PasswordExpirationTime has an OID of 2.16.840.1.113719. and is the value when Password Expiration occurs. (Not considering Grace Logins)

The value is set on a user whenever a Password Modify Operation happens or whenever a Edirectory Password Policy is set for "Number of days before password expires" which will set the PasswordExpirationTime value on the user.

PasswordExpirationTime can be set to an "earlier" time than the calculated setting form the Edirectory Password Policy and the value will be honored. PasswordExpirationTime can NOT be se to a later value.

When using EDirectory, to to make the PasswordExpirationTime effective, you must also Enable Grace Logins.
Some setting similaer to:

PasswordExpirationTime is calculated#

PasswordExpirationTime is calculated by adding the passwordExpirationInterval to the pwdChangedTime.

PasswordExpirationTime is calculated when there is a Password Modify Operation and and it is recalculated during login if the passwordExpirationInterval has been changed to a shorter amount of time or if the Edirectory Password Policy has been changed.

Password Reset and PasswordExpirationTime#

Edirectory Administrative Password Changes may affect the values for PasswordExpirationTime.

LDAP Attribute Definition#

The PasswordExpirationTime AttributeTypes is defined as:

More Information#

There might be more information for this subject on one of the following: