
Sounds like bollocks to me.

Your RDP password is your AD password and that is encrypted and salted (I think). There are some worrying extensions to MSAD but I don't think that unless you tick the box in ADUC that your password will be stored unencrypted, it will be stored unencrypted (hashed or whatever).

We need to understand what:

"...Microsoft said the behavior is “a design decision to ensure that at least one user account always has the ability to log in no matter how long a system has been offline.”"

really means.

I'm a Linux jockey but I can't be arsed with nonsense like this.

> one user account always has the ability to log in no matter how long a system has been offline

To me, it's pretty clear.

Assume that every password has an expiration date. Having not logged in to the system long enough, you end up with a system where every password has expired. A relatively reasonable thing to do then is to accept some previously valid password, and direct the user to the password reset flow. Else you end up with a system that rejects every login.

A much more reasonable thing to do would be to accept rescue codes in this situation, or use 2FA so that password expiration is not needed. But I bet the security checklists used by some behemoth insurance companies predate these inventions, nobody wants to alter them, and companies who don't want to pay higher IT insurance premiums have to follow these outdated and inefficient practices.


>Else you end up with a system that rejects every login.

That's called security.

What is it called if a compromised password can still be used to connect per RDP?


> but I don't think that unless you tick the box in ADUC that your password will be stored unencrypted, it will be stored unencrypted (hashed or whatever).

The only option is to use a 'reversible encryption'.

https://learn.microsoft.com/en-us/previous-versions/windows/...
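An added audit script (not from this thread or from Microsoft) that checks the two things the comments above argue about on a domain-joined Windows host: which AD accounts actually have the ADUC "reversible encryption" box ticked, and how many domain logons the local machine caches for offline sign-in. It assumes the RSAT ActiveDirectory module is installed and the account running it can read userAccountControl.

```powershell
# Requires the RSAT ActiveDirectory module and read access to user objects.
Import-Module ActiveDirectory

# UF_ENCRYPTED_TEXT_PWD_ALLOWED (0x80 / 128) is the userAccountControl bit that the
# ADUC "Store password using reversible encryption" checkbox sets. The OID below is
# the LDAP bitwise-AND matching rule, so the filter is evaluated on the DC.
$flagged = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' `
                      -Properties userAccountControl |
           Select-Object SamAccountName, Enabled, userAccountControl

if ($flagged) {
    Write-Warning "Accounts storing passwords with reversible encryption:"
    $flagged | Format-Table -AutoSize
} else {
    Write-Output "No accounts have reversible encryption enabled."
}

# CachedLogonsCount is the Winlogon setting for how many domain credentials Windows
# caches locally; these cached verifiers are what allow an interactive sign-in while
# no domain controller is reachable, i.e. the "offline" case discussed above.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
                            -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 10 }   # Windows default when the value is not set
Write-Output "Cached domain logons allowed on this host: $cached"
```

Setting CachedLogonsCount to 0 removes the offline sign-in path entirely, at the cost of locking out every domain user whenever the DC is unreachable, which is the trade-off the thread is describing.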
