Using Active Directory domain password policies with macOS
At bind time (and at periodic intervals thereafter), macOS queries the Active Directory domain for the password policies. These policies are enforced for all network and mobile accounts on a Mac.
During a login attempt while the network accounts are available, macOS queries Active Directory to determine how long remains before a password change is required. By default, if a password change is required within 14 days, the login window asks the user to change it. If the user changes the password, the change is made in Active Directory as well as in the mobile account (if one is configured), and the login keychain password is updated. If the user dismisses the request, the login window keeps asking at each login until the day before expiration; at that point the user must change the password within 24 hours for login to proceed. A macOS administrator can change the default expiration notification period for the login window from the command line by typing
defaults write /Library/Preferences/com.apple.loginwindow PasswordExpirationDays -int <number of days>.
Note: macOS doesn’t support fine-grained password policies using Active Directory’s Password Settings Object (PSO). Only the default domain policy is used when calculating password expiration.
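As an added illustration (not Apple's code), the following shell functions reproduce the expiration arithmetic described above: they derive the days remaining from a user's pwdLastSet value and the default domain policy's maxPwdAge, then compare that against the PasswordExpirationDays threshold to decide whether the login window would prompt. The sample values are constructed; in practice pwdLastSet comes from the user object and maxPwdAge from the default domain policy.

```shell
#!/bin/sh
# Added example: decide whether the macOS login window would prompt for a
# password change, given AD's password-age data and the loginwindow threshold.

# Seconds between the Windows FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01)
FILETIME_EPOCH_OFFSET=11644473600

# days_until_expiry PWD_LAST_SET MAX_PWD_AGE NOW_EPOCH
#   PWD_LAST_SET: FILETIME value (100 ns ticks since 1601) from the user object
#   MAX_PWD_AGE:  negative 100 ns interval from the default domain policy
#   NOW_EPOCH:    current time as Unix seconds
# Prints whole days remaining (truncated toward zero), or "never" when maxPwdAge is 0.
days_until_expiry() {
  pwd_last_set=$1; max_pwd_age=$2; now=$3
  if [ "$max_pwd_age" -eq 0 ]; then echo never; return 0; fi
  # Convert the last-set FILETIME to Unix seconds, then add the (positive) max age
  last_set_epoch=$(( pwd_last_set / 10000000 - FILETIME_EPOCH_OFFSET ))
  expires_epoch=$(( last_set_epoch + (0 - max_pwd_age) / 10000000 ))
  echo $(( (expires_epoch - now) / 86400 ))
}

# loginwindow_would_prompt DAYS_REMAINING THRESHOLD
# Succeeds when the remaining days fall within the notification window.
loginwindow_would_prompt() {
  [ "$1" != never ] && [ "$1" -le "$2" ]
}

# configured_threshold
# Reads PasswordExpirationDays from the loginwindow preferences on a Mac;
# falls back to the documented default of 14 when the key (or the tool) is absent.
configured_threshold() {
  defaults read /Library/Preferences/com.apple.loginwindow PasswordExpirationDays 2>/dev/null || echo 14
}

# Constructed sample: password set 2024-01-01 00:00 UTC, 42-day maximum age,
# evaluated on 2024-02-02 00:00 UTC -> 10 days left, inside the 14-day window.
remaining=$(days_until_expiry 133485408000000000 -36288000000000 1706832000)
if loginwindow_would_prompt "$remaining" "$(configured_threshold)"; then
  echo "login window would prompt ($remaining days remaining)"
else
  echo "no prompt yet ($remaining days remaining)"
fi
```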