Configure Password Expiration in AD Domain with Group Policy

The expiration date of an AD user’s password determines when and how often a user is required to change their domain password. Group Policy is used to configure password expiration in the Active Directory domain. Administrators can improve the security of user and service accounts within organizations by enforcing regular password changes.

If an Active Directory user’s password expires, they won’t be able to log on to the domain or access domain resources until they change their password. The following prompt will appear on the Windows login screen after the user has interactively entered the expired password:

Your password has expired and must be changed.


Configure Password Expiration Settings with Default Domain Policy

By default, the password expiration settings for the whole domain are configured in the Default Domain Policy Group Policy Object (GPO).

  1. Open the Group Policy Management Console (GPMC.msc) on a domain controller;
  2. Expand the Group Policy Objects container, right-click on the Default Domain Policy and select Edit;
  3. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy. Domain password expiration is configured using the Maximum password age option. This is the number of days a password can be used before the system requires the domain user to change it. By default, user account passwords expire 42 days after the last password change;
  4. You can edit the default policy value. For example, set the password to expire after 90 days. Save the changes;
  5. The new value of the password expiration policy will be applied to the DC within 5 minutes.
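After the policy has refreshed, the result can be verified from PowerShell. The script below is an added example, not part of the original article: it reads the maximum password age the domain now reports, checks it against the 90 days chosen in step 4, and lists when each enabled user's password will expire, which is the date the "Your password has expired" prompt shown above will start appearing for them. It assumes the RSAT ActiveDirectory module is installed and uses the placeholder domain name contoso.com.

```powershell
# Added example (not from the original article). Requires the RSAT ActiveDirectory module.
# "contoso.com" is a placeholder for your own domain name; 90 is the value chosen in step 4.
Import-Module ActiveDirectory
$Domain       = 'contoso.com'
$ExpectedDays = 90

# 1. Read the password policy the domain currently reports (42 days is the default).
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
"Domain MaxPasswordAge: {0} days" -f $policy.MaxPasswordAge.Days
if ($policy.MaxPasswordAge.Days -ne $ExpectedDays) {
    Write-Warning "Domain still reports $($policy.MaxPasswordAge.Days) days; wait for the GPO refresh or run 'gpupdate /force' on the PDC emulator."
}

# 2. Report when each enabled user's password expires.
#    msDS-UserPasswordExpiryTimeComputed is a constructed attribute the DC calculates from
#    PasswordLastSet and the policy that actually applies to the user. A fine-grained
#    password policy (PSO), where one is assigned, takes precedence over the Default Domain Policy.
$users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties PasswordLastSet, PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'

$report = foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    if (-not $raw) {
        $expires = 'must change at next logon'      # PasswordLastSet is 0
    } elseif ($raw -eq [Int64]::MaxValue) {
        $expires = 'never (PasswordNeverExpires)'   # 0x7FFFFFFFFFFFFFFF
    } else {
        $expires = [DateTime]::FromFileTime($raw)   # FILETIME -> local DateTime
    }
    $pso = Get-ADUserResultantPasswordPolicy -Identity $u   # $null when no PSO applies
    [PSCustomObject]@{
        User            = $u.SamAccountName
        PasswordLastSet = $u.PasswordLastSet
        Expires         = $expires
        EffectivePolicy = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
    }
}

# Accounts that will expire first appear at the top; "never" entries deserve a review,
# since they are exempt from the policy configured above.
$report | Sort-Object PasswordLastSet | Format-Table -AutoSize
```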