How do I deny "password never expires" permission

whyguy

MIS
Jan 7, 2003
11
US
Can anyone tell me if I can deny the permission to set a password to never expire? I want to prevent certain people from changing the "password never expires" account setting.
 
No, they are account admins who only create accounts for their OU. We do not allow user accounts with passwords that do not expire, but I am finding some here and there that are being set that way.
 
How to Configure the System to Prevent Users from Changing Passwords Unless Prompted

dsquery user | dsmod user -pwdneverexpires no
You can refine the OUs etc. that this command will work on, if required, by adding an OU's UPN (User principal name), e.g.:

dsquery user CN=users,DC=mydomain,DC=com | dsmod user -pwdneverexpires no

Force a domain password policy to require users to reset the password every XX days.
Do the same things for "Domain Security Policy" also.
1. Administrative Tools
2. Domain Security Policy
3. Account Policies
4. Password Policy
5. Maximum password age
6. Check "Define this policy setting" and "xx" days.

Joseph L. Poandl
MCSE 2003/ MCITP - Enterprise

If your company is in need of experts to examine technical problems/solutions, please contact (Sales@njcomputernetworks.com)
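
Added example (not from any poster in this thread): the checkbox that dsmod's -pwdneverexpires switch toggles is the DONT_EXPIRE_PASSWD bit (0x10000) of userAccountControl, so an LDIF export of user objects can be audited to see which containers hold flagged accounts and which OU admins to follow up with. The domain, user names and export text below are constructed sample data.

```python
import re
from collections import defaultdict

DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit behind "Password never expires"
ACCOUNTDISABLE = 0x0002       # set when the account is disabled

# Constructed sample export (hypothetical domain and users).
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Sales,DC=mydomain,DC=com
sAMAccountName: aexample
userAccountControl: 66048

dn: CN=Bob Example,OU=Sales,DC=mydomain,DC=com
sAMAccountName: bexample
userAccountControl: 512

dn: CN=Svc Backup,OU=Servers,DC=mydomain,DC=com
sAMAccountName: svc-backup
userAccountControl: 66050
"""

def parse_ldif(text):
    """Yield one dict per record; base64 ('attr:: value') lines are not decoded."""
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (l.split(": ", 1) for l in block.splitlines()
                 if ": " in l and not l.startswith("#"))
        yield {attr: value.strip() for attr, value in pairs}

def parent_container(dn):
    """Drop the first RDN, honouring escaped commas such as 'CN=Smith\\, John'."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    return parts[1] if len(parts) == 2 else ""

def never_expire_accounts(text):
    """Map parent container -> [(account name, enabled)] for flagged users."""
    findings = defaultdict(list)
    for rec in parse_ldif(text):
        try:
            dn, uac = rec["dn"], int(rec["userAccountControl"])
        except (KeyError, ValueError):
            continue  # record without a usable dn or userAccountControl
        if uac & DONT_EXPIRE_PASSWD:
            name = rec.get("sAMAccountName", dn)
            findings[parent_container(dn)].append((name, not uac & ACCOUNTDISABLE))
    return dict(findings)

if __name__ == "__main__":
    for ou, users in never_expire_accounts(SAMPLE_LDIF).items():
        print(ou, users)
```

Run on a schedule, a report like this surfaces newly flagged accounts per OU soon after they are created.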
 
Excuse my ignorance, but I don't see how this allows me to deny my account admins the ability to set the "passwords never expire" option. I need them to create and manage accounts in their OU, but not be able to set passwords to never expire.
 
Because if you create a GPO that forces passwords to be changed, they can't set the flag for them never to expire.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 
Our domain security policy already forces passwords to be changed every xx days and that does not appear to affect their ability to set the passwords to never expire.

I am still puzzled that there is not a documented way to deny just that ability.
 
Create a new GPO (NotSetPswdExpire or similar)
Create a new OU and put the users that create the accounts into it.
Attach the GPO to the OU.
 
Also, why not create a group that has account operators but can't use the function, by using advanced security?
 