When running a Policy Server with Advanced Password Services, the APS Max Inactivity is calculated on "Previous Login" instead of "Last Login".

Is it possible to suspend users after 366 days of inactivity from the last login, not the penultimate one?

At first glance, according to documentation, the Max Inactivity can be set up to 365 (1). And out of the box, it's measured between 2 logins, which means that a login attempt will trigger it. And the Max Inactivity is based on the penultimate one.

As per documentation, APSExpire is optional and it should be programmed to run at a specific frequency (1).

From the documentation, APSExpire looks at smapsNextAction which is older than the current date and time (2).

When the smapsNextAction becomes before the current time, then APSExpire should determine if the account should be locked or not according to the smapsLastLogin (proactive) (2).

(1)

  Max Inactivity
  

(2)

  APSExpire Utility