We've got a domain with a 60-day password expiration policy. An audit uncovered the following condition with a group of accounts, and I'm having a hard time coming up with an explanation. (Names have been changed to protect the innocent.)

| samaccountname | pwdlastset | lastlogontimestamp |
| --- | --- | --- |
| User1 | 2018/03/19-09:14:43 Eastern Daylight Time | 2018/08/04-02:33:51 Eastern Daylight Time |
| User2 | 2018/05/21-09:01:16 Eastern Daylight Time | 2018/08/04-02:22:59 Eastern Daylight Time |
| User3 | 2018/05/03-15:33:24 Eastern Daylight Time | 2018/08/04-02:46:49 Eastern Daylight Time |
| User4 | 2018/05/31-14:58:10 Eastern Daylight Time | 2018/08/04-02:44:31 Eastern Daylight Time |
| User5 | 2018/05/11-08:07:12 Eastern Daylight Time | 2018/08/04-02:48:29 Eastern Daylight Time |

Lastlogontimestamp can have a variance of up to 14 days, but even taking that into account, if these users did indeed attempt to log in at 2am on 8/4 (even + or - 14 days), they would have been forced to update their password, which would have then updated pwdlastset.
None of the accounts have the password set to never expire. The last modified date on all of these accounts is also within a few minutes of 2am on 8/14.
Any thoughts on how a condition like this can exist? It doesn't make sense to me the way I understand the rules.
Thanks!
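
As an added example (not part of the original post), the comparison the post reasons through can be run over the five exported rows: it computes each password's age at the recorded lastlogontimestamp and sets it against the 60-day policy plus the 14-day variance the post allows. The function and constant names are hypothetical, and both timestamps in a row are assumed to be in the same zone, so the zone name is dropped.

```python
from datetime import datetime, timedelta

MAX_PASSWORD_AGE = timedelta(days=60)  # expiration policy stated in the post
LOGON_TOLERANCE = timedelta(days=14)   # lastLogonTimestamp variance the post allows

# Data rows copied from the post's audit export (header row omitted).
AUDIT_ROWS = """\
User1 | 2018/03/19-09:14:43 Eastern Daylight Time | 2018/08/04-02:33:51 Eastern Daylight Time |
User2 | 2018/05/21-09:01:16 Eastern Daylight Time | 2018/08/04-02:22:59 Eastern Daylight Time |
User3 | 2018/05/03-15:33:24 Eastern Daylight Time | 2018/08/04-02:46:49 Eastern Daylight Time |
User4 | 2018/05/31-14:58:10 Eastern Daylight Time | 2018/08/04-02:44:31 Eastern Daylight Time |
User5 | 2018/05/11-08:07:12 Eastern Daylight Time | 2018/08/04-02:48:29 Eastern Daylight Time |
"""


def parse_stamp(field):
    """Parse 'YYYY/MM/DD-HH:MM:SS <zone name>'; the zone name is ignored."""
    return datetime.strptime(field.split()[0], "%Y/%m/%d-%H:%M:%S")


def classify(rows=AUDIT_ROWS):
    """Return {account: (password age in whole days at logon, verdict)}."""
    results = {}
    for line in rows.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 3 or not fields[0]:
            continue  # skip blank or malformed lines
        name = fields[0]
        age = parse_stamp(fields[2]) - parse_stamp(fields[1])
        if age <= MAX_PASSWORD_AGE:
            verdict = "within policy"
        elif age <= MAX_PASSWORD_AGE + LOGON_TOLERANCE:
            verdict = "expired, inside tolerance"
        else:
            verdict = "expired, beyond tolerance"
        results[name] = (age.days, verdict)
    return results


if __name__ == "__main__":
    for name, (days, verdict) in classify().items():
        print(f"{name}: password {days} days old at lastlogontimestamp -> {verdict}")
```
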