How to force users to change their password periodically on Windows 10

Windows 10 packs a lot of great security features, including biometric authentication with Windows Hello, malware protection with Windows Defender, and Windows Update to keep your device up to date and secure. However, even with all these features, your PC can still be vulnerable to unauthorized access if you keep using the same password for a long time.

Although users can change their password at any time, you can also configure the operating system to ask users to change it periodically.

There are at least three methods to do this, but the method you need to use will always depend on the edition of Windows your PC is running, and whether you're using a local or Microsoft account.

In this Windows 10 guide, we'll walk you through the steps to force users to change their password after a specific number of days to keep accounts a little more secure.

How to enforce password change using Group Policy

If you're running Windows 10 Pro, Enterprise, or Education, you can use the Local Group Policy Editor to quickly configure the time (in days) before users must change their password for a local account.

  1. Use the Windows key + R keyboard shortcut to open the Run command.
  2. Type gpedit.msc and click OK to open the Local Group Policy Editor.
  3. Browse the following path: Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
  4. On the right side, double-click the Maximum password age policy.
  5. Set the number of days a password can be used before Windows 10 requires users to change it. (A good rule of thumb is to select 72 days.)
  6. Click OK to complete the task.

After the period of time specified, users will get prompted to change their password as they try to sign in.

It's worth pointing out that along with the maximum password age option, you can also force users to use a more complex password and even implement a password history, so they don't reuse an old password.

Here are the password policies available:

  • Enforce password history
  • Minimum password age
  • Minimum password length

How to enforce password change using Command Prompt

Windows 10 Home doesn't include the Local Group Policy Editor, but you can use Command Prompt to accomplish the same result.

  1. Open Start.
  2. Search for Command Prompt.
  3. Right-click the result and select Run as administrator.
  4. Type the following command to enable password expiration and press Enter:
     wmic UserAccount set PasswordExpires=True
  5. Type the following command to set the number of days a password can be used before Windows 10 requires users to change it and press Enter:
     net accounts /maxpwage:72
  6. Type the following command to review your new password policy and press Enter:
     net accounts

After the period of time specified, similar to Group Policy, users will get a prompt to change their password as they try to sign in.

If you want to enforce password expiration for one user, then you can use the same steps, but on step 4, use this command instead:

wmic UserAccount where Name='USERNAME' set PasswordExpires=True

Note: Remember to replace "USERNAME" with the name of the account you want the password to expire.
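
To confirm the result of the Command Prompt steps above, the following read-only PowerShell check lists each local account, whether its password is set to expire, and how many days remain before a change is required. It is an added example, not part of the original article; the function name Get-MaxPasswordAgeDays is hypothetical, and the parsing assumes English-language net accounts output.

```powershell
# Added example: read-only audit of local password expiry settings.
# Run from an elevated PowerShell prompt. Nothing is modified.

# Hypothetical helper: parse the maximum password age from `net accounts`,
# the command the article uses to review the policy.
# Assumption: English output, e.g. "Maximum password age (days):    72".
function Get-MaxPasswordAgeDays {
    param([string[]]$NetAccountsOutput = (net accounts))
    foreach ($line in $NetAccountsOutput) {
        if ($line -match '^Maximum password age \(days\):\s+(\S+)') {
            $value = $Matches[1]   # copy before the next -match resets $Matches
            if ($value -match '^\d+$') { return [int]$value }
            return $null           # "Unlimited": no maximum age is enforced
        }
    }
    throw 'Maximum password age not found in net accounts output.'
}

$maxAge = Get-MaxPasswordAgeDays

# Win32_UserAccount is the WMI class that `wmic UserAccount` edits, so its
# PasswordExpires property shows whether the flag was actually applied.
Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount=True' |
    ForEach-Object {
        $local   = Get-LocalUser -Name $_.Name -ErrorAction SilentlyContinue
        $lastSet = if ($local) { $local.PasswordLastSet } else { $null }

        # Days left only makes sense when the flag is on, a maximum age is
        # configured, and the account has a recorded password change.
        $daysLeft = $null
        if ($_.PasswordExpires -and $maxAge -and $lastSet) {
            $daysLeft = $maxAge - ((Get-Date) - $lastSet).Days
        }

        [pscustomobject]@{
            Name            = $_.Name
            Enabled         = -not $_.Disabled
            PasswordExpires = $_.PasswordExpires
            PasswordLastSet = $lastSet
            DaysUntilChange = $daysLeft
        }
    } | Sort-Object PasswordExpires, Name | Format-Table -AutoSize
```

Accounts that still show PasswordExpires as False were not changed by the wmic command, and a negative DaysUntilChange means the password is already past the configured maximum age.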

How to enforce password change on a Microsoft account

If you're using a Microsoft account, the steps we mentioned earlier won't work. However, you can enable an option on your account to make you change your password every 72 days.

  1. Open your browser and sign in to your Microsoft account.
  2. On Security & privacy, click on the Change password link.
  3. Create a new password.
  4. Check the Make me change my password every 72 days option.
  5. Click Next to complete the task.

The caveat with this option is that you don't have the flexibility to choose a number of days, but 72 days is one of the most common recommended time frames to force users to change their account password.

In addition, it's important to note that with this change, you will not only be making your Windows 10 account more secure, but every other service you use with a Microsoft account, including OneDrive, Outlook.com, Skype, and others.

Keep in mind that while we're focusing this guide on Windows 10, you can use the steps to use Group Policy and Command Prompt to force users to change their passwords on Windows 8.1 and Windows 7.

Do you periodically change your account password on Windows 10? Tell us in the comments below.

Mauro Huculak is a technical writer for WindowsCentral.com. His primary focus is to write comprehensive how-tos to help users get the most out of Windows 10 and its many related technologies. He has an IT background with professional certifications from Microsoft, Cisco, and CompTIA, and he's a recognized member of the Microsoft MVP community.

16 Comments
  • "Frequent Password changes are the enemy of security..." http://arstechnica.com/security/2016/08/frequent-password-changes-are-th...
  • uninstall windows 10
  • Interesting article, thanks for sharing... I tend to agree... I've tried this in the past, changing passwords frequently, and have had a hard time resetting password for them. Also since I've so many accounts Microsoft, Google, Flipkart, banks, etc it becomes impossible to remember the right password for the right site/account at the right time. So like what someone else suggested, I prefer the style where you make one super strong password and then stick to it for a while, at least a year.
  • My personal strategy is to have one really strong password that I can remember and I use that for my password manager.  Everything else is randomly generated and stored in that.  I don't ever change any of these passwords unless the company/site requires me to.   Two factor authentication is also turned on for everything that supports it (including the password manager).
  • There's no need to constantly change your passwords, as long as you have a strong password; that is the best option.
  • I also think so. But the company I work for doesn't :D I have to change my password on half of the internal apps every month, just like the password of my account itself, that I access the server with. I don't even know what to use as a password now, so I end up using stupid ones like Onionbeans94 and stuff like that. :D So god bless password managers xD
  • Yeah everywhere I have to have a password that requires it to be changed on a regular basis it just ends up becoming something like 'Onionbeans1', then next time 'Onionbeans2', then 'Onionbeans3', etc.
  • Even Microsoft once did a study that showed enforcing password changes did more harm than good
  • Sorry my devices are password free! Hated it in days of DOS, and the rest is history.
  • In other news, you can do a lot of stuff with Group Policy. Nothing new here folks.
  • "Regular password changing harms rather than improves security, so avoid placing this burden on users. However, users must change their passwords on indication or suspicion of compromise." https://www.gov.uk/government/uploads/system/uploads/attachment_data/fil...
  • Stop pushing the myth that frequent passwords leads to better security
  • Changing passwords every time is so safe that even yourself will be restricted!
  • The only thing increased by constantly changing passwords, is user's familiarity with their help desk, or password reset mechanisms.
  • But this all does not get through to people deciding to propagate this story of ever changing passwords or enforcing it on coworkers only to say later: they did all they could to enhance (and hereby sabotage) the security of their company. Why not enforcing to change biometric data in Windows Hello? Replacing the user would be even better, no one would ever know which one needs to be bribed in order to get access to desired information.
  • Unless you change passwords every hour by the time you actually change your passwords it's already too late. Anyone that steals your passwords would use them right away, not wait for weeks or months. People that are forced to regularly change their passwords often resort to some kind of logical system to generate and remember their passwords. Therefore forcing people to regularly change their passwords is bad policy.