Active Directory account passwords are usually set to expire (for example: every 90 days) in most organizations. Configuring an AD account with PasswordNeverExpires is not recommended due to security. There might be a time where you need to extend an active directory account’s current password expiration date without changing the password expiration policy or changing the user’s password. Password expiration is controlled by a group policy setting named maximum password age. After the policy is applied to the domain, the system will check the pwdlastset attribute of the user objects. The attribute records the time when the user’s password is set. Following the procedures below, you can reset that date to extend a user’s password.
How To Reset Active Directory User Password Expiration Date
- Open Active Directory Users and Computers and select Advanced Features under the View tab.
- Navigate to the Users account and select its properties.
- Click the Attribute Editor tab.
- NOTE: If you still don’t see Attribute Editor, click on Start and search for ADSI Edit, then navigate to the Users account, right-click on it and select Properties, this will bring you to the Attribute Editor.
- Scroll the attribute values and select the pwdLastSet field. Modify it by entering 0 (zero) in the value field. Click OK. This sets the value to (Never) as in the password has never been set. Click OK on the User Account Properties box.
- Go to the the User’s Account Properties again. Go back to the Attribute Editor tab. Select pwdLastSet attribute and modify it with a value of -1. This will set the value to today’s date. Click OK twice.
