diff --git a/source3/rpc_server/samr/srv_samr_util.c b/source3/rpc_server/samr/srv_samr_util.c index fa35ce6a5de..ebf8b3127bc 100644 --- a/source3/rpc_server/samr/srv_samr_util.c +++ b/source3/rpc_server/samr/srv_samr_util.c @@ -639,24 +639,28 @@ void copy_id21_to_sam_passwd(const char *log_prefix, for example, to clear an autolocked acct. We must check to see if it's expired first. jmcd */ - uint32_t pwd_max_age = 0; time_t now = time(NULL); - - pdb_get_account_policy(PDB_POLICY_MAX_PASSWORD_AGE, &pwd_max_age); - - if (pwd_max_age == (uint32_t)-1 || pwd_max_age == 0) { - pwd_max_age = get_time_t_max(); - } - - stored_time = pdb_get_pass_last_set_time(to); + bool expired = true; /* we will only *set* a pwdlastset date when a) the last pwdlastset time was 0 (user was forced to change password). b) the users password has not expired. gd. */ - if ((stored_time == 0) || - ((now - stored_time) > pwd_max_age)) { + stored_time = pdb_get_pass_last_set_time(to); + if (stored_time != 0) { + uint32_t pwd_max_age = 0; + + pdb_get_account_policy(PDB_POLICY_MAX_PASSWORD_AGE, + &pwd_max_age); + if ((pwd_max_age == (uint32_t)-1) || + (pwd_max_age == 0) || + (now <= (stored_time + pwd_max_age))) { + expired = false; + } + } + + if (expired) { pdb_set_pass_last_set_time(to, now, PDB_CHANGED); } }
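Review bot: The new expiry test `now <= (stored_time + pwd_max_age)` adds a `uint32_t` to a `time_t`, so on a build where `time_t` is 32 bits the sum is computed as unsigned 32-bit and can wrap for a large policy value, which would mark an unexpired password as expired and reset its pwdlastset to `now`. Doing the comparison in a wider signed type avoids that on any platform, e.g. `((int64_t)now <= ((int64_t)stored_time + pwd_max_age))`. The result of `pdb_get_account_policy()` is also still discarded, so a failed lookup leaves `pwd_max_age` at 0 and cannot be told apart from a "never expires" policy; a debug message on failure would make that visible. The retained comment says the date is set when the password "has not expired", which reads as the opposite of `if (expired)` and is worth rewording to "has expired". copy_id21_to_sam_passwd begins and ends outside this hunk.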