Set password expiration date in AD
I am writing a policy where I have to set password expiration time with respect to employeeType.
But the problem I am facing is that I am unable to set the password expiration time inside Active Directory.
I did get the attribute name msDS-UserPasswordExpiryTimeComputed, but I am unable to set values.
I did get the point that in eDirectory the value is CTIME and AD has a different time format.
Please help me out, or share any other policy you may have that resolves my problem.
As far as I know, you cannot set the pwdLastSet attribute in AD to anything else but zero (0).
Zero (0) means the user must change password at next logon. Other than that I don't think AD allows you to set any other value.
msDS-UserPasswordExpiryTimeComputed seems to just be a virtual attribute that is actually pwdLastSet:
msDS-UserPasswordExpiryTimeComputed has user password expiry time.
Yes, you can read it, and it contains when the password needs to be updated. But it is a read-only attribute that is calculated based on pwdLastSet (and other things such as the applied (fine-grained) password policy).
Also found this one:
So you can set it to -1 and that sets pwdLastSet to current date/time according to the link above.
Only the system can modify the pwdLastSet attribute to any value other than 0 or -1.
If you assign 0, the password is immediately expired. Then when the user changes their password the current date/time is assigned by the system to the pwdLastSet attribute.
The value -1 corresponds to the largest integer allowed in a 64-bit attribute, 2^63-1. This value does the reverse of 0. It makes the password not expired. When the user next logs on, the pwdLastSet attribute will be set by the system to the value corresponding to the current date/time.
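Added example, not from any post in this thread: a Python model of how the read-only expiry value follows from pwdLastSet and the policy's maximum age, with conversion to the seconds-since-1970 form used on the eDirectory side. The FILETIME and maxPwdAge encodings are stated here as assumptions, the function names are hypothetical, and the sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

# Assumptions (not from the thread): AD stores pwdLastSet as a Windows
# FILETIME (100-ns intervals since 1601-01-01 UTC) and maxPwdAge as a negative
# count of 100-ns intervals; eDirectory times are seconds since 1970-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
EPOCH_DIFF_SECONDS = 11644473600   # seconds from 1601-01-01 to 1970-01-01
NEVER = 0x7FFFFFFFFFFFFFFF         # 2^63-1, read back when nothing expires
NO_MAX_AGE = (0, -2**63)           # maxPwdAge values meaning "no maximum age"


def filetime_to_datetime(ft):
    """FILETIME -> aware UTC datetime; None for the 0 and NEVER sentinels."""
    if ft in (0, NEVER):
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def filetime_to_ctime(ft):
    """FILETIME -> seconds since 1970; None for the 0 and NEVER sentinels."""
    if ft in (0, NEVER):
        return None
    return ft // 10_000_000 - EPOCH_DIFF_SECONDS


def computed_expiry(pwd_last_set, max_pwd_age, never_expires=False):
    """Simplified model of the computed, read-only expiry value."""
    if never_expires:
        return NEVER               # account flagged "password never expires"
    if pwd_last_set == 0:
        return 0                   # expired: must change at next logon
    if max_pwd_age in NO_MAX_AGE:
        return NEVER
    return pwd_last_set + abs(max_pwd_age)


def writable_pwd_last_set(value):
    """Per the thread: a client may write only 0 or -1 to pwdLastSet."""
    return value in (0, -1)


# Constructed sample: password set 2024-01-01 00:00:00 UTC, 42-day maximum age.
SAMPLE_PWD_LAST_SET = 133485408000000000
SAMPLE_MAX_PWD_AGE = -42 * 24 * 3600 * 10_000_000

if __name__ == "__main__":
    exp = computed_expiry(SAMPLE_PWD_LAST_SET, SAMPLE_MAX_PWD_AGE)
    print(filetime_to_datetime(exp).isoformat(), filetime_to_ctime(exp))
```

Because the expiry is derived, a per-employeeType expiration has to come from the password policy applied to the account, not from a write to the computed attribute.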