Administrator Account Password Expiration Behavior


Summary


The local Administrator (RID -500) account’s password on a member server has expired, yet you are not prompted to change it at the logon screen. You are allowed to log on and get access to the console. The setting “User must change the password at next logon” is checked in the Administrator account’s properties. Once logged on, you may see a balloon pop up from time to time with the message “Consider changing your password”.

In the local Administrator account’s properties, if you manually uncheck the option “User must change the password at next logon”, click OK, log off and then log on again, you will notice that the checkbox for that option is set again in the user’s properties. The checkbox for “User must change the password at next logon” stays checked until the password is actually changed using CTRL+ALT+DEL -> Change Password while logged on.

A regular account that was created manually and added to the local Administrators group, and whose password has expired, is prompted to change the password at the logon screen before it gets access to the console.

More Information


This behavior is by design and expected: it allows an administrator to log on to the system with the -500 RID account (the built-in Administrator) to perform troubleshooting tasks even though its password has expired. For security reasons, no other account is allowed to log on once its password has expired.

Any other account with an expired password, whether it is a member of the Administrators group or of any other built-in local group, or holds the "Allow Logon Locally" user right, is not allowed to log on and is forced to change its password at the logon screen before getting access to the console.

Note: The same behavior applies to the domain Administrator account (-500 RID) in Active Directory when logging on to domain controllers.
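The following PowerShell script is an added example, not part of the original article, that audits the local accounts for an expired password or a set "must change password at next logon" flag and reports the RID-500 account separately, since that is the one account the article says can still reach the console in that state. It assumes the WinNT ADSI provider (present on any Windows system with local accounts) and an elevated session on the machine being audited.

```powershell
# Added example: audit local accounts for expired / must-change passwords and
# single out the built-in Administrator (RID 500), which is allowed to log on
# interactively even in that state. Assumes the WinNT ADSI provider.
$computer  = $env:COMPUTERNAME
$container = [ADSI]"WinNT://$computer"

$report = foreach ($u in $container.Children | Where-Object { $_.SchemaClassName -eq 'user' }) {
    # objectSid is stored as a byte array; convert it to S-1-5-... text to read the RID
    $sid = New-Object System.Security.Principal.SecurityIdentifier($u.objectSid.Value, 0)
    $rid = [int](($sid.Value -split '-')[-1])

    $flags      = [int]$u.UserFlags.Value
    $disabled   = ($flags -band 0x2)     -ne 0      # ADS_UF_ACCOUNTDISABLED
    $neverExp   = ($flags -band 0x10000) -ne 0      # ADS_UF_DONT_EXPIRE_PASSWD
    $mustChange = ([int]$u.PasswordExpired.Value) -eq 1   # "User must change password at next logon"

    # MaxPasswordAge / PasswordAge are reported in seconds by the WinNT provider
    $maxAge = [int]$u.MaxPasswordAge.Value
    $age    = [int]$u.PasswordAge.Value
    $expiredByAge = (-not $neverExp) -and ($maxAge -gt 0) -and ($age -gt $maxAge)

    [pscustomobject]@{
        Name           = [string]$u.Name
        RID            = $rid
        BuiltInAdmin   = ($rid -eq 500)
        Disabled       = $disabled
        MustChangeFlag = $mustChange
        ExpiredByAge   = $expiredByAge
    }
}

$report | Format-Table -AutoSize

# Other accounts in this state are forced to change at the logon screen anyway;
# the enabled RID-500 account is the one that reaches the console without a prompt.
$report |
    Where-Object { $_.BuiltInAdmin -and -not $_.Disabled -and ($_.MustChangeFlag -or $_.ExpiredByAge) } |
    ForEach-Object {
        Write-Warning "Built-in Administrator '$($_.Name)' has an expired password; change it with CTRL+ALT+DEL -> Change Password while logged on."
    }
```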