This article explains how to extend the password expiry period in Active Directory (AD). By default, Active Directory enforces a password policy that sets a maximum password age for user accounts. When a password reaches its expiration date, it is considered expired, and the user must change it at the next login.
However, there are cases where a domain user cannot change an expired password in time, such as when connecting remotely via VPN or RDS. In such situations, an administrator can extend the password’s validity without enabling the Password Never Expires option, which is less secure.
Checking a User’s Password Expiry in AD with PowerShell
To check a user’s password expiry details, use the following PowerShell cmdlet:
Get-ADUser -Identity a.ivanov -Properties msDS-UserPasswordExpiryTimeComputed, PasswordLastSet, PasswordNeverExpires, PasswordExpired | Select-Object -Property Name, PasswordLastSet, PasswordNeverExpires, PasswordExpired, @{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
Account Password Expiry in AD
If a user’s password is expired, the PasswordExpired attribute will be set to True. The expiration date is stored in the msDS-UserPasswordExpiryTimeComputed attribute, calculated based on the pwdLastSet attribute and the applicable password policy.
Get-ADUser a.ivanov -Properties pwdLastSet | Select-Object SamAccountName, @{Name="pwdLastSet";Expression={[datetime]::FromFileTime($_.pwdLastSet)}}
The pwdLastSet attribute stores the date as a 64-bit Windows NT FILETIME value (which [datetime]::FromFileTime converts to a readable date). It can have one of the following special values:
– 0 — Resets the password to a “never set” state.
– -1 — Resets the password change date to the current time.
Modifying the User Attribute
To extend a password’s validity, modify the pwdLastSet attribute. First set it to 0, then to -1:
Set-ADUser a.ivanov -Replace @{pwdLastSet='0'}
Set-ADUser a.ivanov -Replace @{pwdLastSet='-1'}
Now, check the password change date and expiry date. The password change date will be updated to the current time, and the user’s password validity will be extended. Setting an arbitrary password change date is not possible.
Extending Password Expiry in AD
This method can also be used when enabling a password expiration policy in a domain where passwords previously never expired, either because the domain policy had no maximum password age or because accounts had the Password Never Expires option enabled. After enabling such a policy, all users will be required to change their passwords at once, which can disrupt organizational operations. To avoid widespread issues, extend the password validity for all users before implementing the policy.
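As an added example (not from the original article), the following script applies the 0 then -1 reset in bulk to the enabled users of one OU whose passwords have expired or will expire within a few days, which is the preparatory step described above. The OU path and the day threshold are assumed placeholders; the script supports -WhatIf for a dry run and deliberately skips accounts flagged "must change password at next logon", since the -1 reset would silently clear that flag.

```powershell
# Added example, not part of the original article. Requires the ActiveDirectory module
# and an account permitted to write pwdLastSet. $SearchBase is an assumed OU.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'OU=Staff,DC=example,DC=com',   # placeholder, adjust to your domain
    [int]$Days = 7                                        # extend passwords expiring within N days
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays($Days)
$props  = 'msDS-UserPasswordExpiryTimeComputed', 'pwdLastSet', 'PasswordNeverExpires'

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $props

foreach ($u in $users) {
    # pwdLastSet = 0 means "user must change password at next logon";
    # a -1 reset would clear that flag, so leave such accounts alone.
    if ($u.pwdLastSet -eq 0) {
        Write-Verbose "$($u.SamAccountName): must-change flag set, skipping"
        continue
    }
    # Password Never Expires accounts have no computed expiry; nothing to extend.
    if ($u.PasswordNeverExpires) { continue }

    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # Int64.MaxValue is returned when no expiry applies (e.g. policy has no maximum age).
    if (-not $raw -or $raw -eq [int64]::MaxValue) { continue }
    $expiry = [datetime]::FromFileTime($raw)
    if ($expiry -gt $cutoff) { continue }   # more than $Days days left, untouched

    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "reset pwdLastSet (expires $expiry)")) {
        # The two-step reset from the article: 0 clears the timestamp, -1 stamps the current time.
        Set-ADUser -Identity $u -Replace @{pwdLastSet = 0}
        Set-ADUser -Identity $u -Replace @{pwdLastSet = -1}

        # Re-read the computed expiry to confirm the domain policy produced a new date.
        $after     = Get-ADUser -Identity $u -Properties msDS-UserPasswordExpiryTimeComputed
        $newExpiry = [datetime]::FromFileTime($after.'msDS-UserPasswordExpiryTimeComputed')
        [pscustomobject]@{
            User      = $u.SamAccountName
            OldExpiry = $expiry
            NewExpiry = $newExpiry
        }
    }
}
```

Run it once with -WhatIf -Verbose to review which accounts would be touched before performing the real reset.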
Extending password expiry in Active Directory is a critical task, especially when users cannot change their passwords themselves. Using PowerShell and the methods described, administrators can quickly and securely extend password validity without violating the domain’s password policy.