Exempting User Accounts from Domain Password Policies

by Mitch Tulloch [Published on 14 June 2007 / Last Updated on 14 June 2007]

There's one exemption to how domain password policies are applied.

In an Active Directory environment, password policies for users accounts are determined by the Group Policy settings found under Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy. These policy settings (there are six of them) apply uniformly to all users in the domain. In other words, you can’t exempt a particular user account from these policy settings even if you wanted to.

With one exception: by enabling the Password Never Expires on the Accounts tab of a user account’s Properties sheet in Active Directory Users and Computers, you can override (for that user) the domain-wide policy setting for Maximum Password Age. It’s usually best to reserve this option only for custom service accounts however.


Mitch Tulloch was lead author for the Windows Vista Resource Kit from Microsoft Press, which is THE book for IT pros who want to deploy, maintain and support Windows Vista in mid- and large-sized network environments. For more information see www.mtit.com.

Featured Links