This step-by-step tutorial demonstrates how to configure password expiration for local accounts in Windows 10 and Windows 11. It includes instructions for enabling and disabling password expiration for any local user account in Windows, how to check its current status, and explains what happens when password expiration is disabled.
Preparation before changing local user password expiration settings
Whether you’re enabling or disabling password expiration for an account, you must be signed in with an administrator account. Before you make any changes to your Windows 10 or Windows 11 system configuration, you should also take a full system backup.
Note that to configure password expiry for Windows domain accounts you will need to use Group Policy.
Step-by-step instructions: How to configure password expiration in Windows 10 and Windows 11
This guide includes tutorials for turning password expiration on or off for Windows 10 and Windows 11 devices.
Note that using the Local Users and Groups snap-in (GUI) method is only available on the Pro, Enterprise, and Education editions of Windows — Home users will have to use the command line method.
How to enable or disable password expiration using the Local Users and Groups (GUI)
To configure password expiration for local accounts using the Local Users and Groups MMC snap-in (a graphical interface for managing user settings), follow these steps:
- Right-click on the Start button
- Select Run
- Enter lusrmgr.msc into the Run dialog and press OK
- Select Users from the navigation tree in the left pane of Local Users and Groups
- Right-click on the user you want to enable or disable password expiration for and select Properties
- To enable password expiration for the specified user, uncheck the Password never expires checkbox
- To disable password expiration for the specified user, check the Password never expires checkbox
- Click OK to confirm the change
How to turn password expiration on or off using command-line tools
To turn password expiration on or off in both Windows 10 and Windows 11 using the command line, follow these steps:
- Open an elevated Command Prompt or run PowerShell as Administrator
- Enter the command wmic UserAccount where "Name='USERNAME'" set PasswordExpires=True to enable password expiry for the specified local user account
- Enter the command wmic UserAccount where "Name='USERNAME'" set PasswordExpires=False to disable password expiry for the specified local user account
Note that you will need to replace the USERNAME text in the above commands with the username of the account you wish to turn password expiry on or off for.
Command to check password expiration status in Windows 10 and Windows 11
You can check the password expiration status for a user by running the command net user USERNAME (replacing USERNAME with the local account username). The command will output information about the user account, including when the Password expires, which will be set to Never if password expiry is disabled.
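A PowerShell alternative to the wmic and net user commands above, added here as an example and not part of the original tutorial: it uses the built-in Get-LocalUser and Set-LocalUser cmdlets to report the expiration status of every enabled local account and to toggle it, which also works where the deprecated wmic tool is unavailable. The function names are hypothetical and USERNAME is the same placeholder used above.

```powershell
# Added example. Run in an elevated Windows PowerShell session.
# Uses the built-in Microsoft.PowerShell.LocalAccounts module.

function Get-LocalPasswordExpiryReport {
    # One row per enabled local account, covering the same information
    # that "net user USERNAME" prints under "Password expires".
    $now = Get-Date
    Get-LocalUser | Where-Object Enabled | ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            # Empty when no expiry date applies to the account, for example
            # when "Password never expires" is checked.
            ExpiryDate      = $_.PasswordExpires
            NoExpiryDate    = ($null -eq $_.PasswordExpires)
            PasswordLastSet = $_.PasswordLastSet
            PasswordAgeDays = if ($_.PasswordLastSet) {
                [math]::Floor(($now - $_.PasswordLastSet).TotalDays)
            } else { $null }
        }
    }
}

function Set-LocalPasswordExpiry {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][bool]$Enabled
    )
    # Same effect as unchecking (Enabled = $true) or checking (Enabled = $false)
    # the "Password never expires" box in lusrmgr.msc.
    $neverExpires = -not $Enabled
    if ($PSCmdlet.ShouldProcess($Name, "Set PasswordNeverExpires to $neverExpires")) {
        Set-LocalUser -Name $Name -PasswordNeverExpires $neverExpires
    }
}

# List accounts, those without an expiry date first.
Get-LocalPasswordExpiryReport |
    Sort-Object NoExpiryDate -Descending |
    Format-Table -AutoSize

# Preview the change for one account; remove -WhatIf to apply it.
Set-LocalPasswordExpiry -Name 'USERNAME' -Enabled $true -WhatIf
```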
Background: Understanding password expiration
Password expiration means that a user needs to regularly change their Windows account password after a predefined interval. In Windows 10 and Windows 11, once the maximum password age is reached the user will need to change their password when they next log in.
By default, local accounts in Windows 10 and Windows 11 are set to not have their passwords expire. Enabling password expiry for an account will force that specific user to update their password once it reaches a certain age or when an administrator has specified that they must change their password the next time they log in.
Enforcing password expiration can enhance security by preventing the continued use of old passwords that may have appeared in a data breach or that have been shared or accidentally disclosed. However, there are potential drawbacks: enabling password expiration and forcing users to change their passwords too regularly can frustrate them, leading them to re-use old passwords, use easy-to-guess passwords, or write their passwords down.
How to change minimum and maximum password expiration age/limits
To configure the amount of time before the user has to change their password again, you can set minimum and maximum password age expiry limits. Once password expiry has been enabled, you can also force that user to change their password the next time they log in.
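One way to set these limits from the command line, added here as an example and not taken from the original tutorial: net accounts sets the machine-wide minimum and maximum password age, and net user with /logonpasswordchg:yes forces a change at the next logon. The function names are hypothetical, and the values 90 and 1 and the USERNAME placeholder are illustrative.

```powershell
# Added example. Run in an elevated PowerShell session.
# The defaults (90 and 1 days) and USERNAME are illustrative values.

function Set-LocalPasswordAgePolicy {
    param(
        [ValidateRange(1, 999)][int]$MaxAgeDays = 90,
        [ValidateRange(0, 998)][int]$MinAgeDays = 1
    )
    # Keep the minimum below the maximum so that users can always
    # change a password before it expires.
    if ($MinAgeDays -ge $MaxAgeDays) {
        throw 'Minimum password age must be lower than maximum password age.'
    }
    # Machine-wide limits for local accounts that have password expiry enabled.
    net accounts "/maxpwage:$MaxAgeDays" "/minpwage:$MinAgeDays" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net accounts failed ($LASTEXITCODE)" }
    # Print the resulting policy so the new values can be verified.
    net accounts
}

function Request-PasswordChangeAtNextLogon {
    param([Parameter(Mandatory)][string]$Name)
    # Enable password expiry for the account first, then require a
    # password change at the next logon.
    Set-LocalUser -Name $Name -PasswordNeverExpires $false
    net user $Name /logonpasswordchg:yes | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net user failed ($LASTEXITCODE)" }
}

Set-LocalPasswordAgePolicy -MaxAgeDays 90 -MinAgeDays 1
Request-PasswordChangeAtNextLogon -Name 'USERNAME'
```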
Windows password expiration use-cases and best practices
There are several scenarios where you may be required to enable password expiration for local user accounts:
- On shared computers to discourage users from sharing accounts and passwords.
- For accounts that are used by personnel that are regularly rotated.
- For compliance reasons, for example Payment Card Industry Data Security Standard (PCI DSS) requires that users regularly change their passwords.
There are situations where it isn’t necessary to force users to regularly change their passwords, such as on personal devices that only have a single user.
When configuring password expiration for local accounts, and deciding on minimum and maximum password ages, you should consider the use case and what will encourage the best security practices from users. Forcing users to change their passwords too regularly (without reason) may discourage them from using strong passwords, or encourage them to seek workarounds like writing their passwords down or not locking their machine when it is not in use.
Password security and enabling and disabling password expiration in enterprise environments
Most large enterprises will configure password expiration in both Windows 10 and Windows 11 using Group Policy in a Windows Domain environment. Some businesses, however, do not use a Windows Domain, or rely on employees to bring their own devices (BYOD).
Securing the vast array of user devices and protecting your vital customer data requires a comprehensive mobile device management (MDM) solution. MDM by NinjaOne allows you to configure user account and security policies for Windows, Apple, Android, and Linux devices, whatever their form-factor and wherever they are located.