In researching changes to our password policy, I came across the documentation on the pwdLastSet attribute. An admin can only set it to 0 or -1 regardless of the tool you use to edit it (PowerShell, ADSI Edit, etc.). Out of curiosity, I looked at the attributes of the attribute itself and I didn't glean anything useful.
How exactly does the domain service know which attributes to enforce in this fashion and how does it know what the valid values are?
Justin Cervero - MS Enterprise Admin - Appalachian State University