nisd.passwd.expired.allow

This configuration parameter specifies whether a user with an expired Active Directory password should be allowed to log on to computers authenticated through NIS requests. The parameter value can be set to true or false.

By default, when a user’s Active Directory password expires, the password hash field in the passwd NIS map is replaced by two exclamation marks (!!). The user is then not allowed to log on to the local NIS client computer without first logging on to a Windows computer or an agent-managed computer running adclient to update the expired password. You can use this parameter to allow the user to log on locally using the expired password.

If you set the parameter value to true, users with an existing password hash in the passwd map generated from Active Directory do not have their password hash replaced by the exclamation marks, and they can continue to log on using the expired password until they update their password in Active Directory. Once they update their password in Active Directory, the NIS map is updated with a new password hash and users can log on with the new password. If a user never updates the Active Directory password by logging on to a Windows or agent-managed computer, however, the user’s expired password may be used indefinitely.

The default value for this parameter is false. For example:

nisd.passwd.expired.allow: false
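
The following audit sketch is an added example, not part of the original documentation or the product. It reads configuration text and passwd map lines, reports the effective setting, and lists accounts whose hash field is !!. The function names, the "last uncommented setting wins" rule, and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. All sample data below is constructed.

# Print the effective nisd.passwd.expired.allow value from config text on stdin.
# Assumption: the last uncommented setting wins; if absent, the default is false.
expired_allow_setting() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*nisd\.passwd\.expired\.allow[ \t]*:/ {
            sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t\r]+$/, "")
            val = tolower($0)
        }
        END { print (val == "" ? "false" : val) }
    '
}

# Print accounts whose passwd-map hash field (second colon field) is "!!",
# the marker that replaces the hash when the Active Directory password expires.
expired_accounts() {
    awk -F: '$2 == "!!" { print $1 }'
}

# $1 = configuration text, $2 = passwd map text. Prints a one-line finding.
audit() {
    setting=$(printf '%s\n' "$1" | expired_allow_setting)
    blocked=$(printf '%s\n' "$2" | expired_accounts | paste -sd' ' -)
    if [ "$setting" = "true" ]; then
        # With true, existing hashes are kept on expiry, so the map no
        # longer shows which passwords have expired.
        echo "REVIEW allow=true; expired hashes stay valid; marked !!: ${blocked:-none}"
    else
        echo "OK allow=$setting; blocked by expiry: ${blocked:-none}"
    fi
}

# Constructed sample configuration and passwd map (hash value is a placeholder).
SAMPLE_CONF='# constructed sample configuration
nisd.passwd.expired.allow: true'
SAMPLE_MAP='alice:$6$constructedsalt$constructedhash:1001:100:Alice:/home/alice:/bin/bash
bob:!!:1002:100:Bob:/home/bob:/bin/bash'

audit "$SAMPLE_CONF" "$SAMPLE_MAP"
```

On a NIS client, the map text can come from ypcat passwd and the configuration text from the agent's configuration file.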