AD Determining Password Expiration


AD Determining Password Expiration is how Microsoft Active Directory determines Password Expiration

MsDS-UserPasswordExpiryTimeComputed allows you to get the date the MSA's Password Expiration DateTime

AD Determining Password Expiration Algorithm#

In determining if a Password Expired condition exists Microsoft Active Directory, you must complete the following sub-tasks:

The algorithm is essentially this:

if "pwdLastSet" + "Max-Pwd-Age" >= "now"   "password is expired"

Typically, the Windows Client monitors Password Expiration and will inform a user that the password is expiring soon when they perform a logon locally to Windows Client. It then provides a mechanism for Password Change. As long as the user changes the password before Password Expired, they can continue to log in to the domain and all is good. However, if the password expires, then the user cannot log in again until an Administrative Password Reset occurs.

This situation is not as straightforward for LDAP users, as there is no natural "login" process that informs users of pending Password Expiration and prompts them for a Password Change. Instead, it is completely up to the developer to supply both a notification and a means by which to advise a Password Change when using LDAP.

Once a password has expired, all LDAP Bind Requests will fail (with ERROR_PASSWORD_EXPIRED) until a Password Reset is performed.


First we need to know if the entry's DONT_EXPIRE_PASSWORD from the User-Account-Control Attribute. The DONT_EXPIRE_PASSWORD value always takes precedence over other aspects of the Password Policy.

We can find all the users from LDAP who do NOT have DONT_EXPIRE_PASSWORD set by inspecting the User-Account-Control Attribute Values with a filter like:

This indicates that the user's password could expire.

These are the users we would want to be included in AD Determining Password Expiration.

pwdLastSet #

The pwdLastSet is the date, in LargeInteger, when the password was last set on the entry.


The maxPwdAge attribute specifies the maximum amount of time that a password is valid. It is stored in LargeInteger and is time the password was set until the password expires. The value is obtained from the Domain root object when using LDAP the value of the maxPwdAge on the domain container. For our test server, it is:
    | - pwdMaxAge=-37108517437440
Which is "Sun, 19 Nov 1600 01:12:28 GMT", So I think we do not provide a pwdMaxAge for our domain.

Now we need to enumerate the result from the query above that returns the entries which passwords could expire. Then each result you would need to perform a test like:

if ((pwdMaxAge + pwdLastSet)) <=now())
   "Password is expired"

You should also look at MsDS-UserPasswordExpiryTimeComputed.

More Information#

There might be more information for this subject on one of the following: