Overview #

MsDS-UserPasswordExpiryTimeComputed Virtual Attribute Attribute indicates the time in LargeInteger Date format when the password of the entry will expire. [1]

MsDS-UserPasswordExpiryTimeComputed performs the AD Determining Password Expiration calculations.

In Microsoft Active Directory Virtual Attribute can be returned as value data in an LDAP SearchRequest.

If USER is the Entry on which the attribute msDS-UserPasswordExpiryTimeComputed is read.

If USER is not in a domain NC, then USER:msDS-UserPasswordExpiryTimeComputed = null.

If DC is the root of the domain NC containing USER. The DC applies the following rules, in the order specified below, to determine the value of USER:msDS-UserPasswordExpiryTimeComputed: If any of the following are set bits is set on USER entry:User-Account-Control Attribute:

• ADS_UF_SMARTCARD_REQUIRED
• ADS_UF_DONT_EXPIRE_PASSWORD
• ADS_UF_WORKSTATION_TRUST_ACCOUNT
• ADS_UF_SERVER_TRUST_ACCOUNT
• ADS_UF_INTERDOMAIN_TRUST_ACCOUNT

then USER:msDS-UserPasswordExpiryTimeComputed = 0x7FFFFFFFFFFFFFFF.

If pwdLastSet = null or pwdLastSet = 0, #

then USER:msDS-UserPasswordExpiryTimeComputed = 0.

if Effective-MaximumPasswordAge = 0x8000000000000000 #

then USER:msDS-UserPasswordExpiryTimeComputed = 0x7FFFFFFFFFFFFFFF (where Effective-MaximumPasswordAge is defined in MS-SAMR section 3.1.1.5).

Otherwise #

• msDS-UserPasswordExpiryTimeComputed = USER:pwdLastSet + Effective-MaximumPasswordAge (where Effective-MaximumPasswordAge is defined in MS-SAMR section 3.1.1.5).

More Information #

There might be more information for this subject on one of the following:

• AD Determining Password Expiration

---

• [#1] - MSDN-msDS-UserPasswordExpiryTimeComputed - based on information observed on 2014-08-11