PasswordExpirationTime has an OID of 2.16.840.1.113719. and is the value when Password Expiration occurs. (Not considering Grace Logins)

The value is set on a user whenever a Password Modify Operation happens or whenever a Edirectory Password Policy is set for "Number of days before password expires" which will set the PasswordExpirationTime value on the user.

PasswordExpirationTime can be set to an "earlier" time than the calculated setting form the Edirectory Password Policy and the value will be honored. PasswordExpirationTime can NOT be se to a later value.

When using EDirectory, to to make the PasswordExpirationTime effective, you must also Enable Grace Logins.
Some setting similaer to:

How is the password expiration time calculated when using the NMAS Universal Password?#

The determination of whether a user's NMAS Universal Password has expired is not totally based on using the date and time value for the PasswordExpirationTime Attribute Value for a user. It is used but is first calculated dynamically on login then compared to it.

The Universal Password Password Expired Algorithm performs the following calculations:

PasswordExpirationTime is calculated#

PasswordExpirationTime is calculated by adding the passwordExpirationInterval to the pwdChangedTime.

PasswordExpirationTime is calculated when there is a Password Modify Operation (determined from the PwdChangedTime) and and it is recalculated during login if the passwordExpirationInterval has been changed to a shorter amount of time or if the Edirectory Password Policy has been changed.

Password Reset and PasswordExpirationTime#

Edirectory Administrative Password Changes may affect the values for PasswordExpirationTime.

LDAP Attribute Definition#

The PasswordExpirationTime AttributeTypes is defined as:

More Information#

There might be more information for this subject on one of the following: