3.1.1.4.5.33 msDS-UserPasswordExpiryTimeComputed

The msDS-UserPasswordExpiryTimeComputed attribute exists on AD DS but not on AD LDS.

This attribute indicates the time when the password of the object will expire. Let TO be the object on which the attribute msDS-UserPasswordExpiryTimeComputed is read. If TO is not in a domain NC, then TO!msDS-UserPasswordExpiryTimeComputed = null. Otherwise let D be the root of the domain NC containing TO. The DC applies the following rules, in the order specified below, to determine the value of TO!msDS-UserPasswordExpiryTimeComputed:

  • If any of the ADS_UF_SMARTCARD_REQUIRED, ADS_UF_DONT_EXPIRE_PASSWD, ADS_UF_WORKSTATION_TRUST_ACCOUNT, ADS_UF_SERVER_TRUST_ACCOUNT, ADS_UF_INTERDOMAIN_TRUST_ACCOUNT bits is set in TO!userAccountControl, then TO!msDS-UserPasswordExpiryTimeComputed = 0x7FFFFFFFFFFFFFFF.

  • Else, if TO!pwdLastSet = null, or TO!pwdLastSet = 0, then TO!msDS-UserPasswordExpiryTimeComputed = 0.

  • Else, if Effective-MaximumPasswordAge = 0x8000000000000000, then TO!msDS-UserPasswordExpiryTimeComputed = 0x7FFFFFFFFFFFFFFF (where Effective-MaximumPasswordAge is defined in [MS-SAMR] section 3.1.1.5).

  • Else, TO!msDS-UserPasswordExpiryTimeComputed = TO!pwdLastSet + Effective-MaximumPasswordAge (where Effective-MaximumPasswordAge is defined in [MS-SAMR] section 3.1.1.5).