Can’t change password after domain user password expired? AD password expires while user is away? By default, domain users are required to change their passwords every 42 days, as defined by domain password policy. If you find those password expiry notices annoying, you can set password to never expire for domain accounts in Windows Server 2016, 2012, 2008, 2003.
Before getting started, you can check when your domain account password is going to expire. Just open the Command Prompt as administrator, type the following command and press Enter.
net user domain_account_name /domain
This will display your account information, including when you last changed your password, and when it expires.
Method 1: Set Domain Account Password to Never Expire via GUI
- Press the Windows logo key + R, type dsa.msc and press Enter to open Active Directory Users and Computers Snap-in.
- Expand your domain and click Users in the left pane, you’ll see a list of domain accounts on your server. Double-click on the user you would like to update.
- In the Properties dialog, click the Account tab and check “Password never expires” under the Account options section.
- Click Apply and then OK. Now you’ve successfully disabled the annoying expiration of passwords!
Method 2: Set Domain Account Password to Never Expire via PowerShell
- click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell.
- After importing Active Directory module in Powershell, you can type the following script to set your domain password to never expire. Replace pcunlocker with the name of your domain account.
Set-LocalUser -Name "pcunlocker" -PasswordNeverExpires 1
Method 3: Set Domain Account Password to Never Expire via Command Prompt
Open the Command Prompt as Administrator. Type the following command and press Enter. Note: Replace “pcunlocker” with your account name, and adjust the domain name accordingly.
dsmod user "CN=pcunlocker,CN=Users,DC=corp,DC=top-password,DC=com" -pwdneverexpires yes
This would set the password of the domain account “pcunlocker” to never expire.
If you want to disable the password expiration for all accounts in Active Directory, type:
dsquery user "CN=Users,DC=corp,DC=top-password,DC=com" | dsmod user -pwdneverexpires yes
Method 4: Set Password to Never Expire for All Accounts Using Domain Group Policy
- Click the Start button, point to Administrative Tools and then click Group Policy Management.
- In the console tree, expand the Forest and then Domains. Select the domain for which the password policies have to be set. Right-click Default Domain Policy and select Edit.
- It will open Group Policy Management Editor. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy, then double-click the “Maximum password age” setting in the right pane.
- In the Security Policy Setting tab, make sure the “Define this policy setting” option is checked, and specify that passwords never expire by setting the number of days to 0.
- Click Apply and then OK.
Actually, there is much simpler way to modify the “Maximum password age” settings for your default domain policy. Just open the Command Prompt as Administrator, and type:
net accounts /maxpwage:unlimited /domain
Now, all the domain accounts won’t be required to change password ever. If you’re locked out of Windows Server and can’t log on with any domain administrator, then you need to use the AD password utility – PCUnlocker. It can help you reset forgotten Active Directory password and unlock a disabled/expired/locked domain account.