Use the following steps to create an access template to prevent setting a user's password to never expire:
- Launch the Active Roles Server MMC console
- Navigate to the following: Configuration | Access Templates
- Right-click on the Access Templates container and select New | Access Template
- Provide a name for the access template such as, "Deny - Password Never Expires"
- Click Add, select 'Only the following classes' and check off 'User', click Next.
- Select 'Object property access', check off 'Deny permission', check off 'Read properties' and 'Write properties', click Next.
- Select 'The following properties' and check off 'Show all possible properties', check off 'Password Never Expires', click Finish.
- You'll see the permission listed as 'Deny, Read/Write Password Never Expires, User', click Next.
- You'll see the summary, click Finish.
Once your access template is created, you can assign it to the appropriate scope and users/groups to deny access to the 'Password Never Expires' for user accounts.