Administrator Password Never Expires

Archived from groups: microsoft.public.win2000.security

It would appear when auditing various domains that the Administrator account in the domain has the "password never expires" block checked and the box is disabled (read: greyed out) so that setting cannot be changed to make the domain administrator password expire.

Is there a way to make the account expire (or at least ask/force the account to change the password)?

Thanks in advance!
Jeremy Shelley, MCSE, CISSP

P.S. I know it's not exactly a good idea to have your Domain Administrator account expire but governmental rules are governmental rules.
  1. Archived from groups: microsoft.public.win2000.security

    I believe that is hard coded into the operating system and cannot be easily
    changed. You can use passprop to lock out that account to
    network logon attempts but never to console logon at a domain controller. In
    Windows 2003 you can disable the built-in administrator account except to
    safe mode logon. --- Steve


    "MCSEStretch" <MCSEStretch@discussions.microsoft.com> wrote in message
    news:AE0CFCE4-1925-4B4F-986C-C69F2DC97C42@microsoft.com...
    > It would appear when auditing various domains that the Administrator
    > account in the domain has the "password never expires" block checked and the
    > box is disabled (read: greyed out) so that setting cannot be changed to
    > make the domain administrator password expire.
    >
    > Is there a way to make the account expire (or at least ask/force the
    > account to change the password)?
    >
    > Thanks in advance!
    > Jeremy Shelley, MCSE, CISSP
    >
    > P.S. I know it's not exactly a good idea to have your Domain Administrator
    > account expire but governmental rules are governmental rules.
  2. Archived from groups: microsoft.public.win2000.security

    It could be related to accounts created at OS install. Have you tried to
    create an account and make it a member of the same groups? I believe (but I
    have not tested...) that that way you should be able to set/clear the
    option.

    cheers,

    Marco

    --
    Execute applications with elevated privileges [ www.neovalens.com ]
    --


    "MCSEStretch" <MCSEStretch@discussions.microsoft.com> wrote in message
    news:AE0CFCE4-1925-4B4F-986C-C69F2DC97C42@microsoft.com...
    > It would appear when auditing various domains that the Administrator
    > account in the domain has the "password never expires" block checked and the
    > box is disabled (read: greyed out) so that setting cannot be changed to
    > make the domain administrator password expire.
    >
    > Is there a way to make the account expire (or at least ask/force the
    > account to change the password)?
    >
    > Thanks in advance!
    > Jeremy Shelley, MCSE, CISSP
    >
    > P.S. I know it's not exactly a good idea to have your Domain Administrator
    > account expire but governmental rules are governmental rules.
  3. Archived from groups: microsoft.public.win2000.security

    Why not audit the PasswordLastSetTime field to make sure the admins are, in
    fact, following the reg? I use Dumpsec
    (http://www.systemtools.com/somarsoft) to dump the directory listing of user
    accounts to a CSV then import it to MSAccess. Works very well to catch
    admins who set their own accounts' passwords to never expire.

    HTH

    John

    "Steven L Umbach" <n9rou@nscomcast.net> wrote in message
    news:A%hCc.79949$Hg2.47358@attbi_s04...
    > I believe that is hard coded into the operating system and can not be easily
    > changed. You can use passprop to lockout that account to
    > network logon attempts but never to console logon at a domain controller. In
    > Windows 2003 you can disable the built in administrator account except to
    > safe mode logon. --- Steve
    >
    >
    > "MCSEStretch" <MCSEStretch@discussions.microsoft.com> wrote in message
    > news:AE0CFCE4-1925-4B4F-986C-C69F2DC97C42@microsoft.com...
    > > It would appear when auditing various domains that the Administrator
    > > account in the domain has the "password never expires" block checked and the
    > > box is disabled (read: greyed out) so that setting cannot be changed to
    > > make the domain administrator password expire.
    > >
    > > Is there a way to make the account expire (or at least ask/force the
    > > account to change the password)?
    > >
    > > Thanks in advance!
    > > Jeremy Shelley, MCSE, CISSP
    > >
    > > P.S. I know it's not exactly a good idea to have your Domain Administrator
    > > account expire but governmental rules are governmental rules.
  4. Archived from groups: microsoft.public.win2000.security

    John,

    Thanks for the tip. Any tips for getting the PasswordLastSetTime value for the various accounts? (sorry, I'm not a programmer except for a smattering of VB).

    Also, I thought DumpACL just retrieved the DACLs and SACLs, not user account information.

    Your help is most appreciated.

    Jeremy

    "John Wessell" wrote:

    > Why not audit the PasswordLastSetTime field to make sure the admins are, in
    > fact, following the reg? I use Dumpsec
    > (http://www.systemtools.com/somarsoft) to dump the directory listing of user
    > accounts to a CSV then import it to MSAccess. Works very well to catch
    > admins who set their own accounts' passwords to never expire.
    >
    > HTH
    >
    > John
    >
    > "Steven L Umbach" <n9rou@nscomcast.net> wrote in message
    > news:A%hCc.79949$Hg2.47358@attbi_s04...
    > > I believe that is hard coded into the operating system and can not be easily
    > > changed. You can use passprop to lockout that account to
    > > network logon attempts but never to console logon at a domain controller. In
    > > Windows 2003 you can disable the built in administrator account except to
    > > safe mode logon. --- Steve
    > >
    > >
    > > "MCSEStretch" <MCSEStretch@discussions.microsoft.com> wrote in message
    > > news:AE0CFCE4-1925-4B4F-986C-C69F2DC97C42@microsoft.com...
    > > > It would appear when auditing various domains that the Administrator
    > > > account in the domain has the "password never expires" block checked and the
    > > > box is disabled (read: greyed out) so that setting cannot be changed to
    > > > make the domain administrator password expire.
    > > >
    > > > Is there a way to make the account expire (or at least ask/force the
    > > > account to change the password)?
    > > >
    > > > Thanks in advance!
    > > > Jeremy Shelley, MCSE, CISSP
    > > >
    > > > P.S. I know it's not exactly a good idea to have your Domain Administrator
    > > > account expire but governmental rules are governmental rules.
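
Added example, not part of the original thread: one way to run the password-age audit suggested in answer 3 and asked about in answer 4. It assumes the accounts were exported from the directory to CSV (for instance with `csvde -f users.csv -r "(objectCategory=person)" -l sAMAccountName,pwdLastSet,userAccountControl`); the sample rows, the `audit` helper and the 90-day limit are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_ACCOUNTDISABLE = 0x0002       # userAccountControl bit: account is disabled
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit: "password never expires"

# Constructed sample in the shape of a csvde export (assumed column set).
SAMPLE_CSV = """DN,sAMAccountName,pwdLastSet,userAccountControl
"CN=Administrator,CN=Users,DC=example,DC=test",Administrator,126858528000000000,66048
"CN=jdoe,CN=Users,DC=example,DC=test",jdoe,127305216000000000,512
"CN=svc-backup,CN=Users,DC=example,DC=test",svc-backup,127278432000000000,66048
"CN=asmith,CN=Users,DC=example,DC=test",asmith,127173888000000000,512
"CN=newhire,CN=Users,DC=example,DC=test",newhire,0,512
"CN=olduser,CN=Users,DC=example,DC=test",olduser,126858528000000000,514
"""

def filetime_to_utc(value):
    """pwdLastSet counts 100 ns ticks since 1601-01-01 UTC; 0 means 'must change at next logon'."""
    ticks = int(value)
    return None if ticks == 0 else FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def audit(csv_text, now, max_age_days=90):
    """Return (account, reasons) for enabled accounts that break the password-age rule."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        uac = int(row["userAccountControl"])
        if uac & UF_ACCOUNTDISABLE:
            continue  # disabled accounts cannot log on; report them separately if needed
        reasons = []
        if uac & UF_DONT_EXPIRE_PASSWD:
            reasons.append("never-expires flag set")
        last_set = filetime_to_utc(row["pwdLastSet"])
        if last_set is not None and (now - last_set).days > max_age_days:
            reasons.append(f"password is {(now - last_set).days} days old")
        if reasons:
            findings.append((row["sAMAccountName"], reasons))
    return findings

if __name__ == "__main__":
    as_of = datetime(2004, 6, 25, tzinfo=timezone.utc)  # constructed audit date
    for name, reasons in audit(SAMPLE_CSV, as_of):
        print(f"{name}: {'; '.join(reasons)}")
```

Because the check is on password age rather than on the expiry flag alone, it also covers an account such as the built-in Administrator, where the flag cannot be cleared but the password can still be rotated on schedule.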