Can I reset the clock on an expired password in AD

Tags: active-directory, credentials, domain-controller, password, password-management

I have a customer whose users all access the solution via RDP and who are all set to 'password never expires' in AD.

We're enforcing a password expiration policy and introducing a self-serve credential manager to allow the users to change their password in the event that it expires.

I've noticed, however, that as soon as I uncheck 'password never expires' for a user, that user is immediately unable to log in.
If I try the account locally, I'm advised that the password has expired.
If I go into AD and change the password, the account can log in once more.

If I had to guess, I'd say that Windows is probably recognising that my current password is greater than X days old or something.

It's worth mentioning as well that the 'account expires' option is still set to 'Never', but I've tried adjusting this to the future and it made no difference.


What I really want to do is wind back the clock so that when I uncheck the 'password never expires' option, the users have a short period, perhaps 7 days or so, in which to update their password before it expires and they are unable to log in, but during which they can keep using their existing password.

Any help is appreciated 🙂

Best Answer

The pwdLastSet attribute is used to calculate the password age.

The value is protected, and the only value you can set there is 0 or -1.

The value you are looking for is -1: the system will set pwdLastSet to the current date/time. Thus the 90 days, or any defined time period, will start again from the beginning.

0 would do the opposite, it would expire the password right now.

You set it to 0, manually or with a script, then set it to -1, and afterwards uncheck the 'Password never expires' option for the account.

Example, before:

After setting it to 0 and then -1:
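The reset sequence from the answer, written out as an added PowerShell example (not code from the original answer); it assumes the ActiveDirectory module is available and uses 'jdoe' as a placeholder account name. It also reads the computed expiry date afterwards so you can confirm the clock really restarted before the user next logs on.

```powershell
# Added example: restart a user's password-age clock via pwdLastSet.
# Assumes the ActiveDirectory RSAT module; 'jdoe' is a placeholder, not from the page.
Import-Module ActiveDirectory

$user = 'jdoe'

# pwdLastSet only accepts 0 (expire the password now) or -1 (stamp the current time).
# Follow the answer's order: set 0 first, then -1.
Set-ADUser -Identity $user -Replace @{ pwdLastSet = 0 }
Set-ADUser -Identity $user -Replace @{ pwdLastSet = -1 }

# Only now clear 'Password never expires', so the domain's maximum password age
# is counted from today rather than from the old pwdLastSet value.
Set-ADUser -Identity $user -PasswordNeverExpires $false

# Verify: PasswordLastSet should be the current time, and the computed expiry
# should be today plus the domain's maximum password age.
$u = Get-ADUser -Identity $user -Properties PasswordLastSet, PasswordNeverExpires,
                                              'msDS-UserPasswordExpiryTimeComputed'

$raw = $u.'msDS-UserPasswordExpiryTimeComputed'
# A domain policy with no maximum age reports 0 or Int64.MaxValue here, which
# [datetime]::FromFileTime cannot convert, so treat those as "never".
if ($raw -eq 0 -or $raw -eq [int64]::MaxValue) {
    $expiry = $null
    $daysLeft = 'never'
} else {
    $expiry = [datetime]::FromFileTime($raw)
    $daysLeft = [math]::Round(($expiry - (Get-Date)).TotalDays, 1)
}

[pscustomobject]@{
    User                 = $u.SamAccountName
    PasswordLastSet      = $u.PasswordLastSet
    PasswordNeverExpires = $u.PasswordNeverExpires
    ExpiresOn            = $expiry
    DaysUntilExpiry      = $daysLeft
}
```

Run the verification block again the next day to confirm DaysUntilExpiry is counting down from the domain's maximum age and not from the user's original password date.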