3.1.5.14.4 PasswordMustChange Generation
The PasswordMustChange value is computed as follows:
If the userAccountControl attribute value on the target user object contains any of the following bits: UF_DONT_EXPIRE_PASSWD, UF_SMARTCARD_REQUIRED, UF_INTERDOMAIN_TRUST_ACCOUNT, UF_WORKSTATION_TRUST_ACCOUNT, or UF_SERVER_TRUST_ACCOUNT, the PasswordMustChange value MUST be 0x7FFFFFFF FFFFFFFF.
Else, if the pwdLastSet attribute value on the user object is 0, the PasswordMustChange value MUST be 0.
Else, if the Effective-MaximumPasswordAge attribute value (see section 3.1.1.5) is 0, the PasswordMustChange value MUST be 0x7FFFFFFF FFFFFFFF.
Otherwise, the PasswordMustChange value MUST be the pwdLastSet attribute value on the user object plus the Effective-MaximumPasswordAge attribute value (see section 3.1.1.5).