One can enable password expiration (aka password maximum age) on a Windows domain.
I'm a little puzzled though about the meaning of that so-called expiration: It looks like the password does not truly expire. Simply, upon first login after "expiration", user must modify his password. In other words, if password expires on Nov 18, one can still log in on Nov 20 (but must then immediately modify his/her password).
The user account is not locked (or any other similar state) upon the date of expiration.
Is this correct? Or did I miss something?