Active Directory: Reset Expiry Date of an expired Password

Many companies have a policy that requires their users to change their passwords regularly (e.g. every 90 days). In Active Directory, this is normally enforced via Group Policy.

This works well, but can be problematic if the user is out of the office while the password expires. For example, if he or she accesses company email from a mobile phone via ActiveSync, access is blocked once the password has expired. ActiveSync does not support password changes, so the user has no way to get his or her mail working again.

One possible solution is to have the user call the company's service desk and have them reset his or her password to a standard one. On the ActiveSync device this new password would have to be entered and then mail flow would start again. Once back in the office, the user would have to set the password to something secret again.

While possible, this workaround has drawbacks: a standard password known to the service desk stays in place until the user is back in the office, which has security and compliance implications.

A better solution is to have the service desk do the following:

  • Go to the user object in AD Users and Computers
  • On the "Account" tab, tick "User must change password at next logon"
  • Click "Apply"
  • Un-tick "User must change password at next logon"
  • Click "Apply"

This un-expires the password and restarts the full expiry period (e.g. 90 days) from the current date, without the user having to choose a new password.
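The same procedure can be scripted for the service desk. Ticking the box sets the user's pwdLastSet attribute to 0, and un-ticking it sets pwdLastSet to -1, which makes the domain controller stamp the current time. The script below is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module (RSAT) and an account permitted to modify the target user, and the function names and the 'jdoe' account are placeholders.

```powershell
# Added example: script equivalent of the GUI steps above (not from the original post).
# Assumes the ActiveDirectory module is installed and the caller may modify the user.
Import-Module ActiveDirectory

function Get-PasswordExpiryInfo {
    param([Parameter(Mandatory)][string]$Identity)
    $u = Get-ADUser -Identity $Identity -Properties PasswordLastSet, PasswordExpired, `
        PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 means "must change at next logon"; Int64.MaxValue means "never expires".
    # Both would give nonsense (or an exception) if passed to FromFileTime.
    $expires = switch ($raw) {
        0                 { 'must change at next logon' }
        ([long]::MaxValue) { 'never' }
        default           { [datetime]::FromFileTime($raw) }
    }
    [pscustomobject]@{
        User            = $u.SamAccountName
        PasswordLastSet = $u.PasswordLastSet
        PasswordExpired = $u.PasswordExpired
        NeverExpires    = $u.PasswordNeverExpires
        ExpiresOn       = $expires
    }
}

function Reset-PasswordExpiry {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity)

    $before = Get-PasswordExpiryInfo -Identity $Identity
    Write-Verbose ("Before: last set {0}, expires {1}" -f $before.PasswordLastSet, $before.ExpiresOn)

    if ($PSCmdlet.ShouldProcess($Identity, 'Reset password expiry date')) {
        # Step 1: tick "User must change password at next logon" -> pwdLastSet = 0
        Set-ADUser -Identity $Identity -Replace @{pwdLastSet = 0}
        # Step 2: un-tick it -> pwdLastSet = -1, which the DC replaces with the
        # current time, so the full maximum-password-age period starts again now
        Set-ADUser -Identity $Identity -Replace @{pwdLastSet = -1}
    }

    # Read back so the service desk can confirm the new expiry date
    Get-PasswordExpiryInfo -Identity $Identity
}

# Usage (placeholder account name); -WhatIf shows the change without applying it:
# Reset-PasswordExpiry -Identity 'jdoe' -Verbose
```

The read-back relies on the constructed attribute msDS-UserPasswordExpiryTimeComputed, so it also reflects fine-grained password policies applied to the user.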
