Exempting User Accounts from Domain Password Policies

by Mitch Tulloch [Published on 14 June 2007 / Last Updated on 14 June 2007]

There's one exemption to how domain password policies are applied.

In an Active Directory environment, password policies for users accounts are determined by the Group Policy settings found under Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy. These policy settings (there are six of them) apply uniformly to all users in the domain. In other words, you can’t exempt a particular user account from these policy settings even if you wanted to.

With one exception: by enabling the Password Never Expires on the Accounts tab of a user account’s Properties sheet in Active Directory Users and Computers, you can override (for that user) the domain-wide policy setting for Maximum Password Age. It’s usually best to reserve this option only for custom service accounts however.


Mitch Tulloch was lead author for the Windows Vista Resource Kit from Microsoft Press, which is THE book for IT pros who want to deploy, maintain and support Windows Vista in mid- and large-sized network environments. For more information see www.mtit.com.

The Author — Mitch Tulloch

Mitch Tulloch is a widely recognized expert on Windows administration, networking, and security. He has been repeatedly awarded Most Valuable Professional (MVP) status by Microsoft for his outstanding contributions in supporting users who deploy and use Microsoft platforms, products and solutions. Mitch has published over two hundred articles on different IT websites and magazines, and he has written or contributed to almost two dozen books and is lead author for the Windows 7 Resource Kit from Microsoft Press. For more information, see www.mtit.com .

Latest Contributions

Featured Links