Extending the Password expiry of users

ADManager Plus uses the LDAP attributes of users and other objects to manage them and to generate reports. However, the password expiry of users is not a direct LDAP attribute in Active Directory. Instead, it is calculated based on the pwdLastSet attribute and the maximum password age specified in the password policy of the Group Policy Object (GPO) or Password Settings Object (PSO) applied to the user.

We cannot manually set a date in the pwdLastSet attribute as it is only updated by the system or AD. Here are some alternate ways to extend the password expiry of users:

  1. Setting the pwdLastSet value to 0

  • When the pwdLastSet value is set to 0 (indicating the password has expired) and the Password never expires option is disabled, you can enforce a password change at the next logon.

  • When the user changes the password at next logon, the password expiry period is extended by N days as the pwdLastSet attribute is updated to the current date and time.

  2. Setting the pwdLastSet value to -1

  • When the pwdLastSet value is set to -1 (indicating the value is not set) and the Password never expires option is disabled, the pwdLastSet attribute is updated to the current time at the user's next logon, thereby extending the password expiry period by N days.

  • If the pwdLastSet value does not update after setting it to -1, you can first set it to 0 and then update it to -1.

  3. Enabling and disabling Password never expires

  • First, enable the Password never expires option and set the pwdLastSet value to 0.

  • Then, disable the Password never expires option to update the pwdLastSet attribute to the current time. This effectively extends the password expiry by N days.

Note:

The N days mentioned above will still depend on the password policy settings applied to the user account.
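
The expiry calculation described above, as an added example that is not part of the original article or of ADManager Plus. It derives the expiry from raw pwdLastSet, maximum password age and userAccountControl values; the function names are hypothetical, the sample values are constructed, and it assumes the maximum password age is stored as a negative count of 100-nanosecond intervals.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000      # userAccountControl bit for "Password never expires"
NO_MAX_AGE = (0, -0x8000000000000000)  # maxPwdAge values treated here as "no maximum age"
TICKS_PER_DAY = 86400 * 10_000_000   # 100-ns intervals in one day


def to_filetime(dt):
    """Aware datetime -> 100-ns intervals since 1601-01-01 UTC (pwdLastSet format)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def from_filetime(ticks):
    """100-ns intervals since 1601-01-01 UTC -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def password_expiry(pwd_last_set, max_pwd_age, uac, now):
    """Return (state, expiry) from raw attribute values.

    max_pwd_age is the negative interval from the domain policy or PSO.
    """
    if uac & UF_DONT_EXPIRE_PASSWD:
        return "never_expires", None
    if pwd_last_set == 0:
        return "must_change_at_next_logon", None
    if max_pwd_age in NO_MAX_AGE:
        return "never_expires", None
    # Subtracting the negative max age adds N days to pwdLastSet.
    expiry = from_filetime(pwd_last_set - max_pwd_age)
    return ("expired" if expiry <= now else "valid"), expiry


if __name__ == "__main__":
    utc = timezone.utc
    policy_90d = -90 * TICKS_PER_DAY                          # constructed: N = 90 days
    last_set = to_filetime(datetime(2024, 1, 1, tzinfo=utc))  # constructed sample value
    now = datetime(2024, 4, 15, tzinfo=utc)
    print(password_expiry(last_set, policy_90d, 0x200, now))    # past the 90-day window
    print(password_expiry(0, policy_90d, 0x200, now))           # pwdLastSet = 0
    print(password_expiry(to_filetime(now), policy_90d, 0x200, now))  # pwdLastSet refreshed
    print(password_expiry(last_set, policy_90d, 0x10200, now))  # never-expires flag set
```

Because the expiry moves only when pwdLastSet is refreshed, a change to pwdLastSet that is not accompanied by a password change is worth reviewing when auditing accounts.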

For more information, please refer to this Microsoft Forum discussion.
