
3.1.1.4.5.26 msDS-UserPasswordExpired

The msDS-UserPasswordExpired attribute exists on AD LDS but not on AD DS.

Let TO be the object from which the msDS-UserPasswordExpired attribute is being read. Let ST be the current time, read from the system clock.

If the machine running AD LDS is joined to a domain, let D be the root of the domain NC of the joined domain. Then TO!msDS-UserPasswordExpired is true if all of the following are true:

  • The LDAP configurable setting ADAMDisablePasswordPolicies ≠ 1.

  • None of bits ADS_UF_SMARTCARD_REQUIRED, ADS_UF_DONT_EXPIRE_PASSWD, ADS_UF_WORKSTATION_TRUST_ACCOUNT, ADS_UF_SERVER_TRUST_ACCOUNT, ADS_UF_INTERDOMAIN_TRUST_ACCOUNT is set in TO!userAccountControl.

  • TO!pwdLastSet = null, or TO!pwdLastSet = 0, or (D!maxPwdAge ≠ 0x8000000000000000 and (ST - TO!pwdLastSet) > D!maxPwdAge).

If the machine running AD LDS is not joined to a domain, then TO!msDS-UserPasswordExpired is true if all of the following are true:

  • The LDAP configurable setting ADAMDisablePasswordPolicies ≠ 1.

  • None of bits ADS_UF_SMARTCARD_REQUIRED, ADS_UF_DONT_EXPIRE_PASSWD, ADS_UF_WORKSTATION_TRUST_ACCOUNT, ADS_UF_SERVER_TRUST_ACCOUNT, ADS_UF_INTERDOMAIN_TRUST_ACCOUNT is set in TO!userAccountControl.

  • TO!pwdLastSet = null, or TO!pwdLastSet = 0, or (ST - TO!pwdLastSet) > X, where X is determined by the policy of the machine on which AD LDS is running.
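The two rule sets above can be evaluated offline when auditing exported AD LDS accounts. The following Python sketch is an added example, not part of the specification. It assumes that pwdLastSet and ST are 100-nanosecond tick counts and that the maximum age (D!maxPwdAge or X) has already been converted to a positive tick count; the function names and the sample accounts are hypothetical.

```python
from typing import Optional

# userAccountControl bits named in the conditions above
ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = 0x00000800
ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000
ADS_UF_SERVER_TRUST_ACCOUNT = 0x00002000
ADS_UF_DONT_EXPIRE_PASSWD = 0x00010000
ADS_UF_SMARTCARD_REQUIRED = 0x00040000
EXEMPT_BITS = (ADS_UF_INTERDOMAIN_TRUST_ACCOUNT | ADS_UF_WORKSTATION_TRUST_ACCOUNT
               | ADS_UF_SERVER_TRUST_ACCOUNT | ADS_UF_DONT_EXPIRE_PASSWD
               | ADS_UF_SMARTCARD_REQUIRED)
NEVER_EXPIRES = 0x8000000000000000   # sentinel tested against D!maxPwdAge
DAY = 24 * 60 * 60 * 10_000_000      # 100-ns ticks per day (assumed unit)


def user_password_expired(uac: int, pwd_last_set: Optional[int], st: int,
                          max_age: int, *, domain_joined: bool,
                          adam_disable_password_policies: int = 0) -> bool:
    """Evaluate the three conditions; all must hold for the result to be true."""
    if adam_disable_password_policies == 1:
        return False                      # password policies disabled
    if uac & EXEMPT_BITS:
        return False                      # one of the five exempting bits is set
    if pwd_last_set is None or pwd_last_set == 0:
        return True                       # never set, or change forced
    # The sentinel check appears only in the domain-joined rule set.
    if domain_joined and (max_age & 0xFFFFFFFFFFFFFFFF) == NEVER_EXPIRES:
        return False
    return (st - pwd_last_set) > max_age  # strict comparison, as in the text


# Constructed sample data: name -> (userAccountControl, pwdLastSet)
ST = 133_500_000_000_000_000
MAX_AGE = 42 * DAY
ACCOUNTS = {
    "never-set": (0x200, None),
    "stale": (0x200, ST - 43 * DAY),
    "fresh": (0x200, ST - 10 * DAY),
    "svc-noexpire": (0x200 | ADS_UF_DONT_EXPIRE_PASSWD, ST - 400 * DAY),
    "smartcard": (0x200 | ADS_UF_SMARTCARD_REQUIRED, 0),
}


def expired_accounts(accounts, st, max_age, *, domain_joined, disable=0):
    """Return the sorted names of accounts whose password counts as expired."""
    return sorted(name for name, (uac, pls) in accounts.items()
                  if user_password_expired(uac, pls, st, max_age,
                                           domain_joined=domain_joined,
                                           adam_disable_password_policies=disable))
```

Accounts with ADS_UF_DONT_EXPIRE_PASSWD or a never-expire maximum age never report as expired on age, so an audit that relies on this attribute should list them separately.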

 
© 2015 Microsoft