Active Directory calculates password expiration by reading the date when a user's password was last changed (the pwdLastSet attribute) and then reading the password policy that applies to the account (for the domain or AD container, depending on your AD functional level) to determine the maximum password age. These two values are added to give the password expiration value. The calculation starts from the date and time of the last password reset:

password change date + password policy maximum password age = password expiration date

First, become acquainted with the ms-DS-Logon-Time-Sync-Interval attribute. It is an attribute of the domain NC and controls the granularity (in days) with which the lastLogontimeStamp attribute is updated. The default value is 14 and is set in code, so if you look at this attribute in ADSIEDIT.MSC and see it as "Not Set", don't be alarmed. This just means the system is using the default value of 14.

The lastLogontimeStamp attribute is not updated every time a user or computer logs on to the domain. The decision to update the value is based on the current date minus the value of the (ms-DS-Logon-Time-Sync-Interval attribute minus a random percentage of 5). If the result is equal to or greater than lastLogontimeStamp, the attribute is updated.

There are no special considerations for replication of lastLogontimeStamp. If the attribute is updated, it is replicated like any other attribute update. This is not urgent replication.

http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx
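
The two calculations described above, worked through on raw attribute values as an added example (not code from the original page or from Microsoft). It assumes pwdLastSet and lastLogontimeStamp are FILETIME tick counts and maxPwdAge is a negative tick interval, as returned over LDAP; it reads "a random percentage of 5" as a random fraction of 5 days. The function names and the `surely_inactive` helper are hypothetical.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME zero point
DONT_EXPIRE_PASSWORD = 0x10000      # userAccountControl bit
NEVER_EXPIRES = (0, -(2 ** 63))     # maxPwdAge values meaning "no maximum age"

def filetime_to_dt(ticks):
    """100-nanosecond ticks since 1601-01-01 UTC -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def password_expiry(pwd_last_set, max_pwd_age, uac=0x200):
    """pwdLastSet + maximum password age, with the usual special cases.

    Returns None when the password never expires. pwdLastSet == 0 means
    "must change at next logon", reported here as already expired.
    """
    if uac & DONT_EXPIRE_PASSWORD or max_pwd_age in NEVER_EXPIRES:
        return None
    if pwd_last_set == 0:
        return EPOCH_1601
    # maxPwdAge is stored as a negative interval, so subtracting adds the age.
    return filetime_to_dt(pwd_last_set - max_pwd_age)

def llt_would_update(now, last_logon_ts, interval_days=14, rand_fraction=0.0):
    """The page's rule: update when now - (interval - random part of 5 days)
    is equal to or later than the stored lastLogontimeStamp."""
    window = timedelta(days=interval_days - 5 * rand_fraction)
    return now - window >= last_logon_ts

def surely_inactive(now, last_logon_ts, idle_days, interval_days=14):
    """True only if the account is idle for idle_days even after allowing
    for the attribute lagging the real logon by up to interval_days."""
    return last_logon_ts < now - timedelta(days=idle_days + interval_days)

if __name__ == "__main__":
    # Constructed sample values: password set 2024-01-01, 42-day maximum age.
    changed = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ticks = ((changed - EPOCH_1601) // timedelta(seconds=1)) * 10 ** 7
    max_age = -42 * 86400 * 10 ** 7
    print("expires:", password_expiry(ticks, max_age))
    print("never:  ", password_expiry(ticks, max_age, uac=0x200 | 0x10000))
    now = changed + timedelta(days=10)
    print("update at day 10, no random part:", llt_would_update(now, changed))
    print("update at day 10, full random part:",
          llt_would_update(now, changed, rand_fraction=1.0))
```

Because the stored timestamp can lag the real logon by up to the sync interval, a stale-account report should add that interval to its inactivity threshold, which is what `surely_inactive` does.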