passwordMaxAge can be expressed in days. I set it to 60 (days) before and it did work as expected. The only thing that blocks me is when the password needs to change. My hope is that upon the user being prompted to change the password and doing so, the passwordexpirationtime would be changed accordingly to the current time + passwordMaxAge, but that didn't happen automatically. I have found that I must set passwordmustchange to off and set passwordexpirationtime to 19700101000000Z (time 0). Once that step is done, the next time the user logs in, the passwordexpirationtime would be set to the new and correct time.
That would mean every user changing their password would need administrative intervention. That does not seem right. What would be a better way to handle passwordexpirationtime?