Default password age in Active Directory – Microsoft



What does password age mean?

The Minimum password age policy setting determines the period of time (in days) that a password must be used before the user can change it.

You can set a value between 1 and 998 days, or you can allow password changes immediately by setting the number of days to 0.

Condition:

The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire.

A Maximum password age of “0” means passwords never expire. If you want passwords to never expire, set Maximum password age = 0.

If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.

Microsoft recommends Minimum password age = 1

Setting the number of days to 0 allows immediate password changes. This setting is not recommended.

Combining immediate password changes with password history allows someone to change a password repeatedly until the password history requirement is met and then re-establish the original password.

Let's understand this with an example.

For example, suppose a password is “[email protected]!” and the history requirement is 24. If the minimum password age is 0, the password can be changed 24 times in a row until finally changed back to “[email protected]!”.

The minimum password age of 1 day prevents that.

If you set a password for a user and you want that user to change the administrator-defined password, you must select the User must change password at next logon check box.

Otherwise, the user will not be able to change the password until the number of days specified by Minimum password age has passed.
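
The rules above (the 0 to 998 day range, minimum less than maximum unless the maximum is 0, and the password history bypass when the minimum is 0) can be checked mechanically. The PowerShell below is an added example, not code from the original article or from Microsoft; the function name `Test-PasswordAgePolicy` and the sample policy values are assumptions made for illustration.

```powershell
# Added example: checks a password policy against the rules described in the article.
# Test-PasswordAgePolicy is a hypothetical helper name, not a built-in cmdlet.
function Test-PasswordAgePolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][TimeSpan]$MinPasswordAge,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][TimeSpan]$MaxPasswordAge,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][int]$PasswordHistoryCount
    )
    process {
        $minDays = $MinPasswordAge.TotalDays
        $maxDays = $MaxPasswordAge.TotalDays

        # Allowed range: 0 (immediate changes) up to 998 days.
        if ($minDays -lt 0 -or $minDays -gt 998) {
            "FAIL: minimum password age $minDays is outside 0-998 days."
        }
        # Maximum age 0 means passwords never expire, so the min < max rule is skipped.
        if ($maxDays -ne 0 -and $minDays -ge $maxDays) {
            "FAIL: minimum age ($minDays) must be less than maximum age ($maxDays)."
        }
        # Minimum age 0 plus password history is the cycling case from the example.
        if ($minDays -eq 0 -and $PasswordHistoryCount -gt 0) {
            "WARN: minimum age 0 lets a user change the password $PasswordHistoryCount " +
            "times in a row and return to the original; set it to 1 day."
        }
        elseif ($minDays -eq 0) {
            "WARN: minimum age 0 allows immediate password changes; 1 day is recommended."
        }
    }
}

# Constructed sample policies (not real domain data).
$samples = @(
    [pscustomobject]@{ MinPasswordAge = [TimeSpan]::Zero
                       MaxPasswordAge = [TimeSpan]::FromDays(42); PasswordHistoryCount = 24 }
    [pscustomobject]@{ MinPasswordAge = [TimeSpan]::FromDays(1)
                       MaxPasswordAge = [TimeSpan]::FromDays(42); PasswordHistoryCount = 24 }
    [pscustomobject]@{ MinPasswordAge = [TimeSpan]::FromDays(30)
                       MaxPasswordAge = [TimeSpan]::Zero;         PasswordHistoryCount = 24 }
    [pscustomobject]@{ MinPasswordAge = [TimeSpan]::FromDays(60)
                       MaxPasswordAge = [TimeSpan]::FromDays(42); PasswordHistoryCount = 24 }
)
$samples | Test-PasswordAgePolicy

# On a host with the ActiveDirectory module, audit the live default domain policy:
#   Get-ADDefaultDomainPasswordPolicy | Test-PasswordAgePolicy
```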

