ADManager Plus uses the LDAP attributes of users and other objects to manage and generate reports. However, the password expiry of users is not a direct LDAP attribute in Active Directory. Instead, it is calculated based on the pwdLastSet attribute and the maximum password age specified in the password policy of the Group Policy Object (GPO) or Password Settings Object (PSO) applied to the user.
We cannot manually set a date in the pwdLastSet attribute as it is only updated by the system or AD. Here are some alternative ways to extend the password expiry of users:
Setting the pwdLastSet value to 0
When the pwdLastSet value is set to 0 (indicating the password has expired) and the Password never expires option is disabled, you can enforce a password change at the next logon.
When the user changes the password at the next logon, the password expiry period is extended by N days, as the pwdLastSet attribute is updated to the current date and time.
Setting the pwdLastSet value to -1
When the pwdLastSet value is set to -1 (indicating the value is not set) and the Password never expires option is disabled, the pwdLastSet attribute is updated to the current time at the user's next logon, thereby extending the password expiry period by N days.
If the pwdLastSet value does not update after setting it to -1, you can first set it to 0 and then update it to -1.
Enabling and disabling Password never expires
First, enable the Password never expires option and set the pwdLastSet value to 0.
Then, disable the Password never expires option to update the pwdLastSet attribute to the current time. This effectively extends the password expiry by N days.
Note:
The N days mentioned above will still depend on the password policy settings applied to the user account.
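The calculation described at the top of this article, written out as an added example (this is not ADManager Plus code). It assumes you have the raw pwdLastSet, userAccountControl and effective maximum password age values for an account; the function names and sample accounts are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # pwdLastSet counts 100 ns ticks from here
DONT_EXPIRE_PASSWORD = 0x10000    # userAccountControl bit behind "Password never expires"
NO_MAX_AGE = -0x8000000000000000  # maxPwdAge value AD uses for "no maximum age"


def filetime_to_datetime(ticks):
    """Convert 100 ns ticks since 1601-01-01 UTC to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def password_expiry(pwd_last_set, user_account_control, max_pwd_age):
    """Return (state, expiry_datetime_or_None) for one account.

    max_pwd_age is the effective policy value as AD stores it: a negative
    count of 100 ns ticks (the domain's maxPwdAge, or msDS-MaximumPasswordAge
    from the PSO that applies to the user).
    """
    if user_account_control & DONT_EXPIRE_PASSWORD:
        return ("never_expires", None)
    if pwd_last_set == 0:
        # The state produced by writing 0: expired, change required at next logon.
        return ("must_change_at_next_logon", None)
    if max_pwd_age in (0, NO_MAX_AGE):
        # Assumption: 0 is treated like the "no maximum age" sentinel.
        return ("never_expires", None)
    max_age = timedelta(microseconds=-max_pwd_age // 10)
    return ("expires", filetime_to_datetime(pwd_last_set) + max_age)


if __name__ == "__main__":
    FORTY_TWO_DAYS = -42 * 86400 * 10_000_000  # constructed policy value (N = 42)
    SET_2024_01_01 = 133485408000000000        # constructed pwdLastSet (2024-01-01 UTC)
    samples = [  # constructed accounts: (name, pwdLastSet, userAccountControl)
        ("alice", SET_2024_01_01, 0x200),
        ("bob", 0, 0x200),
        ("svc-backup", SET_2024_01_01, 0x10200),
    ]
    for name, pls, uac in samples:
        print(name, *password_expiry(pls, uac, FORTY_TWO_DAYS))
```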
For more information, please refer to this Microsoft Forum discussion.