Perhaps your issue is described here:> There are two possible ways to modify the unicodePwd attribute. The > first is similar to a normal user change password operation. In this > case, the modify request must contain both a delete and an add > operation. The delete operation must contain the current password > with quotes around it. The add operation must contain the desired new > password with quotes around it. > > The second way to modify this attribute is analogous to an > administrator resetting a password for a user. In order to do this, > the client must bind as a user with sufficient permissions to modify > another user's password. This modify request should contain a single > replace operation with the new desired password surrounded by quotes. > If the client has sufficient permissions, this password becomes the > new password, regardless of what the old password was.Read more here: https://docs.microsoft.com/en-us/troubleshoot/windows/win32/change-windows-active-directory-user-password MJ
Philippe LeCavalier
2021-Nov-01 14:30 UTC
[Samba] Password policy for user-managed passwords
On Mon, Nov 1, 2021 at 10:10 AM mj via samba <samba at lists.samba.org> wrote:> Perhaps your issue is described here: > > > There are two possible ways to modify the unicodePwd attribute. The > > first is similar to a normal user change password operation. In this > > case, the modify request must contain both a delete and an add > > operation. The delete operation must contain the current password > > with quotes around it. The add operation must contain the desired new > > password with quotes around it. > > > > The second way to modify this attribute is analogous to an > > administrator resetting a password for a user. In order to do this, > > the client must bind as a user with sufficient permissions to modify > > another user's password. This modify request should contain a single > > replace operation with the new desired password surrounded by quotes. > > If the client has sufficient permissions, this password becomes the > > new password, regardless of what the old password was. > > Read more here: > > https://docs.microsoft.com/en-us/troubleshoot/windows/win32/change-windows-active-directory-user-password > > MJ >If that were to be the case a newly created account would experience the same issue but it doesn't. New users can CTRL+ALT+DEL and change their passwords. I wonder if it might have to do with the particular user having the setexpiry to 0? I'll try setting it to 90 and see if she can change it.