1

CESG state that users should not be forced to undergo regular password changes as it often harms, rather than improves security. Does this logic apply to administrators as well, such as domain admins?

https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach

Jay
  • Possible duplicate of [How does changing your password every 90 days increase security?](https://security.stackexchange.com/questions/4704/how-does-changing-your-password-every-90-days-increase-security) – mootmoot Aug 07 '18 at 15:40

2 Answers

4

Yes; admins should not be rotating their passwords either. As an administrator my passwords are completely randomized and stored encrypted. For me to change my password only adds "secret" rotation. However, me changing my password to yet another random password doesn't add any security in terms of whether or not the password can be cracked. I would actually argue that if your current random password is not in a dictionary somewhere, then with every new random password you pick you're rolling the dice that the password is also not in a dictionary somewhere and also harder to crack; so each time you change the password when there is no reason to, you are rolling the dice that the password may be harder to crack.

NIST SP 800-63B agrees with me, believe it or not:

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

Basically, with the assumption that your password policy is sufficiently complex, you should only have users change their password if they feel like it (personal preference) or force them to if you suspect their account may have been compromised.

Another valid reason to not change your password regularly when it's unneeded is that normal users will almost always use a simple variation of the previous password. For example, if their password was mTpaGFrsYht12 they make it 1mTpaGFrsYht12; if their account was compromised then any password cracking tool like john would discover that new "rotated" password. Not to mention, if someone has compromised the network and is collecting hashes, each new password change is a hash and therefore a new password that the attacker can store in their database and attempt to crack offline.

The problem with passwords in security authorization is weak passwords, not strong passwords with weak secret rotation.
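The two verifier-side behaviours this answer argues for (no arbitrary expiry, a forced change only on evidence of compromise, per the NIST SP 800-63B text quoted above) and the "rotated password is a trivial variant of the old one" problem can both be put in code. The following is an added example, not code from the answer or from NIST; `Credential`, `change_required`, `change_password` and `is_trivial_variant` are names chosen here, and the variant heuristic (lowercasing, undoing common leetspeak substitutions, stripping leading/trailing digits and symbols, then comparing the cores) is an approximation of the kind of mangling rules crackers such as john apply, not john's actual rule set.

```python
"""Added example: a password-change policy in the spirit of NIST SP 800-63B.

No periodic expiry; a change is forced only when the credential is flagged as
compromised; a new password that is a trivial mutation of the old one is
rejected, because an attacker holding the old hash would recover it with a
small rule set. All names and thresholds here are illustrative assumptions.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

# Common leetspeak substitutions undone before comparing (assumed list).
LEET = {"4": "a", "@": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s"}


def core(password: str) -> str:
    """Reduce a password to the part that survives typical mangling rules."""
    s = "".join(LEET.get(c, c) for c in password.lower())
    # Strip the digits/symbols users append or prepend ("...12", "1...", "...!!!").
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (small inputs, so O(len(a)*len(b)) is fine)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str) -> bool:
    """True if `new` is the sort of mutation a cracker's rules derive from `old`."""
    a, b = core(old), core(new)
    if not a or not b:  # e.g. all-digit passwords: fall back to the raw strings
        a, b = old.lower(), new.lower()
    if a == b or a == b[::-1]:  # same core, or simply reversed
        return True
    if (a in b or b in a) and abs(len(a) - len(b)) <= 3:  # short affix added/removed
        return True
    return len(a) >= 6 and edit_distance(a, b) <= 2  # a couple of characters touched


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    compromised: bool = False  # set by the verifier on evidence of compromise


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enrol(password: str) -> Credential:
    salt = os.urandom(16)
    return Credential(salt, hash_password(password, salt))


def verify(cred: Credential, password: str) -> bool:
    return hmac.compare_digest(cred.digest, hash_password(password, cred.salt))


def change_required(cred: Credential) -> bool:
    """No age check at all: the only trigger is evidence of compromise."""
    return cred.compromised


def change_password(cred: Credential, old: str, new: str) -> tuple[bool, str]:
    if not verify(cred, old):
        return False, "current password incorrect"
    if len(new) < 8:  # SP 800-63B minimum length for memorized secrets
        return False, "new password shorter than 8 characters"
    if is_trivial_variant(old, new):
        return False, "new password is a trivial variant of the old one"
    cred.salt = os.urandom(16)
    cred.digest = hash_password(new, cred.salt)
    cred.compromised = False
    return True, "password changed"


if __name__ == "__main__":
    cred = enrol("mTpaGFrsYht12")  # constructed sample, as in the answer above
    print(change_required(cred))                                   # False
    print(change_password(cred, "mTpaGFrsYht12", "1mTpaGFrsYht12"))  # rejected
    cred.compromised = True
    print(change_required(cred))                                   # True
    print(change_password(cred, "mTpaGFrsYht12", "qZ9$kLmT2vX"))     # accepted
```

The variant check deliberately runs only at change time, when the verifier briefly has both plaintexts; it never needs to store the old password. It is a heuristic, and a large breached-password blocklist (which 800-63B also calls for) is the complementary control.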

1

To not start this answer with "it depends", I will start this answer with:
There are two ways to answer this.

  1. In your opinion: Are administrators also users and do they operate on the plane of mere mortals? If yes, then the logic of the NCSC does indeed apply to administrators as well. Are administrators a special breed and above the law? If you agree to that, then special rules should apply to them. How exactly these special rules are formulated differs from organization to organization and cannot be answered generically. A higher authority in an organization (a security team for instance) has to look at the advice that is given by the NCSC, then has to take a hard look at the operating administrators and then formulate some rules.

  2. This entirely depends on your level of trust towards the authority you are citing. Do you trust higher authorities in general? If so, then you are in luck. Because in my (and others') opinion the NCSC gives out very good advice on IT security and is a formidable source. I have not read the source you have given in full, but I think I have understood the gist of it. If the NCSC does not make a difference between administrators and users, and other authorities like NIST do not either in their Special Publication on Authentication and Lifecycle Management, why should you?

Tom K.