
	Home > Ask the Security Experts > Identity Management and Access Control Questions & Answers > How does the Group Policy Object interact with the 'Password Never Expires' flag?

Ask The Security Expert: Questions & Answers

EMAIL THIS

How does the Group Policy Object interact with the 'Password Never Expires' flag?

EXPERT RESPONSE FROM: Joel Dubin

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 07 August 2008
My organization has some accounts with the 'Password Never Expires' flag set and some without that setting. Among other settings, the Group Policy Object in Active Directory will set the maximum age of a password to 180 days. When the Group Policy Object is applied, what happens to these accounts? Will all accounts be asked to reset their passwords immediately at next login or in 180 days?

EXPERT RESPONSE
The Group Policy Object in Active Directory affects existing accounts only when users try to change or update their passwords earlier than the maximum password age of 180 days. Otherwise, they'll be asked to reset their passwords in 180 days, not at the next login.

The clock starts ticking whenever the maximum age is set in the Group Policy Object. However, if individual accounts are set in an organization -- whether to never expire or some other setting -- the Group Policy Object setting in Active Directory will take precedence for all registered accounts. The only exception is systems older than Windows 2000, which don't support Active Directory password management.

Policies can be set for individual workstations or the entire domain, but should be set at the domain level to keep security consistent throughout the network. Active Directory manages password age through the Group Policy Objects editor of its administrative GUI. It can also manage password history, length and complexity.

Password policies, including password age, should be based on a thorough risk assessment of corporate systems and applications. Those with high-risk data, such as customer data or proprietary company information, should have tighter access control policies, meaning more frequent password expirations.

Make sure to have a consistent policy across the organization for password age and expiration, and put it in writing in accordance with corporate IT security standards.

More information:

Should users set up password expiries in Active Directory? Learn more.
Read about the pros and cons of using stand-alone authentication that is not Active Directory-based.

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Identity Management and Access Control
	What are the options for a mechanical (not electrical) door security system on a server room door?
	What's the difference between access control mechanisms and identity management techniques?
	What courses can improve fundamental knowledge of infrastructure systems (Active Directory, LDAP, etc.)?
	What tools provide user provisioning and single sign-on for PeopleSoft- and Unix-based products?
	Should a new user have to confirm his or her email address before gaining access?
	Can home PCs provide a way for viruses and spyware to enter a corporate LAN?
	What should an enterprise look for in a password token, and in a vendor?
	Is it possible to write a batch file that allows user access to the local admin group for a short time?
	IAM best practices for employees with varying degrees of access to the same computer
	What are some good pre-boot biometric user authentication tools or strategies?

Password Management

ID and password authentication: Keeping data safe with management and policies

New Sun product illustrates identity management trend

Sun launches open source OpenSSO for identity management

Shared Identity Providers Could Soothe Password Chaos

What are the benefits of identity managed as a service?

What are best practices for remote management of medical imaging devices?

What kinds of new 'picture password' technologies are available for mobile devices?

Trends in enterprise identity and access management

Is it illegal for anyone in an enterprise to ask an employee for his or her password?

Societe Generale bolsters internal controls, discovers second insider

Directory Services

What courses can improve fundamental knowledge of infrastructure systems (Active Directory, LDAP, etc.)?

Directory services and beyond: The future of LDAP

What are the benefits of identity managed as a service?

Enterprise role management: Trends and best practices

How can I retrieve and restore a deleted user account in Active Directory?

Identity Management Suites Enable Integration, Interoperability

What should an internal support model for identity management look like?

Security360: Identity management market

Information protection: Using Windows Rights Management Services to secure data

IBM releases simplified Tivoli Identity Manager

Directory Services Research

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

graphical password (SearchSecurity.com)

identity chaos (SearchSecurity.com)

logon (SearchSecurity.com)

OpenID (WhatIs.com)

passphrase (SearchSecurity.com)

password (SearchSecurity.com)

shadow password file (SearchSecurity.com)

single-factor authentication (SFA) (SearchSecurity.com)

TACACS (SearchSecurity.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

Find Security Solutions for Your Business
Targeted Security Channel Tips for Resellers, Integrators and Consultants

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Site Index

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.


TechTarget Corporate Web Site \| Media Kits \| Reprints \| Site Map All Rights Reserved, Copyright 2003 - 2008, TechTarget \| Read our Privacy Policy