Share via

Active Directory: Fun with Maximum Password Age

  • Article

Introduction

The default password policy for an Active Directory domain defines the maximum password age. This specifies how long passwords can be used before they expire. The value applies to all users in the domain unless overridden by a Password Setting Object using Fine-Grained Password Policies.

The maxPwdAge AD Attribute

The domain maximum password age is determined by the value of the maxPwdAge attribute. Only the domainDNS object that represents the domain in Active Directory has this attribute. The syntax is Integer8, also called LargeInteger. The value is a 64-bit integer representing time intervals in 100-nanosecond ticks.  The value is always negative. For example, if the maximum password age in the domain is 10 days, then maxPwdAge will have the value:

maxPwdAge = (-1) x 10 days x 24 hours/day x 60 minutes/hour x 60 seconds/minute x 10,000,000 ticks/second = -8,640,000,000,000 ticks

The unusual format makes it difficult to work with directly. Fortunately, Active Directory Users and Computers (beginning with Windows Server 2008) displays the value of maxPwdAge in the format dd:hh:mm:ss (days:hours:minutes:seconds). The value corresponding to 10 days is shown in ADUC as "10:00:00:00".

If you use Group Policy to view the default domain policy, the value is found in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy. The same value would appear as "10 days". Group Policy allows you to assign any value from 1 to 999 days, as long as the value exceeds the setting for minimum password age. The screen to view and modify the domain maximum password age policy is shown below:

The ldp utility can display the value of the maxPwdAge attribute of the domain object, but there are quirks. The Windows 2000 server version of the utility shows the actual negative large integer value. The Windows Server 2003 version shows the value in positive seconds. The versions from Windows 2008 on display the value in positive days, hours, minutes, and seconds.

All versions of the command line utility dsquery have problems retrieving the value of the maxPwdAge attribute. Instead of a negative sign in front of the value, they display a long string of garbage characters.

↑ Return to Top

The MaxPasswordAge PowerShell Property

The PowerShell AD module cmdlet Get-ADDefaultDomainPasswordPolicy can be used to retrieve the domain password policies. One of the properties this cmdlet exposes is MaxPasswordAge. This property is the value of the maxPwdAge attribute of the domain, but formatted as dd.hh:mm:ss.xxxxxxx, where dd is days, hh is hours, mm is minutes, ss is seconds, and xxxxxxx is fractions of a second. The value is always displayed as positive. Note that a period separates the days from the hours (not the colon used in ADUC). Sample output from the cmdlet is shown below:

The Set-ADDefaultDomainPasswordPolicy cmdlet can be used to assign a value to the MaxPasswordAge property. The value should be in the format dd.hh:mm:ss. To assign the value of 10 days, you would specify "10.", with the trailing period.

↑ Return to Top

Can MaxPasswordAge be Negative?

The help for Set-ADDefaultDomainPasswordPolicy states that the value must be between -10675199:02:48:05.4775808 and 10675199:02:48:05.4775807. Really. That's 10,675,199 days, which comes out to just over 29,227 years. But what does a negative value for MaxPasswordAge mean? Does that mean the maxPwdAge attribute will be positive?

The help even states the following:

The following examples show how to set this parameter.
Set the time span to 2 days
MaxPasswordAge "2"
Set the time span to the previous 2 days
MaxPasswordAge "-2"

Anyone see a problem here? Does this mean passwords can be configured to expire two days before they are changed? Seems like all passwords will always be expired. You would need to change your password every time you logged on.

But this assumes that a negative value for MaxPasswordAge is allowed. Fortunately, it is not. The help for Set-ADDefaultDomainPasswordPolicy is not correct at this point. Sure, PowerShell TimeSpans can be positive or negative, but Active Directory will not allow you to configure passwords to be expired before they are set. In fact, MaxPasswordAge must always exceed MinPasswordAge. If you use Set-ADDefaultDomainPasswordPolicy to assign a negative number of days to MaxPasswordAge, no error is raised, but the absolute value of the number of days is assigned (so that maxPwdAge is negative).

↑ Return to Top

If Maximum Password Age is Set to Zero

You cannot assign zero to maxPwdAge directly. And you cannot assign zero to the MaxPasswordAge PowerShell property using Set-ADDefaultDomainPasswordPolicy. This would violate the requirement that the maximum password age must exceed the minimum password age. However, you can assign zero in Group Policy. Group Policy will then display the value as "Never". This will assign the largest negative value possible to the pwdLastSet attribute of the domain object in Active Directory. This value is -9,223,372,036,854,775,808, which corresponds to 10,675,199 days, or more than 29,227 years in the future. OK, that is not forever, but close enough. The affect is that passwords will not expire during anyone's lifetime.

↑ Return to Top

Assign Password Never Expires

Instead of using Group Policy to assign zero to the maximum password age, you can configure accounts for "Password never expires". You do this on the "Account" tab of user properties in ADUC. You can select all of the user objects you want and configure them in bulk, leaving other accounts alone. This probably is the best procedure if you really have users whose passwords should not expire.

↑ Return to Top

See Also

↑ Return to Top

Other Resources

↑ Return to Top