Password Expiration versus Account Expiration

This week we had a question about IISADMPWD Replacement Tool functionality. In testing, the user successfully used the ChangePassword application to change a password that had expired when they tried to access a protected web application. The answer involved the difference between password expiration and account expiration.

As part of the testing, the user had also set their account to expire and wondered why, when the password was changed, the test account wasn’t “unexpired” as well.

In short, password expiration and account expiration are different, though each will keep a user from being able to log in. Account expiration is a stronger step in many ways, designed for a user who should be able to access your systems only temporarily (for example, a contractor who needs access for a fixed period of time). If a user’s account is expired, Windows doesn’t provide an option for that user to get back in unless the expiration is rescinded by an administrator.

Password expiration is designed for a user who you want to continue to have access to your systems but who, for security reasons, needs to change their password. This is the realm where PeoplePassword and the IISADMPWD Replacement Tool exert influence, offering a self-service solution without the need to involve IT, which is time-consuming and costly.
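
To make the distinction concrete, here is an added example (not part of the original post or of either product) that decides which of the two conditions is blocking a logon and whether a self-service password change can clear it. It assumes an Active Directory account whose raw `accountExpires` and `msDS-UserPasswordExpiryTimeComputed` values have already been read; the function names and the sample accounts are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF  # sentinel used by both attributes for "no expiry"


def to_filetime(dt):
    """UTC datetime -> FILETIME (100 ns ticks since 1601-01-01)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def from_filetime(ticks):
    """FILETIME -> UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def triage(account_expires, pwd_expiry_computed, now):
    """Return (state, self_service_can_fix) for one account.

    account_expires:     raw accountExpires; 0 or NEVER means no expiry.
    pwd_expiry_computed: raw msDS-UserPasswordExpiryTimeComputed; NEVER means
                         the password does not expire, 0 means it must be
                         changed at next logon.
    """
    account_expired = (account_expires not in (0, NEVER)
                       and from_filetime(account_expires) <= now)
    password_expired = (pwd_expiry_computed != NEVER
                        and from_filetime(pwd_expiry_computed) <= now)
    if account_expired:
        # A password change does not touch accountExpires; only an
        # administrator can move or clear the account expiration.
        return ("account_expired", False)
    if password_expired:
        return ("password_expired", True)
    return ("ok", False)


# Constructed sample accounts, evaluated at a constructed point in time.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLES = {
    "employee": (0, to_filetime(datetime(2024, 5, 15, tzinfo=timezone.utc))),
    "contractor": (to_filetime(datetime(2024, 5, 1, tzinfo=timezone.utc)),
                   to_filetime(datetime(2024, 4, 1, tzinfo=timezone.utc))),
    "service": (NEVER, NEVER),
}

if __name__ == "__main__":
    for name, (acct, pwd) in SAMPLES.items():
        print(name, triage(acct, pwd, NOW))
```

The "contractor" sample mirrors the test account in the question: both the password and the account have expired, so the result stays `account_expired` no matter how often the password is changed.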