3.1.5.14.3 PasswordCanChange Generation

The PasswordCanChange value is computed as follows:

1. If either the dBCSPwd attribute or the unicodePwd attribute does not have a value, or if either of these is equal to the respective hash of a zero-length string, PasswordCanChange MUST be 0.

2. Otherwise, the PasswordCanChange value MUST be the pwdLastSet attribute value on the user object plus the Effective-MinimumPasswordAge attribute value (see section 3.1.1.5).