Applies To: Forefront Client Security
The Password Expiration SSA check determines whether any local accounts have passwords that do not expire. You should change passwords regularly to help thwart password attacks.
A local account that has a setting of Password never expires overrides the Maximum Password Age setting in the Password policy in Group Policy, thereby enabling a user to keep the same password forever.
Also, the Password never expires setting overrides the User must change password at next logon setting. When users are assigned new passwords by administrators or help desk representatives, it is good practice to set the User must change password at next logon option to ensure that the user sets a new password.
It is recommended that you examine any local accounts that appear in SSA-related reports as having passwords that do not expire. Determine why the account is configured to have a password that does not expire. If the reason is not acceptable according to your organization's security standards, configure the account to have an expiring password and consider changing the account password immediately.
There are exceptions to this check. Do not remove the Password never expires settings for the following accounts, because doing so can break application and server functionality:
- IUSR_*
- IWAM_*
- SUPPORT_*
- SMSCli*
- ACTUser
- ASPNET
- SQLDebugger
- HelpAssistant
- TSInternetUser
This check generates scores on two levels:
- Overall
- Per account
The following table shows how Client Security determines the overall score resulting from assessing password expiration settings for accounts on the scanned computer.
| Score | Number of accounts with Medium score | Number of accounts with Informational score | Number of accounts with Low score | Computer is a domain controller | Results message |
|---|---|---|---|---|---|
| Medium | At least 1 | 0 or more | 0 or more | No | Number of user accounts with non-expiring passwords: number [of Medium score accounts]. Total number of user accounts: number. |
| Informational | 0 | At least 1, disabled but not exempt | 0 or more | No | Number of disabled user accounts with non-expiring passwords: number [of Informational score accounts]. Total number of user accounts: number. |
| | 0 | At least 1, on exempt list | 0 or more | No | All accounts with no password expiration are on the exempt list. |
| | Not applicable | Not applicable | Not applicable | Yes | This check is not supported on domain controllers. |
| Low | 0 | 0 | At least 1 | No | Passwords expire for all accounts on this computer. |
The following table shows how Client Security determines the score resulting from assessing password expiration settings for a specific user account.
| Score | Password expires | Account is disabled | Account in exemption list | Results message |
|---|---|---|---|---|
| Medium | No | No | No | The password for this account never expires: username. |
| Informational | No | Yes | No | The password for this account never expires: username. However, the account is disabled. |
| | No | Yes or No | Yes | The password for this account never expires: username. However, the account is in the list of accounts exempt from the Password Expiration check. |
| Low | Yes | Not applicable | Not applicable | The password for this account expires: username. |
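
The two scoring tables above can be reproduced for review purposes with a short PowerShell script. This is an added example, not Client Security's own code. It assumes account objects shaped like `Win32_UserAccount` (`Name`, `PasswordExpires`, `Disabled`), treats the blank Score cells in the tables as continuing the Informational row above them, and uses hypothetical function names and constructed sample accounts.

```powershell
# Added example: applies the per-account and overall scoring tables on this page.
# Assumption: blank Score cells in the tables are read as "Informational".
$ExemptPatterns = 'IUSR_*','IWAM_*','SUPPORT_*','SMSCli*','ACTUser','ASPNET',
                  'SQLDebugger','HelpAssistant','TSInternetUser'

function Get-AccountScore {          # hypothetical helper name
    param([Parameter(Mandatory)] $Account)   # needs Name, PasswordExpires, Disabled
    # -like gives wildcard matching for the starred entries of the exempt list
    $exempt = [bool]($ExemptPatterns | Where-Object { $Account.Name -like $_ })
    if ($Account.PasswordExpires)            { $score = 'Low' }
    elseif ($exempt -or $Account.Disabled)   { $score = 'Informational' }
    else                                     { $score = 'Medium' }
    [pscustomobject]@{ Name = $Account.Name; Score = $score; Exempt = $exempt
                       Disabled = [bool]$Account.Disabled }
}

function Get-OverallScore {          # hypothetical helper name
    param([object[]] $Accounts, [switch] $IsDomainController)
    if ($IsDomainController) {
        return [pscustomobject]@{ Score = 'Informational'
            Message = 'This check is not supported on domain controllers.' }
    }
    $scored = @($Accounts | ForEach-Object { Get-AccountScore $_ })
    $medium = @($scored | Where-Object Score -eq 'Medium')
    $info   = @($scored | Where-Object Score -eq 'Informational')
    $total  = $scored.Count
    if ($medium.Count -ge 1) {
        $s = 'Medium'
        $m = "Number of user accounts with non-expiring passwords: $($medium.Count). Total number of user accounts: $total."
    } elseif (@($info | Where-Object { -not $_.Exempt }).Count -ge 1) {
        $s = 'Informational'
        $m = "Number of disabled user accounts with non-expiring passwords: $($info.Count). Total number of user accounts: $total."
    } elseif ($info.Count -ge 1) {
        $s = 'Informational'
        $m = 'All accounts with no password expiration are on the exempt list.'
    } else {
        $s = 'Low'
        $m = 'Passwords expire for all accounts on this computer.'
    }
    [pscustomobject]@{ Score = $s; Message = $m }
}

# Constructed sample accounts (not taken from a real computer)
$sample = @(
    [pscustomobject]@{ Name = 'Administrator'; PasswordExpires = $false; Disabled = $true  }
    [pscustomobject]@{ Name = 'IUSR_WEB01';    PasswordExpires = $false; Disabled = $false }
    [pscustomobject]@{ Name = 'svc_backup';    PasswordExpires = $false; Disabled = $false }
    [pscustomobject]@{ Name = 'alice';         PasswordExpires = $true;  Disabled = $false }
)
$sample | ForEach-Object { Get-AccountScore $_ } | Format-Table -AutoSize
Get-OverallScore -Accounts $sample | Format-List
```

To score a live member server or workstation instead of the sample, pass `Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True"` as `-Accounts`.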