Domain password policies in Active Directory
At bind time (and at periodic intervals thereafter), macOS queries the Active Directory domain for the password policies. These policies are enforced for all network and mobile accounts on a Mac.
During a login attempt while the network accounts are available, macOS queries Active Directory to determine the length of time before a password change is required. By default, a password change is required within 14 days, and the user is asked to log in and create a new password. If the user changes the password, the change occurs in Active Directory as well as in the mobile account (if one is configured), and the login keychain password is updated. If the user dismisses the password request, the request appears until the day before expiration. A password change is required within 24 hours for login to proceed.
A macOS administrator can change the default expiration notification for the login window from the command line by typing the following:
defaults write /Library/Preferences/com.apple.loginwindow PasswordExpirationDays -int <number of days>
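The command above can be wrapped so that a management script only writes the value when it differs and confirms the write took effect. This is an added example, not Apple's code; the function names and the DEFAULTS_CMD override (used to exercise the logic with a stub off-Mac) are assumptions of the example.

```shell
#!/bin/sh
# Added example: idempotently set the login window's password-expiration
# notification window. DEFAULTS_CMD is an assumption of this example; on
# macOS it resolves to the real `defaults` tool.
DEFAULTS_CMD=${DEFAULTS_CMD:-defaults}
PREF_DOMAIN=/Library/Preferences/com.apple.loginwindow
PREF_KEY=PasswordExpirationDays

# Print the configured value, or "unset" when the key is absent
# (macOS then uses its default, 14 days per the text above).
current_expiry_notice() {
    "$DEFAULTS_CMD" read "$PREF_DOMAIN" "$PREF_KEY" 2>/dev/null || echo unset
}

# Set the notification window to $1 days.
# Returns 0 on success or no-op, 2 on invalid input, 1 if the write failed.
set_expiry_notice() {
    days=$1
    case $days in
        # Reject empty, non-numeric, and zero-padded input (e.g. "007"),
        # which would not compare equal to the value read back.
        ''|*[!0-9]*|0?*)
            echo "error: days must be a whole number without leading zeros" >&2
            return 2 ;;
    esac
    if [ "$(current_expiry_notice)" = "$days" ]; then
        echo "unchanged: $PREF_KEY already $days"
        return 0
    fi
    "$DEFAULTS_CMD" write "$PREF_DOMAIN" "$PREF_KEY" -int "$days" || return 1
    # Read back so a write that did not land (for example, when not run
    # as root) is reported instead of silently ignored.
    [ "$(current_expiry_notice)" = "$days" ] || return 1
    echo "set: $PREF_KEY = $days"
}

# Run only when invoked with an argument, e.g.: sudo sh set-expiry.sh 7
if [ $# -gt 0 ]; then set_expiry_notice "$1"; fi
```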