While there are queries that can be run in Active Directory Administrative Center to determine which accounts haven’t had their passwords changed recently, this is not a task that’s likely to be performed by anyone outside the administration team.
Ultimately, whether you select the “password never expires” option is up to you. Enabling it does reduce the security of your organization, and with the advent of managed service accounts there are fewer reasons to use static passwords with any user account.
Solution – Best Practice
- Reconfigure the Administrator account’s properties to expire the password after a specified duration per the site’s policy.
- Ideally domain-wide policies should be set on the Domain Controller so that all Windows hosts on the domain comply automatically and each individual host does not need to be configured.
Note that the Administrator account on the Domain Controller(s) will always have a password that does not expire since the option check box in the properties dialog box for this account is unchecked.
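
The audit query and the first remediation step above can also be run from PowerShell. This is an added example, not part of the original page; it assumes the ActiveDirectory (RSAT) module is installed, and the 90-day threshold and CSV file name are placeholders to replace with your site's values.

```powershell
# Added example: find enabled accounts whose password never expires or is stale.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Assumption: 90 days is a placeholder; use the duration from your site's policy.
$MaxAgeDays = 90
$Cutoff     = (Get-Date).AddDays(-$MaxAgeDays)

# Show the domain-wide maximum password age for comparison (0 days = never expires).
$policy = Get-ADDefaultDomainPasswordPolicy
"Domain MaxPasswordAge: {0} days" -f $policy.MaxPasswordAge.Days

# Enabled users that are flagged 'password never expires', have no recorded
# password change, or last changed their password before the cutoff.
$report = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordNeverExpires, PasswordLastSet |
    Where-Object {
        $_.PasswordNeverExpires -or -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $Cutoff
    } |
    Select-Object SamAccountName,
        PasswordNeverExpires,
        PasswordLastSet,
        @{ Name = 'PasswordAgeDays'; Expression = {
            if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
        } },
        DistinguishedName |
    Sort-Object PasswordLastSet

$report | Format-Table -AutoSize
# Placeholder output path; keep the report with your audit records.
$report | Export-Csv -Path .\password-age-audit.csv -NoTypeInformation

# Remediation for one reviewed account: clear the 'password never expires' flag.
# -WhatIf only previews the change; remove it to apply.
Set-ADUser -Identity 'Administrator' -PasswordNeverExpires $false -WhatIf
```

Clearing the flag on an account whose password is already older than the maximum password age makes that password expired immediately, so change the password first or schedule the change with the account owner.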