Automatic Password Enforcement and Expiration Change

Forums Operating Systems Windows Server 2008 Miscellaneous Automatic Password Enforcement and Expiration Change

Viewing 2 reply threads
  • Author
    • #48518

      Some time ago I did try to find out how this can be done using a registry modification using Sysinternals Process Monitor (filter: [Process Name] is [lsass.exe] then [Include]) which was monitoring while I clicked the Apply button of the Group Policy Editor (tutorial). Within the HKLMSAMSAMDomainsAccountF string in the registry some values changed. I expect that this is done by some functioncall but haven’t tried to find that out.

      Maybe this helps you any further.

      Good luck!


    • #48519

      Well for the time being, I found a workaround for my problem. After some research, I was able to change the settings during the install by inserting a command file in the WindowsSetupScripts folder in the wim. The file itself is labeled ‘SetupComplete.cmd’. I inserted the line: net accounts /maxpwage:unlimited. Alas I was unable to find out how to disable enforcement, but I can live with this. 🙂

      Furthermore, I was also able to set some features to be installed automatically as well from the script. I used:

      ServerManagerCmd.exe -install feature feature feature -allsubfeatures
      shutdown -r

      Where each feature is replaced with the feature name. And the shutdown to force a restart after the desktop is reached (to install the features). It may not be the fastest way possible, but it does the job ;P.

    • #48520

      Thanks for this clarification; didn’t know this script and commandline instructions! 🙂

    • #43708

      What I would like to do is have the password expire set to 0, and the enforcement turned off inside of a custom install, so that I do not need to set these things up after install. I have compared changes to the registry and the files for when I had the security policy at it’s original settings to that of the desired settings, and the only things I noticed that changed were the ntuser.dat, and secedit.sdb (found in Windowssecuritydatabase).

      If anyone knows what actually gets changed when the password settings are changed, please let me know.

Viewing 2 reply threads
  • You must be logged in to reply to this topic.