Policy

Do not allow password expiration time longer than required by policy

If this setting is enabled or not configured, planned password expiration longer than the password age dictated by the "Password Settings" policy is NOT allowed. When such expiration is detected, the password is changed immediately and password expiration is set according to policy. If this setting is disabled, password expiration time may be longer than required by "Password Settings" policy. See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.

Policy
Pack Microsoft Windows
Category System / LAPS
Policy ID cceefcf35111
Internal name LAPS_DontAllowPwdExpirationBehindPolicy

Registry

Copy registry mappings

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS\PasswordExpirationProtectionEnabled (enabled) = 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS\PasswordExpirationProtectionEnabled (disabled) = 0

Policy notes

If this setting is enabled or not configured, planned password expiration longer than the password age dictated by the "Password Settings" policy is NOT allowed. When such expiration is detected, the password is changed immediately and password expiration is set according to policy. If this setting is disabled, password expiration time may be longer than required by "Password Settings" policy. See https://go.microsoft.com/fwlink/?linkid=2188435 for more information.

Related policies

Configure authorized password decryptorsConfigure automatic account managementConfigure password backup directoryConfigure size of encrypted password historyEnable password backup for DSRM accountsEnable password encryptionName of administrator account to manage