MsDS-UserPasswordExpiryTimeComputed allows you to get an Active Directory user's Password Expiration DateTime directly.
The algorithm is essentially this:
if "pwdLastSet" + "Max-Pwd-Age" <= "now" then "password is expired"
Typically, the Windows Client monitors Password Expiration and will inform a user that the password is expiring soon when they perform a local logon to the Windows Client. It then provides a mechanism for Password Change. As long as the user changes the password before it expires, they can continue to log in to the domain and all is good. However, once the password has expired, the user cannot log in again until an Administrative Password Reset occurs.
This situation is not as straightforward for LDAP users, as there is no natural "login" process that informs users of pending Password Expiration and prompts them for a Password Change. Instead, it is completely up to the developer to supply both a notification and a means by which to advise a Password Change when using LDAP.
Once a password has expired, all LDAP Bind Requests will fail (with ERROR_PASSWORD_EXPIRED) until a Password Reset is performed.
We can find all the users from LDAP who do NOT have DONT_EXPIRE_PASSWORD set by inspecting the User-Account-Control Attribute Values with a filter like:
(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=65536))
Here 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND rule and 65536 (0x10000) is the DONT_EXPIRE_PASSWORD bit. A match indicates that the user's password could expire.
These are the users we would want to be included in AD Determining Password Expiration.
CN=Builtin,DC=mad,DC=willeke,DC=com | - pwdMaxAge=-37108517437440
Which is "Sun, 19 Nov 1600 01:12:28 GMT", so I think we do not provide a pwdMaxAge for our domain.
Now we need to enumerate the results of the query above, which returns the entries whose passwords could expire. Then, for each result, you would need to perform a test like:
if ((pwdMaxAge + pwdLastSet) <= now()) { "Password is expired" }
You should also look at MsDS-UserPasswordExpiryTimeComputed.
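The filter and the per-entry test above, worked through as an added example (not code from the original page). It assumes the raw LDAP values: pwdLastSet as a FILETIME integer, maxPwdAge (the lDAPDisplayName of Max-Pwd-Age) as the negative 100-ns interval the domain head stores, and userAccountControl as an integer; sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed example values; attribute names are the real AD lDAPDisplayNames.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000        # userAccountControl bit 65536 used in the filter
MAXPWDAGE_NEVER = -(1 << 63)          # maxPwdAge value meaning "passwords never expire"
TICKS_PER_DAY = 24 * 60 * 60 * 10_000_000   # FILETIME is 100-ns ticks

def filetime_to_dt(ft):
    """pwdLastSet is a FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def could_expire(entry):
    """Local equivalent of the LDAP filter: person/user without DONT_EXPIRE_PASSWORD."""
    return (entry.get("objectCategory") == "person"
            and "user" in entry.get("objectClass", [])
            and not entry.get("userAccountControl", 0) & DONT_EXPIRE_PASSWORD)

def password_expiry(pwd_last_set, max_pwd_age, uac):
    """Expiry datetime, or None if the password cannot expire.
    maxPwdAge is stored on the domain as a NEGATIVE 100-ns interval, so the
    text's 'pwdLastSet + pwdMaxAge' becomes pwdLastSet - maxPwdAge here."""
    if uac & DONT_EXPIRE_PASSWORD or max_pwd_age in (0, MAXPWDAGE_NEVER):
        return None
    if pwd_last_set == 0:             # "must change password at next logon"
        return FILETIME_EPOCH         # treat as already expired
    return filetime_to_dt(pwd_last_set - max_pwd_age)

def is_expired(pwd_last_set, max_pwd_age, uac, now=None):
    """The test from the text: expired when pwdLastSet + maxPwdAge <= now()."""
    expiry = password_expiry(pwd_last_set, max_pwd_age, uac)
    now = now or datetime.now(timezone.utc)
    return expiry is not None and expiry <= now

if __name__ == "__main__":
    # Constructed sample: 42-day maxPwdAge, pwdLastSet 50 days ago -> expired.
    max_age = -42 * TICKS_PER_DAY
    now_ticks = (datetime.now(timezone.utc) - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    last_set = now_ticks - 50 * TICKS_PER_DAY
    print(password_expiry(last_set, max_age, 0x200), is_expired(last_set, max_age, 0x200))
```

A pwdLastSet of 0 and the maxPwdAge sentinel are the two edge cases that a naive "add and compare" misses, which is why the helper checks them before doing the arithmetic.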