Along with what Justin mentioned above, I believe if the requirement is to keep user account(s) suspended for more than a year (in this case e.g. 15 years as noted above), other option would be to 'lock' the account with setting the rule of 'set
password-allow-locking = true;' along with manually setting 'dxPwdLocked' operational attribute to 'true'.
see "Administrative lock (Active -> Locked)" section in KB article TEC404484 for a quick reference. For more on this, you can also visit the online docops documentation.