I have an app where all the users rdp to a server which can only run this app. They connect generically, and the app takes their user name and password from the login form and validates that the user name and password are accurate, and then verifies they are in the AD group that has rights to the app.

The LDAP object has many properties and methods, but there is one thing I cannot find anywhere, which is how to tell proactively that a user has "must change password on next login" set. This occurs most often with newly added users to the AD.

I can tell password expirations, login dates, I can evet _set_ the must change flag, but I need to read it initially or else my login form uses their one login without letting them change the password!

No error is returned when logging in programatically when the must change flag is set, I have compared LDAP objects from a user with and without the flag set and I do not see any difference. There is an MS article saying you can get password expiration status, but that is different than the must change flag.

Anyone know how to do this?