Do not allow password expiration time longer than required by policyID: oval:org.secpod.oval:def:81456 | Date: (C)2022-06-14 (M)2023-07-31 |
Class: COMPLIANCE | Family: windows |
When you enable this setting, planned password expiration longer than password age dictated by Password Settings policy is NOT allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy.
When you disable or not configure this setting, password expiration time may be longer than required by Password Settings policy.
Counter Measure:
Enable this setting.
Potential Impact:
Users must change their device password with the frequency specified.
Fix:
(1) GPO: Computer Configuration\Administrative Templates\LAPS\Do not allow password expiration time longer than required by policy
(2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd!PwdExpirationProtectionEnabled
Platform: |
Microsoft Windows Server 2012 R2 |