Disable: 'Do not allow password expiration time longer than required by policy' When you enable this setting, planned password expiration longer than password age dictated by "Password Settings" policy is NOT allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy. When you disable or not configure this setting, password expiration time may be longer than required by "Password Settings" policy. Counter Measure: Enable this setting. Potential Impact: Users must change their device password with the frequency specified.

[enable/disable]

(1) GPO: Computer ConfigurationAdministrative TemplatesLAPSDo not allow password expiration time longer than required by policy (2) REG: HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoft ServicesAdmPwdPwdExpirationProtectionEnabled