Overview #

MsDS-UserPasswordExpiryTimeComputed Virtual Attribute Attribute indicates the time when the password of the entry will expire. [1]

MsDS-UserPasswordExpiryTimeComputed performs the AD Determining Password Expiration calculations.

In Microsoft Active Directory Virtual Attribute cannot be returned as value data in an LDAP search request unless the search scope is set to "base" which means that the LDAP client accesses only one single entry.

The msDS-UserPasswordExpiryTimeComputed attribute exists on AD DS but not on AD LDS.

If USER is the Entry on which the attribute msDS-UserPasswordExpiryTimeComputed is read.

If USER is not in a domain NC, then USER:msDS-UserPasswordExpiryTimeComputed = null.

If DC is the root of the domain NC containing USER. The DC applies the following rules, in the order specified below, to determine the value of USER:msDS-UserPasswordExpiryTimeComputed: If any of the following are set bits is set on USER entry:User-Account-Control Attribute:

then USER:msDS-UserPasswordExpiryTimeComputed = 0x7FFFFFFFFFFFFFFF.

If pwdLastSet = null or pwdLastSet = 0, #

then USER:msDS-UserPasswordExpiryTimeComputed = 0.

if Effective-MaximumPasswordAge = 0x8000000000000000 #

then USER:msDS-UserPasswordExpiryTimeComputed = 0x7FFFFFFFFFFFFFFF (where Effective-MaximumPasswordAge is defined in MS-SAMR section 3.1.1.5).

Otherwise #

  • msDS-UserPasswordExpiryTimeComputed = USER:pwdLastSet + Effective-MaximumPasswordAge (where Effective-MaximumPasswordAge is defined in MS-SAMR section 3.1.1.5).

More Information #

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-6) was last changed on 30-Jan-2016 15:59 by jim