Does the password truly expire?
One can enable password expiration (aka password maximum age) on a Windows domain.
I'm a little puzzled though about the meaning of that so-called expiration: It looks like the password does not truly expire. Simply, upon first login after "expiration", user must modify his password. In other words, if password expires on Nov 18, one can still log in on Nov 20 (but must then immediately modify his/her password).
The user account is not locked (or any other similar state) upon the date of expiration.
Is this correct? Or did I miss something?
Solution 1:
Yes that is true, the user is not actually locked out or disabled once the password expires, the user is simply forced to change their password once they log on after the expiration date.
If you need the user to actually be unable to log in after an expiration date, you can set the user account itself to expire after a certain date. But not in a dynamic way. If you wanted to, say, automatically disable the user account after they have not logged in for over 90 days, you would need to script that with (for instance) Powershell.