Password Expiration

Issue

A local account that has the Password never expires setting selected overrides the Maximum Password Age setting of the Password policy in Group Policy, so the user can keep the same password indefinitely.

The Password never expires setting also overrides the User must change password at next logon setting. As a result, an administrator who sets the initial password for an account continues to know it, because the user is never forced to change it. This is a critical security issue: for account-level access control and monitoring to be enforceable, administrators must not know their users' passwords.

Solution

Any local accounts identified in the security report as having non-expiring passwords should be reviewed to ensure that the Password never expires setting is not selected.

Instructions

To clear the Password never expires setting in Windows XP or Windows 2000

  1. Click Start, point to Settings, and then click Control Panel.
  2. Double-click Administrative Tools, and then double-click Computer Management.
  3. Double-click the Local Users and Groups folder, and then click the Users folder.
  4. In the right pane, double-click the account that you want to change.
  5. In the Administrative Properties dialog box, clear the Password never expires check box.

To clear the Password never expires setting in Windows NT

  1. Click Start, point to Programs, and then click Administrative Tools.
  2. Click User Manager for Domains.
  3. Under the User menu, click Select Domain, and then type the local computer name.
  4. Double-click the account that you want to change.
  5. In the User Properties dialog box, clear the Password never expires check box.
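Rather than clearing the check box on each account by hand, the same review and fix can be scripted. The following PowerShell script is an added example, not part of the original article; it reads each local account through the ADSI WinNT provider, assumes it is run with local administrator rights, and only modifies accounts when the -Fix switch is given.

```powershell
# Added example (not from the original article): report local accounts that have
# "Password never expires" set, and clear the flag when run with -Fix.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # defaults to the local machine
    [switch]$Fix                                 # without -Fix, report only
)

# ADS_UF_DONT_EXPIRE_PASSWD bit in the userFlags bitmask (documented value 0x10000).
$DONT_EXPIRE_PASSWD = 0x10000

$computer = [ADSI]"WinNT://$ComputerName,computer"
$users = $computer.Children | Where-Object { $_.SchemaClassName -eq 'User' }

$report = foreach ($user in $users) {
    $name  = $user.psbase.Name
    $flags = [int]$user.UserFlags.Value
    $neverExpires = ($flags -band $DONT_EXPIRE_PASSWD) -ne 0

    # PasswordExpired = 1 means "User must change password at next logon" is set.
    # When the never-expires bit is also set, that requirement is overridden,
    # so the administrator who set the initial password still knows it.
    $mustChange = ([int]$user.PasswordExpired.Value) -eq 1

    if ($neverExpires -and $Fix) {
        # Clear only the never-expires bit; leave every other flag untouched.
        $newFlags = $flags -band (-bnot $DONT_EXPIRE_PASSWD)
        $user.Put('UserFlags', $newFlags)
        $user.SetInfo()
    }

    [pscustomobject]@{
        Account              = $name
        PasswordNeverExpires = $neverExpires
        MustChangeAtLogon    = $mustChange
        Overridden           = ($neverExpires -and $mustChange)
        Cleared              = ($neverExpires -and $Fix)
    }
}

$report | Format-Table -AutoSize
```

Run it once without -Fix to review the list against the security report, then again with -Fix for the accounts that should not be exempt from the password policy.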

© 2002 Microsoft Corporation. All rights reserved.