How to Disable Password Expiry Policy on Windows Server 2012 Domain Controller – Technical Guide for Developers

When managing a Windows Server 2012 domain controller, you'll quickly discover that the standard Local Security Policy approach doesn't work for password policies. This isn't a bug - it's by design. On domain controllers, password policies are managed through Active Directory's Group Policy Management.

The moment you promote a server to a domain controller, several key changes occur:

  • Local Security Policy becomes read-only for account policies
  • Active Directory assumes control of authentication policies
  • Default Domain Policy governs password requirements

Since GUI options are limited, we'll use PowerShell (the ActiveDirectory module) to exempt individual accounts and then to create a fine-grained password policy:

# First, check the domain-wide password policy (the Default Domain Policy values)
Get-ADDefaultDomainPasswordPolicy

# To disable password expiration for a specific user:
Set-ADUser -Identity username -PasswordNeverExpires $true

# For service accounts that are ordinary user objects (common developer scenario).
# Managed service accounts (Get-ADServiceAccount) rotate their own passwords and
# Set-ADServiceAccount has no -PasswordNeverExpires parameter, so target the user
# objects instead; the "svc_*" naming convention here is an assumption.
Get-ADUser -Filter 'Name -like "svc_*"' | ForEach-Object {
    Set-ADUser -Identity $_ -PasswordNeverExpires $true
}

For more granular control, create a Password Settings Object (PSO):

# Create a new PSO whose passwords never expire.
# MaxPasswordAge is a TimeSpan; 00:00:00 means "never".
$psoParams = @{
    Name                            = "DevServerPolicy"
    Precedence                      = 1
    MaxPasswordAge                  = "00:00:00"
    MinPasswordLength               = 0
    ComplexityEnabled               = $false
    LockoutDuration                 = "00:30:00"
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @psoParams

# Apply the PSO to a specific group (PSOs apply to users and global security groups)
Add-ADFineGrainedPasswordPolicySubject -Identity "DevServerPolicy" -Subjects "DevServerAdmins"

While disabling password expiration can simplify development environments, consider:

  • Implementing LAPS (Local Administrator Password Solution)
  • Using JIT (Just-In-Time) access for production systems
  • Setting up Azure AD Privileged Identity Management for hybrid environments

For service accounts that can't have password expiration disabled, consider this automation pattern:

# Scheduled task to auto-rotate the password of a service account.
# [guid]::NewGuid() works on the PowerShell 3.0 that ships with Server 2012 (New-Guid needs 5.0+).
Import-Module ActiveDirectory
$newPassword = ConvertTo-SecureString -String ([guid]::NewGuid().ToString()) -AsPlainText -Force
Set-ADAccountPassword -Identity "svc_account" -NewPassword $newPassword -Reset
Set-ADUser -Identity "svc_account" -ChangePasswordAtLogon $false
# Whatever runs as svc_account (service, scheduled task, application) must be
# updated with the new password in the same run, or its logons will start failing.

When a Windows Server 2012 machine is promoted to domain controller, password policies become managed through Group Policy Objects (GPO) rather than local security policy. This explains why the local security policy editor shows the controls as disabled - these settings are now controlled at the domain level.

For domain controllers, you have two proper ways to modify password policies:

1. Using Group Policy Management Console

1. Open Group Policy Management (gpmc.msc)
2. Navigate to: 
   Forest > Domains > [Your Domain] > Domain Controllers
3. Right-click Default Domain Controllers Policy > Edit
4. Navigate to:
   Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy
5. Modify "Maximum password age" to 0 (never expires)
6. Run gpupdate /force on all DCs

2. Using ADSI Edit (Advanced)

For programmatic access, you can modify these settings directly in AD:

# PowerShell example to modify an existing fine-grained password policy (PSO)
Import-Module ActiveDirectory
# "Domain Controllers Policy" is a placeholder for the name of your own PSO
$policy = Get-ADFineGrainedPasswordPolicy -Identity "Domain Controllers Policy"
# A MaxPasswordAge of 00:00:00 means passwords under this PSO never expire
Set-ADFineGrainedPasswordPolicy -Identity $policy -MaxPasswordAge "00:00:00"

After making changes, verify with:

# PowerShell check
Get-ADDefaultDomainPasswordPolicy | Select-Object MaxPasswordAge

# Command line alternative
net accounts /domain

1. Password policies apply at domain level - changes affect all domain users
2. For specific users, consider creating Fine-Grained Password Policies instead
3. Changing default domain policies may violate security compliance standards

If you only need to exempt specific service accounts:

# PowerShell to set password never expires
Set-ADUser -Identity "ServiceAccount" -PasswordNeverExpires $true
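Every -PasswordNeverExpires exemption created by the commands above is a standing credential that no policy will ever force to rotate, so it is worth knowing which accounts carry the flag, which policy actually governs them, and how old their passwords are. The following audit script is an added example, not code from the original guide; it assumes the RSAT ActiveDirectory module on a domain-joined host, and the privileged group list and the 365-day threshold are assumptions to adjust for your environment.

```powershell
# Added audit example, not part of the original guide. Assumes the RSAT
# ActiveDirectory module; the group list and 365-day threshold are assumptions.
Import-Module ActiveDirectory

function Get-PasswordExpiryExemptionReport {
    param(
        [int]$MaxAgeDays = 365,
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')
    )
    # Map distinguished name -> group for every (recursive) member of the listed groups
    $privileged = @{}
    foreach ($group in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { $privileged[$_.distinguishedName] = $group }
    }
    $domainMaxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    $now = Get-Date

    # Enabled accounts carrying the "password never expires" flag
    Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
               -Properties PasswordLastSet, PasswordNeverExpires |
        ForEach-Object {
            # Resultant PSO for this user, or $null when only the Default Domain Policy applies
            $pso = Get-ADUserResultantPasswordPolicy -Identity $_
            $policyName = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
            $policyMax  = if ($pso) { $pso.MaxPasswordAge } else { $domainMaxAge }
            $ageDays = if ($_.PasswordLastSet) { [int]($now - $_.PasswordLastSet).TotalDays } else { $null }

            $reasons = @()
            if ($privileged.ContainsKey($_.DistinguishedName)) {
                $reasons += "member of $($privileged[$_.DistinguishedName])"
            }
            if ($null -eq $ageDays) { $reasons += 'password never set' }
            elseif ($ageDays -gt $MaxAgeDays) { $reasons += "password $ageDays days old" }

            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                PasswordAgeDays = $ageDays
                EffectivePolicy = $policyName
                PolicyMaxAge    = $policyMax
                Finding         = if ($reasons) { $reasons -join '; ' } else { 'review' }
            }
        }
}

# Example run: oldest passwords first, so stale exemptions surface at the top
Get-PasswordExpiryExemptionReport | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
```

Accounts that show up as both privileged and exempt are the first candidates for moving onto a rotating credential (the scheduled-rotation pattern above, or a managed service account).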