# Password expiration/ Active Directory



## Ckettleborough (Jan 14, 2009)

Hi all

Running windows 2003 server

Want to set user accounts so that their password never expires.
However theres a big number of users who id like to do this with, so would take a long time to set it at a per user basis with the 'password never expires' option- Basically looking for an easier/quicker way to do this.

The users are all set up in their own Organisational Units and Ive seen that you can assign group policys to them.

I have tried to import the current domain policy but it cannot be edidted at that level.

Also tried to create a new policy specifically for the OU's that i would like to change. But by doing this will it overwrite the current domain policy i have on these users/groups etc and only set what is defined in the new policy?

Also is there a specific policy rule which i can change to define the expiration of accounts - i believe the maximum age will only allow a maximum of 998 days - am i right in thinking that?

The more i think about it, i dont think its possible, but masewell ask! Any help/advice would be greatly appreciated.

Thanks
Carl


----------



## Ckettleborough (Jan 14, 2009)

Found that you can assign 2 group policies and put them in order of preference,

however still now sure if theres a specific group policy rule to define password expiration

Cheers


----------



## avisitor (Jul 13, 2008)

This is horrible practice, however, if you really want to do it, the Maximum Password Age policy takes a value of 0-999 days. 0 means that passwords don't expire.


----------



## Colossus610 (Jun 15, 2005)

I am with avisitor in that this is not a recommendable practice, but...
You can also select multiple users in ADU&C, right click--Properties and set the user account flags en masse; Account Expires, Password Never Expires etc.


----------



## Squashman (Apr 4, 2003)

This may help you as well.
http://www.joeware.net/freetools/tools/psomgr/index.htm


----------



## Ckettleborough (Jan 14, 2009)

Thanks all

I created a new policy with just the one entry for 999 password age.
Then added in a second policy below which carries the rest of the rules.

Think im right in thinking that it will use the first policy for the password age rule and then as it sees the rest of the rules are not defined, it will use the domain policy.

Thanks again
Carl


----------



## avisitor (Jul 13, 2008)

Remember, a maximum password age of 0 (unlimited) is longer than a maximum password age of 999.


----------



## Ckettleborough (Jan 14, 2009)

Perfect, thankyou matey ill change now

Cheers all for your input


----------



## truebluexxx (Aug 6, 2007)

I see that you have sorted your problem,but for future reference, a quick way to achieve your goal would have been to type this,

dsquery user -name * | dsmod user -pwdneverexpires yes


----------

