Archive for the ‘Active Directory Password’ category

Set Password to Never Expire for Domain Accounts in Windows Server

August 12th, 2017 by Admin

Can’t change password after domain user password expired? AD password expires while user is away? By default, domain users are required to change their passwords every 42 days, as defined by domain password policy. If you find those password expiry notices annoying, you can set password to never expire for domain accounts in Windows Server 2016, 2012, 2008, 2003.

Before getting started, you can check when your domain account password is going to expire. Just open the Command Prompt as administrator, type the following command and press Enter.

net user domain_account_name /domain

This will display your account information, including when you last changed your password, and when it expires.

Method 1: Set Domain Account Password to Never Expire via GUI

  1. Press the Windows logo key + R, type dsa.msc and press Enter to open Active Directory Users and Computers Snap-in.
  2. Expand your domain and click Users in the left pane. You’ll see a list of domain accounts on your server. Double-click the user you would like to update.

  3. In the Properties dialog, click the Account tab and check “Password never expires” under the Account options section.

  4. Click Apply and then OK. Now you’ve successfully disabled the annoying expiration of passwords!

Method 2: Set Domain Account Password to Never Expire via PowerShell

  1. Click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell.
  2. After importing the Active Directory module in PowerShell, you can type the following command to set your domain password to never expire. Replace pcunlocker with the name of your domain account.

    Set-ADUser -Identity "pcunlocker" -PasswordNeverExpires $true

Method 3: Set Domain Account Password to Never Expire via Command Prompt

Open the Command Prompt as Administrator. Type the following command and press Enter. Note: Replace “pcunlocker” with your account name, and adjust the domain name accordingly.

dsmod user "CN=pcunlocker,CN=Users,DC=corp,DC=top-password,DC=com" -pwdneverexpires yes

This would set the password of the domain account “pcunlocker” to never expire.

If you want to disable the password expiration for all accounts in Active Directory, type:

dsquery user "CN=Users,DC=corp,DC=top-password,DC=com" | dsmod user -pwdneverexpires yes

Method 4: Set Password to Never Expire for All Accounts Using Domain Group Policy

  1. Click the Start button, point to Administrative Tools and then click Group Policy Management.
  2. In the console tree, expand the Forest and then Domains. Select the domain for which the password policies have to be set. Right-click Default Domain Policy and select Edit.

  3. It will open Group Policy Management Editor. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy, then double-click the “Maximum password age” setting in the right pane.

  4. In the Security Policy Setting tab, make sure the “Define this policy setting” option is checked, and specify that passwords never expire by setting the number of days to 0.

  5. Click Apply and then OK.

Actually, there is a much simpler way to modify the “Maximum password age” setting for your default domain policy. Just open the Command Prompt as Administrator, and type:

net accounts /maxpwage:unlimited /domain

Now, all the domain accounts won’t be required to change password ever. If you’re locked out of Windows Server and can’t log on with any domain administrator, then you need to use the AD password utility – PCUnlocker. It can help you reset forgotten Active Directory password and unlock a disabled/expired/locked domain account.
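To review what the methods above have changed in a domain, the following PowerShell audit reports the domain-wide maximum password age and lists every enabled account that has “Password never expires” set. It is an added example, not part of the original post; it assumes the ActiveDirectory module is installed, and the CSV file name is an arbitrary choice.

```powershell
# Added example: audit the settings changed by Methods 1-4.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Domain-wide policy: a MaxPasswordAge of zero means passwords never expire
# (the result of Method 4 or "net accounts /maxpwage:unlimited /domain").
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero) {
    Write-Warning "Domain policy: maximum password age is unlimited."
} else {
    "Domain policy: passwords expire after $($policy.MaxPasswordAge.Days) days."
}

# Per-account flag: enabled users with "Password never expires" checked.
$now = Get-Date
$report = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
        -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate, adminCount |
    Select-Object SamAccountName,
        @{ n = 'PasswordAgeDays'; e = {
            # PasswordLastSet is empty when the password has never been set
            if ($_.PasswordLastSet) { [int](($now - $_.PasswordLastSet).TotalDays) }
        } },
        LastLogonDate,
        # adminCount = 1 marks accounts that are or were in a protected admin group
        @{ n = 'AdminCountSet'; e = { $_.adminCount -eq 1 } },
        DistinguishedName |
    Sort-Object PasswordAgeDays -Descending

# Oldest passwords first; keep a copy for review (file name is arbitrary).
$report | Format-Table -AutoSize
$report | Export-Csv -Path .\password-never-expires.csv -NoTypeInformation
```

Accounts near the top of the list with AdminCountSet true are the ones to review first, since they combine an old password with elevated rights.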

Fix: “User must change password at next logon” option greyed out in Windows

December 29th, 2016 by Admin

When you try to change or reset the password of a user account, you might find the checkbox “User must change password at next logon” is greyed out, so you can’t choose this option.

In this tutorial we’ll show you how to enable the “User must change password at next logon” option that is greyed out for Windows local or domain user account.

For Windows Local Accounts:

Open the Computer Management. Expand System Tools, then Local Users and Groups, then Users. Right-click on your local account and select Properties from the context menu.

This will open the Properties dialog box. Uncheck the “Password never expires” box and you’ll then find the “User must change password at next logon” option is enabled. Click Apply and then OK.

For Active Directory User Accounts:

In Windows Server with Active Directory installed, open the Active Directory Users and Computers MMC snap-in (start->run->dsa.msc). Right-click on your domain user and select Properties.

Click the Account tab. Under the Account options section, uncheck the “Password never expires” checkbox and click OK.

Now you should be able to reset the password and force the domain user to change it at next login.

Force All AD User Accounts to Change Passwords at Next Logon

April 3rd, 2014 by Admin

How can I force a domain user account to change its password at the next logon? Simply open the Active Directory Users and Computers MMC snap-in (DSA.MSC) by selecting Start -> Administrative Tools -> Active Directory Users and Computers, and locate your desired AD user. Right-click on the account and select Properties. To force the account to change password, just tick the “User must change password at next logon” checkbox.

Now you might ask: Is there a way of doing this for all users in a single OU? In this post I will show how to use a simple PowerShell script to force all AD user accounts to change their password at next logon.

Tips: If you forgot the AD administrator password and get locked out of your domain controller, you can reset the password by booting your server to PCUnlocker Live CD.

How to Force All AD User Accounts to Change Passwords at Next Logon?

Click Start and then navigate to All Programs -> Accessories -> Windows PowerShell. Right-click Windows PowerShell, and select Run as administrator from the context menu.

Using both the Get-ADUser and Set-ADUser commands, you can force all domain user accounts in an OU to change their passwords at next logon. For this demo I’m using the IT OU. The fully qualified domain name of our Windows domain is corp.top-password.com.

The following command will force all users in the IT department to change password on login.

Get-ADUser -Filter * -SearchBase "OU=IT,DC=corp,DC=top-password,DC=com" | Set-ADUser -ChangePasswordAtLogon:$true

However, this might cause some AD users to be locked out of their computers if the “User Cannot Change Password” attribute is set. To avoid such a problem, it’s better to also disable both the “User Cannot Change Password” and “Password never expires” attributes.

Get-ADUser -Filter * -SearchBase "OU=IT,DC=corp,DC=top-password,DC=com" | Set-ADUser -CannotChangePassword:$false -PasswordNeverExpires:$false -ChangePasswordAtLogon:$true

After executing the PowerShell command, all your users will be forced to change their own password on their next restart. If you don’t allow the AD users to set a blank password, you can then set up a group policy for your own purpose, by following the steps described in our previous post: How to Change Active Directory Password Policy in Windows Server 2008.
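Because the bulk command overwrites three account flags at once, it helps to record the current state and preview the change first. The following is an added example, not part of the original post: it reuses the IT OU from the demo, the CSV file name is arbitrary, and leaving flagged accounts for manual review is a choice made here rather than the article's approach.

```powershell
# Added example: record, review, then preview the bulk change.
Import-Module ActiveDirectory
$ou = 'OU=IT,DC=corp,DC=top-password,DC=com'   # OU used in the article's demo

# Enabled users in the OU, with the flags the bulk command would overwrite.
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $ou `
    -Properties CannotChangePassword, PasswordNeverExpires, pwdLastSet

# Save the current state so individual accounts can be restored later.
# pwdLastSet = 0 means "User must change password at next logon" is already set.
$users | Select-Object SamAccountName, DistinguishedName,
        CannotChangePassword, PasswordNeverExpires,
        @{ n = 'MustChangeAtLogon'; e = { $_.pwdLastSet -eq 0 } } |
    Export-Csv -Path .\it-ou-before.csv -NoTypeInformation

# Accounts with either flag set are often service or shared accounts.
# Forcing a change on them can break whatever depends on the stored password.
$review = $users | Where-Object { $_.CannotChangePassword -or $_.PasswordNeverExpires }
"Accounts needing manual review: $(@($review).Count)"
$review | Format-Table SamAccountName, CannotChangePassword, PasswordNeverExpires

# Everything else can be forced to change at next logon without touching flags.
$targets = $users | Where-Object {
    -not ($_.CannotChangePassword -or $_.PasswordNeverExpires)
}

# -WhatIf prints what would be changed without writing to the directory.
# Remove -WhatIf to apply once the list looks right.
$targets | Set-ADUser -ChangePasswordAtLogon:$true -WhatIf
```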

How to Reset Windows Small Business Server Password After Forgotten

March 28th, 2014 by Admin

Forgot the administrator password on Windows Small Business Server (SBS)? If you can’t log on with another administrator-level account, you’re unable to change or reset the password. You’re then confronted with a situation where you essentially have no control over your server. What do you do at this point?

In this tutorial we’ll show you how to reset a Windows SBS 2011 / 2008 / 2003 password when you have lost or forgotten the administrator password. Because you cannot log into SBS as an administrator, it’s impossible to install any software on the computer to hack into the Security Account Manager (SAM). Fortunately, with the PCUnlocker boot CD you can circumvent Windows security restrictions and reset the SBS administrator password directly.

How to Reset Windows Small Business Server Password After Forgotten?

Before you can reset SBS password, you need to make a PCUnlocker boot CD using another computer with internet connection. Next boot Windows Small Business Server from the CD and it enables you to reset a lost local admin / domain admin password easily. Here are detailed instructions:

  1. Download the PCUnlocker program from http://www.top-password.com. The download file is a zipped ISO image file. Double-click the zip file and the system will display all the contents in a new window. Just drag the pcunlocker.iso file from that window to your desktop or another location you can find easily.
  2. Burn the ISO image to an empty CD (or USB flash drive) using the freeware ISO2Disc, BurnCDCC or ImgBurn program.
  3. Connect the CD you’ve burned to your locked computer that you want to reset Windows SBS password on. Turn on the computer and change the boot order in BIOS. Make sure the CD/DVD drive is the first boot device.
  4. After booting from the CD, you’ll see the WinPE operating system start. Just about half a minute later, you’ll see the PCUnlocker program. It displays all your Windows user accounts. If you need to reset domain user password, please click on the “Reset Active Directory Password” option.
  5. Choose a user account and click on “Reset Password” button. The program will unlock / reset your forgotten user password immediately.
  6. Click on Restart. Take out the CD from the computer. Now you can log back into your Windows Small Business Server (SBS) using a blank/empty password.

PCUnlocker: Unlock Any Computer without A Password

August 29th, 2013 by Admin

Whether you forgot Windows login password or your administrator account got locked out or disabled accidentally, there is a simple way to unlock your computer without a password. Here we’ll get you through the process of unlocking any password protected computer with PCUnlocker Live CD.

How to Unlock Any Computer without A Password?

Step #1: First, you are required to create a PCUnlocker Live CD from another computer that you have access to. This can be your work PC, or a friend or family member’s PC (any PC within your reach). Download the ISO image of PCUnlocker and burn it to a blank CD or DVD using the ISO2Disc program. If you don’t have a CD burner, a USB flash drive can also be used to make a bootable PCUnlocker USB drive.

Step #2: Next thing is, insert the PCUnlocker Live CD into your own machine and boot the computer from it. Before that ensure you haven’t set your BIOS to boot from any other drive than the optical one. After successfully booting from PCUnlocker Live CD, it will load the operating system that is installed on the CD drive.

Step #3: When the boot process is complete, it will start the PCUnlocker program. This program automatically searches your Windows installations and displays all user accounts existing in Windows SAM registry file. In the list box, you can also find out which user account is password protected, disabled or locked out.

Step #4: Choose one of your user accounts and click on “Reset Password” button. The program will remove the account password, and also change the properties of your user account so it is enabled, unlocked and never expired. It will also turn off the logon hours restriction and fix the local security policy that may prevent you from logging in.

Step #5: Restart the computer and remove the Live CD. The account that you’re trying to regain access to will no longer require a password. Quickly regain access to a password-protected computer without a password! No need to start over with a fresh Windows installation when you are locked out of your computer.

Conclusion

With PCUnlocker Live CD you can reset forgotten computer passwords for both local administrator accounts and Active Directory user accounts. It works on all versions of Windows systems, including Windows 8 and Windows Server 2012. Besides the features mentioned above, PCUnlocker can also help you promote standard or limited user account to administrator, reset Windows 8 Microsoft account password, and more.

Learn the Basics of Directory Services Restore Mode

June 20th, 2013 by Admin

Directory Services Restore Mode (DSRM) is a special boot option similar to Safe Mode in Windows. But this mode is only applicable to Windows Server domain controllers and it is used to restore or repair an Active Directory database. If there is a need to repair or restore Active Directory database, DSRM has to be used. Restarting in Directory Services Restore Mode takes the domain controller offline, meaning it functions as a regular server, not as a domain controller.

Boot into Directory Services Restore Mode

If you have physical access to a domain controller, you can access the Directory Services Restore Mode easily. Simply turn on or restart the computer and press F8 before the machine boots into Windows. The system will display the Advanced Boot Options.

Choose the Directory Services Restore Mode from the menu and press Enter. The server will then boot into Directory Services Restore Mode.

Directory Services Restore Mode Password

Generally when you run the DCPROMO command to promote an individual server to a domain controller, the install wizard will prompt you to set a Directory Services Restore Mode password. This password is actually for the built-in local administrator account. In order to boot into Directory Services Restore Mode, you need to use the local administrator account along with the DSRM password to get past the Windows logon screen.

It is very important to know what the DSRM password is. The DSRM password provides the administrator with a back door to boot into Directory Services Restore Mode for performing maintenance and recovery tasks. This account is often forgotten by most AD administrators, which results in a significant security risk. If exploited, this security risk can cause high impact.

The DSRM password should be changed on a regular basis. Because the DSRM password can be used to log on in Directory Services Restore Mode, and in this mode the tasks that can be performed are significant, an exploit of the DSRM account can be extremely detrimental to your AD DS forest.
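To check whether the DSRM password is actually being rotated, the following PowerShell can be run on a domain controller. It is an added example, not part of the original post; the 180-day threshold is an assumed rotation interval, and the event lookup only sees what is still retained in the Security log.

```powershell
# Added example: run in an elevated session on a domain controller.
$maxAgeDays = 180   # assumed rotation interval; adjust to local policy

# Event 4794 is written to the Security log when the DSRM administrator
# password is set (account-management auditing must be enabled).
$last = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4794 } `
            -MaxEvents 1 -ErrorAction SilentlyContinue

if (-not $last) {
    # Logs roll over, so a missing event means "unknown", not "never changed".
    Write-Warning "No event 4794 in the retained Security log; last DSRM password change is unknown."
} else {
    $age = [int](((Get-Date) - $last.TimeCreated).TotalDays)
    if ($age -gt $maxAgeDays) {
        Write-Warning "DSRM password last set $age days ago ($($last.TimeCreated))."
    } else {
        "DSRM password last set $age days ago ($($last.TimeCreated))."
    }
}

# DsrmAdminLogonBehavior controls when the DSRM administrator may log on.
# Absent or 0 (the default) restricts it to Directory Services Restore Mode.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$behavior = $lsa.DsrmAdminLogonBehavior   # $null when the value is absent

if ($null -ne $behavior -and $behavior -ne 0) {
    Write-Warning "DsrmAdminLogonBehavior is $behavior; the DSRM account can log on outside restore mode."
} else {
    "DsrmAdminLogonBehavior is at its default; DSRM logon is limited to restore mode."
}
```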

But what to do if you forgot the DSRM password? In the event a DSRM password is forgotten, you can change or reset it easily by using the tricks described in this article: How to Change or Reset DSRM Administrator Password.

Forgot the Administrator Password on Windows Server 2012? How to Unlock Your Computer?

June 6th, 2013 by Admin

So I did something really stupid, forgot the admin password to my server running Windows Server 2012. I so rarely shut down and have to log in because my server is running 24/7 that when I lost power and had to log back in, I couldn’t remember my password. Is there any way to reset the password so I can unlock my server without having to reinstall the entire OS?

Forgot the administrator password on Windows Server 2012? It’s a real headache to get locked out of your computer, especially when important data is stored on it, which stops you from reinstalling the operating system. In this tutorial we’ll walk you through how to reset your forgotten administrator password on Windows Server 2012. Quickly unlock your server PC without losing your files. This might save you the days and days of reinstalling and reconfiguring all the software or services.

How to Unlock Windows Server 2012 When You Forgot the Administrator Password?

  1. First of all, you need to create a Live CD (or USB flash drive) on another PC that you can access. Download the ZIP archive of Reset Windows Password utility and save it on your desktop.
  2. Open the ZIP file and extract it to a folder on your desktop. Within that folder, you’ll find a file called ResetWindowsPwd.iso. Burn the ISO image onto an empty CD using ISO2Disc, BurnCDCC or other ISO burning software.
  3. Place the Live CD into the CD drive of your locked Windows Server 2012 PC. Turn on the computer and get it to boot from the Live CD instead of the hard drive. If the server still boots from hard drive, you need to change the boot order to CD/DVD-ROM in BIOS.
  4. After successfully booting from the Live CD, the computer will open up the Reset Windows Password program after a few minutes. The program automatically searches the Windows SAM registry hive for your Windows Server 2012 installation, and then displays all of the local user accounts on your PC.

    If you’ve forgotten the domain administrator password, you need to click on Reset Active Directory Password option. The program will display a list of Active Directory user accounts existing on your domain controller (DC).

  5. Choose the administrator account and then click on “Reset Password” button. It will reset your Windows Server 2012 administrator password, as well as unlocking the administrator account if it is locked out, disabled or expired.
  6. Restart the server and remove the Live CD. When the system boots to the login screen, you can successfully log back into your Windows Server 2012 administrator account. It’s that easy!

That’s all there is to it. Forgot your administrator password and got locked out of Windows Server 2012? By following the steps above, you can unlock the Windows Server 2012 administrator password quickly and easily! This method also works with Windows Server 2008, 2003 and 2000.