Password Expiration

Issue

On a local account, the Password never expires setting overrides the Maximum Password Age setting in the Password policy in Group Policy, which lets the user keep the same password forever.

Also, the Password never expires setting will override the User must change password at next logon setting. When users are assigned new passwords by administrators or help desk operators, it is good practice to set the User must change password at next logon option to ensure the user sets a new password.

Caution

Solution

Review any local accounts identified in the security report as having passwords that do not expire to determine why the option is set and whether it should be removed.

Accounts in the NoExpireOk.txt file (in the MBSA installation folder) will not be reported during the password expiration check. Users can add account names to this file, or remove them, to control which accounts are skipped during the scan.

Instructions

To clear the Password never expires setting in Microsoft® Windows® Server 2003, Windows XP Professional, and Windows 2000

  1. Open the Control Panel.
  2. Double-click Administrative Tools, and then double-click Computer Management.
  3. Double-click the Local Users and Groups folder, and then click the Users folder.
  4. In the right pane, double-click the account that you want to change.
  5. In the Properties dialog box, clear the Password never expires check box.

To clear the Password never expires setting in Microsoft Windows NT®

  1. Click Start, point to Programs, and then click Administrative Tools.
  2. Click User Manager for Domains.
  3. Under the User menu, click Select Domain, and then type the local computer name.
  4. Double-click the account that you want to change.
  5. In the User Properties dialog box, clear the Password never expires check box.
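
The review and the change described above can also be scripted on systems that have PowerShell 3.0 or later. The script below is an added example, not part of the original help text or of MBSA; its parameter names are hypothetical, and it assumes the skip file holds one account name per line.

```powershell
# Added example: audit local accounts whose passwords never expire.
# Assumptions: PowerShell 3.0+, run elevated; $AllowListPath is a hypothetical
# path to a file holding one account name per line.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$AllowListPath = '.\NoExpireOk.txt',
    [switch]$Clear
)

# Accounts that were reviewed and accepted; blank lines are ignored.
$allowed = @()
if (Test-Path -LiteralPath $AllowListPath) {
    $allowed = @(Get-Content -LiteralPath $AllowListPath |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ })
}

# Win32_UserAccount.PasswordExpires is False when "Password never expires" is set.
$accounts = Get-CimInstance -ClassName Win32_UserAccount `
    -Filter "LocalAccount=True AND PasswordExpires=False"

foreach ($account in $accounts) {
    if ($allowed -contains $account.Name) {
        Write-Verbose "Skipping allow-listed account $($account.Name)"
        continue
    }

    # Report every finding so it can be reviewed before anything changes.
    [pscustomobject]@{
        Name     = $account.Name
        Disabled = $account.Disabled
        Lockout  = $account.Lockout
    }

    # Only modify accounts when -Clear is given; -WhatIf previews the change.
    if ($Clear -and $PSCmdlet.ShouldProcess($account.Name, 'Clear Password never expires')) {
        Set-CimInstance -InputObject $account -Property @{ PasswordExpires = $true }
    }
}
```

Run the script without -Clear first to produce the review list, then add -Clear -WhatIf to preview the changes before applying them.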

©2002-2004 Microsoft Corporation. All rights reserved.