk assessment of corporate systems and applications. Those with high-risk data, such as customer data or proprietary company information, should have tighter access control policies, meaning more frequent password expirations.

Make sure to have a consistent policy across the organization for password age and expiration, and put it in writing in accordance with corporate IT security standards.

 

This was first published in August 2008

Dig deeper on Password Management and Policy

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close