Active Directory Password Expiration

When viewing a secret based on an Active Directory account template, the Secret View page displays two expiration-related fields:

  • Expiration (Secret Server): The expiration date enforced by Secret Server based on the template or secret-level expiration interval. This controls when Secret Server considers the secret expired and may trigger an automatic password change.
  • Active Directory Expiration: The actual password expiration date as reported by Active Directory for the account associated with the secret. Secret Server retrieves this value from AD using the msDS-UserPasswordExpiryTimeComputed attribute.

These two fields are independent. Active Directory Expiration gives you visibility into the expiration date enforced by AD's own policies, regardless of what is configured in Secret Server. This lets you verify whether your Secret Server rotation schedule aligns with what AD is actually enforcing.

How the Value Is Retrieved

The Active Directory Expiration value is populated by Discovery, not by heartbeat or RPC. Secret Server reads the msDS-UserPasswordExpiryTimeComputed attribute from AD during a Discovery scan (specifically a domain/account scan, not a computer scan). The value displayed on the secret reflects the state of AD at the time of the last completed Discovery scan.

Important: Value does not update in real time

Because the Active Directory Expiration date is only refreshed when a Discovery scan runs, the value on the secret may lag behind the current state of AD. For example:

  • Discovery runs and finds that the AD password expires in 3 days. The secret shows Active Directory Expiration = 3 days.
  • RPC then resets the password on the secret, resetting the AD expiration clock to 45 days.
  • The secret still shows Active Directory Expiration = 3 days until the next Discovery scan completes and updates the value.

To ensure the Active Directory Expiration field reflects the current state of AD, run a Discovery scan after any password change event.

Could Not Be Determined

If the Active Directory Expiration field displays Could not be determined, Secret Server was unable to retrieve the expiration date from AD. Common causes include:

  • A mismatch between the account in the secret and the account found by Discovery.
  • The AD account has not yet been scanned by Discovery.
  • The msDS-UserPasswordExpiryTimeComputed attribute is not accessible due to insufficient Discovery account permissions.
  • The AD password is set to never expire, in which case AD may not populate this attribute.
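The following PowerShell script is an added example and is not Secret Server product code. It reads the same msDS-UserPasswordExpiryTimeComputed attribute that Discovery uses (covering the retrieval and lag behaviour described above as well as the "Could not be determined" causes), decodes the two sentinel values the attribute can carry, and compares the live AD date with the two dates shown on the Secret View page, which you pass in by hand. It assumes the RSAT ActiveDirectory module is installed and that the running account can read the target user; the account name and dates in the usage lines are constructed placeholders.

```powershell
# Added example (not Secret Server code): read the AD-side password expiry the
# same way Discovery does and compare it with the dates on the Secret View page.
Import-Module ActiveDirectory

function Get-AdPasswordExpiry {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $Server    # optional domain or DC name; default domain when omitted
    )
    $result = [pscustomobject]@{
        Account   = $SamAccountName
        Status    = 'Could not be determined'
        Reason    = $null
        ExpiresAt = $null      # UTC DateTime, set only when Status is 'Expires'
    }
    $query = @{
        Identity    = $SamAccountName
        Properties  = 'msDS-UserPasswordExpiryTimeComputed', 'PasswordNeverExpires'
        ErrorAction = 'Stop'
    }
    if ($Server) { $query.Server = $Server }
    try { $user = Get-ADUser @query }
    catch {
        # Covers the "account not found" and "insufficient permissions" causes.
        $result.Reason = $_.Exception.Message
        return $result
    }
    $raw = $user.'msDS-UserPasswordExpiryTimeComputed'
    # The attribute is a constructed FILETIME (Int64). Two sentinels are not real
    # timestamps and would make [DateTime]::FromFileTimeUtc throw or mislead:
    #   [Int64]::MaxValue -> password never expires
    #   0                 -> no expiry computable (e.g. must change at next logon)
    if ($null -eq $raw) {
        $result.Reason = 'attribute not returned; check read permissions on the account'
    } elseif ($raw -eq [Int64]::MaxValue -or $user.PasswordNeverExpires) {
        $result.Status = 'Never expires'
    } elseif ($raw -le 0) {
        $result.Reason = 'attribute is 0; password must be changed or pwdLastSet is unset'
    } else {
        $result.Status    = 'Expires'
        $result.ExpiresAt = [DateTime]::FromFileTimeUtc($raw)
    }
    return $result
}

function Compare-SecretExpirations {
    param(
        [Parameter(Mandatory)] $AdResult,                          # output of Get-AdPasswordExpiry
        [Parameter(Mandatory)] [datetime] $SecretServerExpiration, # "Expiration (Secret Server)"
        [datetime] $DisplayedAdExpiration                          # "Active Directory Expiration" as shown
    )
    $findings = @()
    if ($AdResult.Status -ne 'Expires') {
        $findings += "AD reports '$($AdResult.Status)' for $($AdResult.Account): $($AdResult.Reason)"
        return $findings
    }
    $adUtc = $AdResult.ExpiresAt
    $ssUtc = $SecretServerExpiration.ToUniversalTime()
    # Alignment check: Secret Server should rotate before AD forces the change.
    if ($ssUtc -gt $adUtc) {
        $findings += "Secret Server expiration ($ssUtc) is later than AD expiration ($adUtc); AD will expire the password first"
    } else {
        $findings += "Secret Server rotates $([int]($adUtc - $ssUtc).TotalDays) day(s) before AD expiry"
    }
    # Staleness check: the displayed AD value only refreshes on a Discovery scan,
    # so a difference from live AD means a scan is due (e.g. after an RPC reset).
    if ($PSBoundParameters.ContainsKey('DisplayedAdExpiration')) {
        $drift = ($adUtc - $DisplayedAdExpiration.ToUniversalTime()).TotalHours
        if ([math]::Abs($drift) -gt 1) {
            $findings += "Displayed Active Directory Expiration differs from live AD by $([math]::Round($drift, 1)) hour(s); run a Discovery scan"
        }
    }
    return $findings
}

# Usage (account name and dates are constructed placeholders):
$ad = Get-AdPasswordExpiry -SamAccountName 'svc-backup'
Compare-SecretExpirations -AdResult $ad -SecretServerExpiration (Get-Date '2025-03-01') -DisplayedAdExpiration (Get-Date '2025-02-10')
```

Run it with the Discovery account itself to confirm that account can actually read the attribute; if Get-AdPasswordExpiry returns "Could not be determined" under that identity, the cause is on the permissions side rather than a stale scan.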