How to Set a Password to Never Expire for a User in Batch Script

In typical Windows environments, password expiration policies force users to rotate their credentials every 60 to 90 days. However, for specialized accounts, such as "Service Accounts" that run background databases, "Kiosk" systems, or automated build servers, password expiration can cause catastrophic system failures. If a service account's password expires, the service will fail to start, potentially taking down your entire application. Using a Batch script and the WMIC utility, you can flag specific accounts to "Never Expire."

This guide explains how to manage password longevity via the command line.

Why Use the 'Never Expire' Flag?

  • Service Continuity: Ensuring that background services and scheduled tasks continue to run without interruption.
  • System Stability: Preventing a critical server from locking out its own management accounts during an automated maintenance window.
  • Kiosk/Public Terminals: Simplifying the management of public-facing computers where manual password resets would be logistically difficult.

Security Warning

Setting a password to "Never Expire" is a significant security risk. Only use this for accounts that are already heavily restricted or have other robust, documented security measures in place. Never apply this to standard user accounts if you can avoid it.

Method 1: Using WMIC (For Local Accounts)

The WMIC utility is the most reliable way to modify the PasswordExpires property of a local Windows account. Note that Microsoft has deprecated WMIC: starting with Windows 11 version 24H2 it is an optional Feature on Demand rather than part of the default installation, so confirm that wmic.exe is present before relying on these scripts.

@echo off
setlocal

:: Check for admin rights
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Administrator privileges are required.
    pause
    exit /b 1
)

:: Clear the variable first: set /p leaves it untouched when the user just presses Enter
set "USN="
set /p "USN=Local account name: "

if "%USN%"=="" (
    echo [ERROR] No username entered.
    pause
    exit /b 1
)

:: Verify the account exists. wmic exits with 0 even when it prints
:: "No Instance(s) Available.", so test the output rather than %errorlevel%.
wmic useraccount where name='%USN%' get name 2>nul | find /i "%USN%" >nul
if %errorlevel% neq 0 (
    echo [ERROR] Local account "%USN%" not found.
    pause
    exit /b 1
)

echo [PROCESS] Disabling password expiration for: "%USN%"...

:: Setting PasswordExpires to FALSE means the password never expires
wmic useraccount where name='%USN%' set passwordexpires=false >nul 2>&1

:: Confirm by reading the property back instead of trusting wmic's exit code
wmic useraccount where name='%USN%' get passwordexpires 2>nul | find /i "FALSE" >nul
if %errorlevel% equ 0 (
    echo [SUCCESS] Password for "%USN%" is now set to never expire.
    echo [REMINDER] Schedule a manual rotation every 12-24 months.
) else (
    echo [ERROR] Failed to update. Check that you are running as Administrator.
)
pause

Method 2: Using DSMOD (For Domain Accounts)

If the account is part of an Active Directory domain, use the dsmod tool with the user's Distinguished Name (DN).

@echo off
setlocal

:: Check for RSAT tools
where dsmod >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] dsmod.exe not found. Install RSAT tools first.
    echo [HELP] Settings ^> Apps ^> Optional Features ^> Add RSAT
    pause
    exit /b 1
)

:: Check for admin rights
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Administrator privileges are required.
    pause
    exit /b 1
)

:: Distinguished Name of the target account; adjust to your directory
set "USER_DN=CN=AppService,OU=Services,DC=Company,DC=com"

echo [PROCESS] Updating Active Directory object...

:: -pwdneverexpires yes sets the DONT_EXPIRE_PASSWORD flag on the account
dsmod user "%USER_DN%" -pwdneverexpires yes

if %errorlevel% equ 0 (
    echo [SUCCESS] Password expiration disabled for the domain account.
) else (
    echo [ERROR] Failed. Verify the DN and your permissions.
)
pause
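The script above updates a single hard-coded DN. As an added example (not part of the original article), the following batch script generalizes it to a list of DNs read from a text file, recording the state of the flag before each change so the log shows what actually changed. It assumes RSAT is installed (dsget.exe and dsmod.exe on PATH); the two DNs it writes to service-accounts.txt when that file is missing are constructed placeholders to replace with your own.

```batch
@echo off
setlocal

:: Added example: apply -pwdneverexpires to every DN listed in a text file,
:: logging the before/after state. Requires RSAT (dsget.exe / dsmod.exe).
set "LIST=%~dp0service-accounts.txt"
set "LOG=%~dp0pwdneverexpires.log"

where dsmod >nul 2>&1 || (echo [ERROR] dsmod.exe not found. Install RSAT first. & exit /b 1)

:: Constructed sample input (placeholder DNs, one per line) so the script runs
:: as-is; replace with your real distinguished names.
if not exist "%LIST%" (
    > "%LIST%" echo CN=AppService,OU=Services,DC=example,DC=com
    >>"%LIST%" echo CN=BuildAgent,OU=Services,DC=example,DC=com
)

for /f "usebackq delims=" %%D in ("%LIST%") do call :apply "%%D"
echo [DONE] Results written to "%LOG%"
exit /b 0

:apply
set "DN=%~1"
set "BEFORE=unknown"
:: Read the current flag ("yes" or "no") first so the log shows what changed.
:: dsget prints a header line and "dsget succeeded", neither of which matches.
for /f "tokens=1" %%V in ('dsget user "%DN%" -pwdneverexpires 2^>nul ^| findstr /i /c:"yes" /c:"no"') do set "BEFORE=%%V"
dsmod user "%DN%" -pwdneverexpires yes >nul 2>&1
if errorlevel 1 (
    echo [FAIL] %DN%
    >>"%LOG%" echo FAIL;%DN%;was=%BEFORE%
) else (
    echo [OK]   %DN%
    >>"%LOG%" echo OK;%DN%;was=%BEFORE%
)
exit /b
```

Run it from an elevated prompt on a machine with RSAT; the log is semicolon-delimited so it can be pasted into a spreadsheet or change ticket. dsmod itself returns a non-zero exit code on failure, which is why the check here is on errorlevel rather than on re-querying the object.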

Creating a Service Account Provisioning Tool

This longer script validates the account, shows its current settings, asks for confirmation, and then applies several "resilience" flags.

@echo off
setlocal EnableDelayedExpansion

echo ============================================================
echo Service Account Resilience Provisioner
echo ============================================================

:: 1. Verify Admin Rights
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [CRITICAL] Admin rights REQUIRED for WMI security edits.
    pause
    exit /b 1
)

:: 2. Get target account (clear first: set /p keeps the old value on an empty answer)
set "TARGET="
set /p "TARGET=Enter Local Account Name: "

if "!TARGET!"=="" (
    echo [ERROR] No account name entered.
    pause
    exit /b 1
)

:: Verify account exists. wmic exits 0 even for "No Instance(s) Available.",
:: so test the output. %TARGET% (not !TARGET!) is used on piped lines because
:: delayed expansion is not applied inside a pipe.
wmic useraccount where name='%TARGET%' get name 2>nul | find /i "%TARGET%" >nul
if !errorlevel! neq 0 (
    echo [ERROR] Local account "!TARGET!" not found.
    pause
    exit /b 1
)

:: 3. Show current status
echo.
echo [CURRENT] Account settings for "!TARGET!":
wmic useraccount where name='%TARGET%' get name,passwordexpires,passwordchangeable 2>nul
echo.

:: 4. Confirm before applying
set "CONFIRM="
set /p "CONFIRM=Apply service account hardening? (Y/N): "
if /i not "!CONFIRM!"=="Y" (
    echo [INFO] Cancelled. No changes made.
    pause
    exit /b 0
)

:: 5. Apply "Set and Forget" Security
echo [PROCESS] Hardening "!TARGET!" for persistent service use...

:: Disable Password Expiration (via WMI), then read the property back to verify
wmic useraccount where name='%TARGET%' set passwordexpires=false >nul 2>&1
wmic useraccount where name='%TARGET%' get passwordexpires 2>nul | find /i "FALSE" >nul
if !errorlevel! equ 0 (
    echo [PASS] Password expiration disabled.
) else (
    echo [FAIL] Could not disable password expiration.
)

:: Block User from Changing Password (via Net User; net returns a non-zero code on failure)
net user "!TARGET!" /passwordchg:no >nul 2>&1
if !errorlevel! equ 0 (
    echo [PASS] User cannot change password.
) else (
    echo [FAIL] Could not restrict password changes.
)

:: 6. Verify final state
echo.
echo [VERIFY] Updated settings:
wmic useraccount where name='%TARGET%' get name,passwordexpires,passwordchangeable 2>nul

echo.
echo [SUCCESS] Account configuration complete.
echo [REMINDER] Schedule a manual password rotation every 12-24 months.
echo ============================================================
pause

Common Pitfalls and How to Avoid Them

Administrative Rights

Modifying account longevity properties requires Administrator privileges. If run from a standard user terminal, wmic will return an "Access Denied" error or "No Instance(s) Available."

Global GPO Overrides

In some high-security environments, a "Default Domain Policy" might be configured to ignore the "Never Expire" flag on local accounts.

Troubleshooting Tip

Advise your users that if their script reports success but the password still expires, they should check their Group Policy (GPO) settings under Computer Configuration > Windows Settings > Security Settings > Account Policies.

Best Practices for Password Permanency

  1. Monitor the Usage: Just because a password never expires doesn't mean it should never be changed. Schedule a manual rotation every 12-24 months for your service accounts.
  2. Limit Access: Ensure that accounts set to "Never Expire" have the absolute minimum permissions (Principle of Least Privilege). They should never be members of the "Administrators" group if it can be avoided.
  3. Audit Regularly: Use your script to audit your user list once a month: wmic useraccount get name,passwordexpires. If you find a human user with PasswordExpires=FALSE, investigate immediately.

Local vs. Domain

Note that wmic queries the local machine. Even if a user is a domain user, wmic useraccount only reflects the local cache of that account on that specific computer. Always use dsmod or PowerShell for network-wide changes.
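The monthly audit recommended under Best Practices, combined with the local-versus-domain distinction just made, is the detection side of this topic. The following batch script is an added example, not code from the original article: it lists every local account with PasswordExpires=FALSE, then, when dsquery.exe (RSAT) is present, every domain account with the DONT_EXPIRE_PASSWORD bit set, and flags any name that is not on an allowlist of approved service accounts. The three names in the APPROVED list are constructed placeholders.

```batch
@echo off
setlocal EnableDelayedExpansion

:: Added example: list every account whose password never expires and flag
:: the ones that are not on an approved list. The local audit uses wmic; the
:: domain audit runs only when dsquery.exe (RSAT) is available.

:: Constructed allowlist of approved service/kiosk accounts. It is wrapped in
:: spaces so that " name " matches whole names only.
set "APPROVED= AppService Kiosk01 BuildAgent "

echo === Local accounts with PasswordExpires=FALSE ===
:: /format:list prints "Name=<value>" lines. The inner for /f re-parses each
:: value to strip the stray carriage return wmic appends; without that the
:: allowlist comparison never matches.
for /f "tokens=1,* delims==" %%A in ('wmic useraccount where "PasswordExpires=FALSE" get Name /format:list 2^>nul') do (
    for /f "delims=" %%N in ("%%B") do call :report "%%N"
)

where dsquery >nul 2>&1
if errorlevel 1 (
    echo.
    echo [INFO] dsquery.exe not found; skipping the domain audit.
    goto :eof
)

echo.
echo === Domain accounts with DONT_EXPIRE_PASSWORD set ===
:: userAccountControl bit 0x10000 (65536) is DONT_EXPIRE_PASSWORD, and
:: 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
:: -limit 0 lifts the default cap of 100 results; skip=1 drops the header line.
for /f "skip=1 tokens=1" %%S in ('dsquery * domainroot -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -attr sAMAccountName -limit 0') do call :report "%%S"
goto :eof

:report
:: Remove " <name> " from the allowlist; if nothing changed, the name is not approved.
set "NAME=%~1"
if "!APPROVED: %NAME% =!"=="!APPROVED!" (
    echo [REVIEW]   %NAME%   not on the approved list; investigate
) else (
    echo [APPROVED] %NAME%
)
exit /b
```

Schedule it as a monthly task and review every [REVIEW] line: a human user in that list is the condition the Best Practices section says to investigate immediately. Built-in accounts such as the local Administrator commonly appear here because the flag is set on them by default, so add the ones you have consciously accepted to the allowlist rather than ignoring the output.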

Conclusion

Setting a password to never expire via Batch script is an essential task for ensuring the reliability of background services and automated systems in a professional Windows environment. By leveraging the wmic and dsmod utilities to automate this configuration, you can prevent unnecessary system downtime and simplify the management of specialized accounts. This professional approach to system administration balances operational necessity with security awareness, providing a clear and reliable mechanism for maintaining your organization's most critical identities across the entire Windows network.