checking pwdLastSet in AD is not sufficient
When the AD authentication module is used, only pwdLastSet is checked: if pwdLastSet = 0, the password must be changed. The converse does not hold, though: a non-zero pwdLastSet does not mean the password is still valid.
To really check whether a password has expired, one must apply this simplified rule (the password is expired when):
- pwdLastSet == 0, or
- the password is older than the domain's maximum password age, i.e. today > pwdLastSet + maxPwdAge (note that AD stores maxPwdAge as a negative interval), and the account does not have the "password never expires" flag: (userAccountControl & 0x00010000) == 0
However, there is one constructed attribute that evaluates these rules for you, and more completely: msDS-User-Account-Control-Computed.
For full details, please see: https://msdn.microsoft.com/en-us/library/cc223393.aspx
Could we use this attribute to replace the current pwdLastSet check?
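As an added example (not code from the project or from this report), here is how the simplified rule above and the msDS-User-Account-Control-Computed check could be implemented in Python; it assumes the raw attribute values have already been read from the directory, and handles the AD sign convention for maxPwdAge (a negative 100 ns interval, with 0 or the 0x8000000000000000 sentinel meaning "never"). The flag values are the ones Microsoft documents (DONT_EXPIRE_PASSWORD = 0x10000, PASSWORD_EXPIRED = 0x800000).

```python
# Added example, not the project's own code: "password expired" evaluated from the
# raw AD attributes named in the report, and from the DC-computed attribute.
from datetime import datetime, timezone
from typing import Optional

UF_DONT_EXPIRE_PASSWD = 0x00010000   # userAccountControl: password never expires
UF_PASSWORD_EXPIRED = 0x00800000     # msDS-User-Account-Control-Computed flag
NEVER_EXPIRES = -0x8000000000000000  # maxPwdAge sentinel: no maximum age set
EPOCH_DELTA_100NS = 116444736000000000  # 1601-01-01 -> 1970-01-01 in 100 ns ticks


def filetime_now() -> int:
    """Current time as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    unix_seconds = datetime.now(timezone.utc).timestamp()
    return int(unix_seconds * 10_000_000) + EPOCH_DELTA_100NS


def password_expired(pwd_last_set: int, max_pwd_age: int,
                     user_account_control: int,
                     now: Optional[int] = None) -> bool:
    """Simplified rule from the report, with the AD value conventions handled.

    pwd_last_set: the user's pwdLastSet (FILETIME; 0 = must change at next logon).
    max_pwd_age:  the domain's maxPwdAge, a NEGATIVE 100 ns interval; 0 or the
                  NEVER_EXPIRES sentinel means passwords do not age out.
    now:          FILETIME to compare against (defaults to the current time).
    """
    if pwd_last_set == 0:
        return True                       # must change password at next logon
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return False                      # per-account "password never expires"
    if max_pwd_age in (0, NEVER_EXPIRES):
        return False                      # no domain-wide maximum password age
    now = filetime_now() if now is None else now
    # maxPwdAge is negative, so subtracting it adds the allowed lifetime.
    return now > pwd_last_set - max_pwd_age


def password_expired_computed(uac_computed: int) -> bool:
    """Same answer read from msDS-User-Account-Control-Computed, as evaluated by
    the domain controller (no client-side date arithmetic needed)."""
    return bool(uac_computed & UF_PASSWORD_EXPIRED)
```

The computed attribute is the safer choice: the DC applies the full policy (including fine-grained password settings) rather than the simplified rule reimplemented client-side.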