We basically want to take advantage of 2 attributes, Login Time (which contains the last login time for the user) and Login Expiration Time, which prevent a user from login in once reached.
We want to monitor Login Time, and everytime it changes, update Login Expiration Time by setting it to Login Time + 1 year (or 31 536 000 seconds).
Figure 1: We need to open up the filter for the Null/Loopback driver for Login Time.
Figure 2: Simple rule to update Login Expiration time, using a GCV and XPATH.
Figure 3: GCV set to 1 year(in seconds).
Figure 4: Details for GCV.
Beware that you may want to restrict the scope to non-admin users. You will find the rule attached below for Subscriber Command Transform for the Null or Loopback Driver.
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.