Administrator Password Never Expires

Anonymous
June 23, 2004 9:51:01 AM

Archived from groups: microsoft.public.win2000.security (More info?)

It would appear when auditing various domains that the Administrator account in the domain has the "password never expires" block checked and the box is disabled (read: greyed out) so that setting cannot be changed to make the domain administrator password expire.

Is there a way to make the account expire (or at least ask/force the account to change the password)?

Thanks in advance!
Jeremy Shelley, MCSE, CISSP

P.S. I know it's not exactly a good idea to have your Domain Administrator account expire but governmental rules are governmental rules.
Anonymous
June 23, 2004 8:14:24 PM

I believe that is hard coded into the operating system and can not be easily
changed [I know of no way]. You can use passprop to lockout that account to
network logon attempts but never to console logon at a domain controller. In
Windows 2003 you can disable the built in administrator account except to
safe mode logon. --- Steve


"MCSEStretch" <MCSEStretch@discussions.microsoft.com> wrote in message
news:AE0CFCE4-1925-4B4F-986C-C69F2DC97C42@microsoft.com...
> It would appear when auditing various domains that the Administrator
> account in the domain has the "password never expires" block checked and the
> box is disabled (read: greyed out) so that setting cannot be changed to
> make the domain administrator password expire.
>
> Is there a way to make the account expire (or at least ask/force the
> account to change the password)?
>
> Thanks in advance!
> Jeremy Shelley, MCSE, CISSP
>
> P.S. I know it's not exactly a good idea to have your Domain Administrator
> account expire but governmental rules are governmental rules.

June 23, 2004 8:36:22 PM

It could be related to accounts created at OS install. Have you tried to
create an account and make it a member of the same groups? I believe (but I
have not tested ..) that that way you should be able to set/clear the
option.

cheers,

Marco

--
Execute applications with elevated privileges [ www.neovalens.com ]
--



"MCSEStretch" <MCSEStretch@discussions.microsoft.com> wrote in message
news:AE0CFCE4-1925-4B4F-986C-C69F2DC97C42@microsoft.com...
> It would appear when auditing various domains that the Administrator
> account in the domain has the "password never expires" block checked and the
> box is disabled (read: greyed out) so that setting cannot be changed to
> make the domain administrator password expire.
>
> Is there a way to make the account expire (or at least ask/force the
> account to change the password)?
>
> Thanks in advance!
> Jeremy Shelley, MCSE, CISSP
>
> P.S. I know it's not exactly a good idea to have your Domain Administrator
> account expire but governmental rules are governmental rules.

Anonymous
June 24, 2004 2:35:51 PM

Why not audit the PasswordLastSetTime field to make sure the admins are, in
fact, following the reg? I use Dumpsec
(http://www.systemtools.com/somarsoft) to dump the directory listing of user
accounts to a CSV then import it to MSAccess. Works very well to catch
admins who set their own accounts' passwords to never expire.

HTH

John

"Steven L Umbach" <n9rou@nscomcast.net> wrote in message
news:A%hCc.79949$Hg2.47358@attbi_s04...
> I believe that is hard coded into the operating system and can not be easily
> changed [I know of no way]. You can use passprop to lockout that account to
> network logon attempts but never to console logon at a domain controller. In
> Windows 2003 you can disable the built in administrator account except to
> safe mode logon. --- Steve
>
>
> "MCSEStretch" <MCSEStretch@discussions.microsoft.com> wrote in message
> news:AE0CFCE4-1925-4B4F-986C-C69F2DC97C42@microsoft.com...
> > It would appear when auditing various domains that the Administrator
> > account in the domain has the "password never expires" block checked and the
> > box is disabled (read: greyed out) so that setting cannot be changed to
> > make the domain administrator password expire.
> >
> > Is there a way to make the account expire (or at least ask/force the
> > account to change the password)?
> >
> > Thanks in advance!
> > Jeremy Shelley, MCSE, CISSP
> >
> > P.S. I know it's not exactly a good idea to have your Domain Administrator
> > account expire but governmental rules are governmental rules.

Anonymous
June 25, 2004 12:49:37 PM

John,

Thanks for the tip. Any tips for getting the PasswordLastSetTime value for the various accounts? (sorry, I'm not a programmer except for a smattering of VB).

Also, I thought DumpACL just retrieved the DACLs and SACLs, not user account information.

Your help is most appreciated.

Jeremy

"John Wessell" wrote:

> Why not audit the PasswordLastSetTime field to make sure the admins are, in
> fact, following the reg? I use Dumpsec
> (http://www.systemtools.com/somarsoft) to dump the directory listing of user
> accounts to a CSV then import it to MSAccess. Works very well to catch
> admins who set their own accounts' passwords to never expire.
>
> HTH
>
> John
>
> "Steven L Umbach" <n9rou@nscomcast.net> wrote in message
> news:A%hCc.79949$Hg2.47358@attbi_s04...
> > I believe that is hard coded into the operating system and can not be easily
> > changed [I know of no way]. You can use passprop to lockout that account to
> > network logon attempts but never to console logon at a domain controller. In
> > Windows 2003 you can disable the built in administrator account except to
> > safe mode logon. --- Steve
> >
> >
> > "MCSEStretch" <MCSEStretch@discussions.microsoft.com> wrote in message
> > news:AE0CFCE4-1925-4B4F-986C-C69F2DC97C42@microsoft.com...
> > > It would appear when auditing various domains that the Administrator
> > > account in the domain has the "password never expires" block checked and the
> > > box is disabled (read: greyed out) so that setting cannot be changed to
> > > make the domain administrator password expire.
> > >
> > > Is there a way to make the account expire (or at least ask/force the
> > > account to change the password)?
> > >
> > > Thanks in advance!
> > > Jeremy Shelley, MCSE, CISSP
> > >
> > > P.S. I know it's not exactly a good idea to have your Domain Administrator
> > > account expire but governmental rules are governmental rules.
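
The password-age audit discussed in this thread, as an added example that is not part of the original posts or of any tool named in them. It assumes the user accounts were exported to CSV with the raw Active Directory attributes `sAMAccountName`, `userAccountControl` and `pwdLastSet`; the sample rows are constructed and the 90-day limit is an assumed policy value.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags defined by Active Directory
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000

# pwdLastSet counts 100-nanosecond intervals since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample export; account names and values are made up.
SAMPLE_CSV = """sAMAccountName,userAccountControl,pwdLastSet
Administrator,66048,127000000000000000
jadmin,512,127320000000000000
svc_backup,66048,127100000000000000
olduser,514,126900000000000000
newhire,512,0
"""

def filetime_to_datetime(filetime):
    """Convert a pwdLastSet value to a timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def audit_passwords(csv_text, now, max_age_days):
    """Return (account, finding) tuples for enabled accounts that break policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["sAMAccountName"]
        uac = int(row["userAccountControl"])
        last_set = int(row["pwdLastSet"])
        if uac & ACCOUNTDISABLE:
            continue  # disabled accounts are out of scope for this check
        if uac & DONT_EXPIRE_PASSWORD:
            findings.append((name, "password never expires"))
        if last_set == 0:
            continue  # 0 means "must change at next logon": no age to measure
        age = (now - filetime_to_datetime(last_set)).days
        if age > max_age_days:
            findings.append((name, f"password is {age} days old"))
    return findings

if __name__ == "__main__":
    report_time = datetime(2004, 6, 25, tzinfo=timezone.utc)
    for account, finding in audit_passwords(SAMPLE_CSV, report_time, 90):
        print(f"{account}: {finding}")
```

Because the age check runs independently of the never-expires flag, an account whose expiry cannot be enforced by the system still shows up when its password has not been changed within the required period.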