Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

How do I deny "password never expires" permission

Status
Not open for further replies.
whyguy

whyguy

MIS
Jan 7, 2003
11
US
Can anyone tell me if I can deny the permission to set a password to never expire? I want to prevent certain people from changing the "password never expires" account setting.
 
Sort by date Sort by votes
Upvote 0 Downvote
No, they are account admins who only create accounts for their OU. We do not allow user accounts with passwords that do not expire, but I am finding some here and there that are being set that way.
 
Upvote 0 Downvote
How to Configure the System to Prevent Users from Changing Passwords Unless Prompted

dsquery user | dsmod user -pwdneverexpires no
You can refine the OU's etc that this command will work on if required by adding an OU's UPN (User principal name). eg

dsquery user CN=users,DC=mydomain,DC=com | dsmod user -pwdneverexpires no

Force a domain password policy to require users to reset the password every XX days.
Do the same things For "Domain Security Policy" also
1. Administrative Tools
2. Domain Security Policy
3. Account Policies
4. Password Policy
5. Maximum password age
5. Check Define this policy setting And "xx" days.

Joseph L. Poandl
MCSE 2003/ MCITP - Enterprise

If your company is in need of experts to examine technical problems/solutions, please contact (Sales@njcomputernetworks.com)
 
Upvote 0 Downvote
Excuse my ignorance, but I don't see how this allows me to deny my account admins the ability to set the "passwords never expire" option. I need them to create and manage accounts in their OU, but not be able to set passwords to never expire.
 
Upvote 0 Downvote
Because if you create a GPO that forces passwords to be changed, they can't set the flag for them never to expire.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 
Upvote 0 Downvote
Our domain security policy already forces passwords to be changed every xx days and that does not appear to affect their ability to set the passwords to never expire.

I am still puzzled that there is not a documented way to deny just that ability.
 
Upvote 0 Downvote
Create a new GPO (NotSetPswdExpire or similar)
Create a new OU and put the users that create the accounts into it.
Attach the GPO to to OU.
 
Upvote 0 Downvote
Also why not create a group that has account operators but cant use the function by using advanced security?
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Mohamed-IT
  • Locked
  • Question
Windows server 2019 password locked
Replies
1
Views
78
strongm
strongm
ravalos
  • Locked
  • Question
Problem with PDFs in IIS
Replies
1
Views
465
gbaughma
gbaughma
goombawaho
  • Locked
  • Question
Domain join from wifi connected laptop
Replies
4
Views
365
goombawaho
goombawaho
DrB0b
  • Locked
  • Question
HyperV trying to do extended replica to external HDD
Replies
0
Views
78
DrB0b
DrB0b
penguinroundup
  • Locked
  • Question
programmatically delete all saved passwords for IE for any user
Replies
0
Views
96
penguinroundup
penguinroundup

Part and Inventory Search

Sponsor

Back
Top