Here is a nice “feature” I just learned about:
It is possible to deny the permission to tick the “Password never expires” checkbox, while keeping the ability to enable/disable the account and manipulate the other bits of “userAccountControl”.
I think this is useful for help desk people and delegated administrators, to ensure they change their passwords regularly, without affecting their ability to work.
This is an ACL at the domain level:
Note: This ACL defaults to “Allow”.
I just modified it to deny this permission, and tried to tick that checkbox with the “Administrator” account:
The checkbox is clickable, but you can’t apply your modifications.
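The same change can be scripted instead of clicked through. The following is an added example, not part of the original post: it assumes the permission in question is the “Unexpire Password” control access right (the `Unexpire-Password` object under `CN=Extended-Rights`), that the ActiveDirectory module (RSAT) is installed, and it uses a hypothetical group name, `HelpDesk-Operators`. It first lists the existing ACEs for that right on the domain head, then stages a deny ACE.

```powershell
# Added example: audit and deny the "Unexpire Password" right on the domain head.
Import-Module ActiveDirectory

# Hypothetical group name; replace with your delegated-admin / help desk group.
$GroupName = 'HelpDesk-Operators'

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext

# Resolve the control access right by name from the configuration partition
# instead of hard-coding its GUID.
$right = Get-ADObject `
    -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(cn=Unexpire-Password)' -Properties rightsGuid
if (-not $right) { throw 'Unexpire-Password extended right not found.' }
$rightGuid = [guid]$right.rightsGuid

$path = "AD:\$domainDn"
$acl  = Get-Acl -Path $path

# Audit: every ACE on the domain object that references this right,
# so you can see the default "Allow" before changing anything.
$acl.Access |
    Where-Object { $_.ObjectType -eq $rightGuid } |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited

# Build a deny ACE for the group on that single extended right.
$sid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $GroupName).SID
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $rightGuid)

$acl.AddAccessRule($ace)

# -WhatIf shows what would be written; remove it to apply the change.
Set-Acl -Path $path -AclObject $acl -WhatIf
```

Re-running the audit section after applying shows the new deny entry next to the default allow entry, which makes the change easy to review and to revert with `RemoveAccessRule`.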
There are some other permissions that can be pretty handy domain-wide: