You should also look at msDS-UserPasswordExpiryTimeComputed.

In determining if an entry's password is expired in AD, you must complete the following sub-tasks:

  • Determine if the user account password is set to expire. If the user's "Password never expires" option is enabled, there is no need to calculate password expiration.
  • Determine when the user last changed their password. If the user's "Password never expires" option is disabled, as it should be, the next task is to determine when the user last changed their password.
  • Determine the maximum password age in the domain. Now that you know the user account password is set to expire and when the user last changed it, the next step is to determine how long a user is allowed to keep a password. This value is dictated by domain policy, so you must read it from the user's domain. One small caveat: if the maximum password age in the domain is set to 0, passwords in the domain do not expire, and the script must account for this exception.
  • Determine the current date. Knowing the current date, the date the password was last changed, and the Max-Pwd-Age attribute of the domain root object lets an application calculate how many days remain before the password must be changed.

The algorithm is essentially this:

if "password change date" + "max password age" <= "now" then "password is expired"

Typically, Windows monitors password expiration and informs a user that her password is expiring soon when she logs on locally to Windows. It then provides a mechanism to change the password. As long as the user changes her password before it expires, she can continue to log in to the domain and all is good. However, if the password expires, the user cannot log in again until an administrator resets it.

This situation is not as straightforward for LDAP users, as there is no natural "login" process that informs users of pending password expiration and prompts them for a password change. Instead, it is completely up to the developer to supply both a notification and a means by which to change a password when using LDAP.

Programmatic LDAP binds to either directory must be handled explicitly by the developer, as the application will not be warned of pending password expiration. Once a password has expired, all LDAP binds will fail until the password is reset by the user or an administrator.

AD determines whether a user's password is expired by adding the maxPwdAge interval to the pwdLastSet date and comparing the result to now().


First we need to know whether the entry has DONT_EXPIRE_PASSWORD set in its User-Account-Control attribute. The DONT_EXPIRE_PASSWORD value always takes precedence over other aspects of the password policy.

We can find all the users in LDAP who do NOT have DONT_EXPIRE_PASSWORD set by inspecting the User-Account-Control attribute values with a bitwise filter like:

This indicates that the user's password could expire.

These are the users we would want to be included in our results.

pwdLastSet#

The pwdLastSet is the date, in AD format, when the password was last set on the entry.


The maxPwdAge attribute specifies the maximum amount of time that a password is valid. It is stored as a (negative) number of 100-nanosecond intervals from the time the password was set until the password expires. When using LDAP, the value is read from the maxPwdAge attribute of the domain root object (the domain container). For our test server, it is:
    | - pwdMaxAge=-37108517437440
So I think we do not provide a pwdMaxAge for our domain.

Now we need to enumerate the results of the query above, which returns the entries whose passwords could expire. For each result, perform a test like:

if ((pwdLastSet + abs(pwdMaxAge)) <= now())
   "Password is expired"

Because maxPwdAge is stored as a negative interval (as the sample value above shows), its magnitude is added to pwdLastSet; adding the raw negative value would move the expiry date into the past.
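The complete check from this page (DONT_EXPIRE_PASSWORD precedence, the maxPwdAge "never expires" case, and the pwdLastSet + maxPwdAge comparison) as an added Python example, not code from the page or its author. It assumes the three attribute values have already been read over LDAP as integers; the bitwise-AND filter constant is the standard AD matching-rule form, supplied here because the page only describes it, and the sample maxPwdAge is the one shown above.

```python
from datetime import datetime, timedelta, timezone

DONT_EXPIRE_PASSWORD = 0x10000         # userAccountControl bit "Password never expires"
MAXPWDAGE_NEVER = -0x8000000000000000   # value AD stores when policy sets max age to 0
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 864_000_000_000         # 100-ns intervals in one day

# Standard filter for users whose password could expire (assumption: not from the page):
# 1.2.840.113556.1.4.803 is the bitwise-AND matching rule, 65536 == 0x10000.
CAN_EXPIRE_FILTER = ("(&(objectCategory=person)(objectClass=user)"
                     "(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))")

# Page's sample domain value; negative, as AD stores maxPwdAge.
SAMPLE_MAX_PWD_AGE = -37108517437440


def to_filetime(dt: datetime) -> int:
    """UTC datetime -> AD large integer (100-ns intervals since 1601-01-01)."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def from_filetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def password_expiry(uac: int, pwd_last_set: int, max_pwd_age: int):
    """FILETIME at which the password expires, or None if it never expires."""
    if uac & DONT_EXPIRE_PASSWORD:          # per-account flag beats domain policy
        return None
    if max_pwd_age in (0, MAXPWDAGE_NEVER):  # domain policy: passwords never expire
        return None
    if pwd_last_set == 0:                   # "must change at next logon": already due
        return 0
    return pwd_last_set - max_pwd_age       # maxPwdAge is negative: subtracting adds it


def is_password_expired(uac, pwd_last_set, max_pwd_age, now=None) -> bool:
    expiry = password_expiry(uac, pwd_last_set, max_pwd_age)
    if expiry is None:
        return False
    now = to_filetime(datetime.now(timezone.utc)) if now is None else now
    return expiry <= now


def days_remaining(uac, pwd_last_set, max_pwd_age, now=None):
    """Days until expiry (negative if already expired); None if it never expires."""
    expiry = password_expiry(uac, pwd_last_set, max_pwd_age)
    if expiry is None:
        return None
    now = to_filetime(datetime.now(timezone.utc)) if now is None else now
    return (expiry - now) / TICKS_PER_DAY
```

Pass `now` as a FILETIME integer to evaluate against a fixed instant instead of the wall clock.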

This page (revision-27) was last changed on 03-May-2016 14:29 by jim