I am updating one of our password policies to no longer expire passwords. Currently it is set at 365 days. So, all of the users already assigned to this policy have a passwordExpirationTime 365 days beyond their pwdChangedTime.
I was trying to avoid clearing out all of the passwordExpirationTime attributes, but I keep running into additional changes I need to support not doing it. For example, in SSPR i have change the following so a user logging in isn't forced to change their password when it is not really expired:
Modules -> Authenticated -> Change Password -> Set "Check Expire During Authentication" to disabled
Modules -> Authenticated -> Change Password -> Set "Check Expire Warn Time" to disabled
I have some other workarounds in the drivers that process the passwordExpirationTime and expire the password in source is AD, but I'm starting to think I should just clear out the passwordExpiration time.
Any thoughts or gothcas? While i'm there, are there any other attributes I should clear out like passwordExpirationInterval?