I'm trying to figure out how to make it so that all members of a distribution list (DL) don't have their passwords expire. I know that using MgGraph can help a service account avoid password expiration, but I'm looking for a way to apply this to all members of a DL. I've heard it might be possible to set a group of service accounts to have non-expiring passwords, but I can't find a clear guide on how to do this.
Is there a method to control password expiration based on groups? And if none of the members seem to have an expiration policy, how are they managing not to expire?
2 Answers
Have you checked the audit logs for those users? I suspect someone may have run a PowerShell script to change the expiration settings for all members in the distribution list.
That's puzzling! It might help to double-check any inherited group policies or specific settings at the organizational level that could affect those users.
A good rule of thumb is to avoid using distribution lists for anything related to access control or security. Instead, I recommend creating a separate security group just for managing those permissions, and keep your DL for email distribution only. It's a cleaner approach!
Also, if you're managing both communication and security aspects, consider using Microsoft 365 groups. They allow group owners to manage membership directly in Teams and Outlook, which can make things smoother.
But how do you control password policies for the members in that security group? I'm trying to understand how a specific group seems to not have expiring passwords when their policies don’t explicitly state it. Is there a way to trace the linked policies?
I looked into it, but the individual user fields for password policies are blank. There's no 'disable password expiration' setting, and they still don’t expire. I really want to figure out where this policy is coming from.
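Added example, not part of the original thread: one way to trace where a non-expiring password comes from when the per-user field is blank, by comparing each member's `PasswordPolicies` value with the `PasswordValidityPeriodInDays` of the domain in their UPN (the organization-level setting). The function name and the sample accounts and domains are hypothetical; the commented lines at the end show Microsoft Graph PowerShell cmdlets that would supply live data.

```powershell
# Added example. Sample data is constructed; property names follow the
# Microsoft Graph user and domain resources.
$NeverExpires = 2147483647  # domain value meaning passwords never expire

function Get-PasswordExpirySource {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [Parameter(Mandatory)] [object[]] $Domains
    )
    foreach ($u in $Users) {
        $suffix = ($u.UserPrincipalName -split '@')[-1]
        $domain = $Domains | Where-Object { $_.Id -eq $suffix } | Select-Object -First 1
        # Graph documents 90 days as the default when the domain value is unset.
        $days = if ($domain -and $domain.PasswordValidityPeriodInDays) {
            $domain.PasswordValidityPeriodInDays } else { 90 }

        $source = if ($u.PasswordPolicies -match 'DisablePasswordExpiration') {
            'Per-user flag DisablePasswordExpiration'
        } elseif ($u.OnPremisesSyncEnabled) {
            'Directory-synced account: review the on-premises AD policy as well'
        } elseif ($days -eq $NeverExpires) {
            "Domain $suffix is set to never expire"
        } else {
            "Domain $suffix expires passwords after $days days"
        }
        [pscustomobject]@{ User = $u.UserPrincipalName; Source = $source }
    }
}

# Constructed sample input (not real accounts)
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'svc-a@contoso.example'; PasswordPolicies = 'DisablePasswordExpiration'; OnPremisesSyncEnabled = $null }
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; PasswordPolicies = $null; OnPremisesSyncEnabled = $null }
    [pscustomobject]@{ UserPrincipalName = 'bob@fabrikam.example'; PasswordPolicies = $null; OnPremisesSyncEnabled = $true }
    [pscustomobject]@{ UserPrincipalName = 'carol@fabrikam.example'; PasswordPolicies = 'None'; OnPremisesSyncEnabled = $null }
)
$domains = @(
    [pscustomobject]@{ Id = 'contoso.example'; PasswordValidityPeriodInDays = 2147483647 }
    [pscustomobject]@{ Id = 'fabrikam.example'; PasswordValidityPeriodInDays = $null }
)
Get-PasswordExpirySource -Users $users -Domains $domains | Format-Table -AutoSize

# Live data instead of the samples (requires the Microsoft.Graph module):
# Connect-MgGraph -Scopes 'User.Read.All','GroupMember.Read.All','Domain.Read.All'
# $users = Get-MgGroupMember -GroupId '<group-object-id>' -All | ForEach-Object {
#     Get-MgUser -UserId $_.Id -Property UserPrincipalName,PasswordPolicies,OnPremisesSyncEnabled }
# $domains = Get-MgDomain -All
```

In the sample output, `alice@contoso.example` has a blank per-user field yet never expires because of the domain-level value, which is the situation described in the last comment.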