Monday, June 6, 2016

Fine-Grained Password Policy and non-expiring Passwords

The world is moving towards non-expiring passwords. Even Microsoft themselves seem to agree. Well, we came up with a nifty way (IMHO) to implement this in our organization. Firstly, we kept our default domain password expiration policy, then we set up a fine-grained password policy and applied it to normal user accounts. The FGPP lifts the password expiry and puts in account lockout rules. This way, we can ensure that other special cases still get the default domain policy applied and have their passwords expire as usual.
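The setup described above, as an added PowerShell example (not the author's own script): a PSO that removes expiry and adds lockout rules, applied to a group of normal users, followed by the check a practitioner would run to confirm which policy a user actually gets. The group name, PSO name, user name and lockout values are assumptions.

```powershell
# Assumed names and values; adjust to your environment.
$PsoName    = 'NoExpiry-StandardUsers'
$UsersGroup = 'Standard Users'          # group containing normal user accounts
$SampleUser = 'jdoe'                    # a member of $UsersGroup

Import-Module ActiveDirectory

# Create the fine-grained password policy. MaxPasswordAge 0 lifts expiry;
# the lockout settings are what the default domain policy does not enforce
# for these users once the PSO wins. Lower Precedence wins if several apply.
New-ADFineGrainedPasswordPolicy -Name $PsoName `
    -Precedence 10 `
    -MaxPasswordAge 0 `
    -MinPasswordAge '1.00:00:00' `
    -MinPasswordLength 12 `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -LockoutThreshold 10 `
    -LockoutObservationWindow '0.00:15:00' `
    -LockoutDuration '0.00:30:00' `
    -ProtectedFromAccidentalDeletion $true

# Apply the PSO to the normal-user group only. Accounts outside this group
# (service accounts, admins, other special cases) keep the default domain policy.
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $UsersGroup

# Check 1: which policy is actually resultant for a user (null = default domain policy).
$pso = Get-ADUserResultantPasswordPolicy -Identity $SampleUser
if ($null -eq $pso) { "$SampleUser gets the DEFAULT domain policy" }
else               { "$SampleUser gets PSO '$($pso.Name)' (MaxPasswordAge=$($pso.MaxPasswordAge))" }

# Check 2: the expiry AD itself computes for the user. 0x7FFFFFFFFFFFFFFF means
# "never"; this is the value to compare against what OWA/EWS report.
$u = Get-ADUser -Identity $SampleUser -Properties 'msDS-UserPasswordExpiryTimeComputed'
$raw = $u.'msDS-UserPasswordExpiryTimeComputed'
if ($raw -eq [Int64]::MaxValue) { "$SampleUser password never expires (per AD)" }
else { "$SampleUser password expires $([DateTime]::FromFileTime($raw))" }
```

If Check 1 returns the default policy for a user you expected to be covered, confirm the account's group membership and the PSO's Precedence before looking at the Exchange side.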

So all worked well, except for OWA, which still shows the password expiry date based on the default domain policy. This means that users will be bugged to change their passwords, when their passwords will not actually expire anyway.

There's no real solution for this. Even Microsoft themselves acknowledged this and offered a few workarounds, but those aren't really practical. One of their workarounds was to disable OWA's password change feature. This is not ideal, but still acceptable, so we decided to go with that.

But the problem doesn't stop there. EWS has included a new function in its API since Exchange 2010 SP1, GetPasswordExpirationDate, which has the same behavior. As a result, all Mac Outlook clients (and any other client making use of this EWS call) will keep bugging our users with password expiry notifications.

We still have no solution, but it's good to know the technical details.