samba - Mar 2024 - Remove account noexpiry and use PSO again

Hi Team,


I am using fine-grained Password Settings Objects (PSOs), set with 
'samba-tool domain passwordsettings pso' to determine a.o. password 
expiry (max. pw. age), they are set on a group.

A while ago I have set one user to never expire: 'samba-tool user 
setexpiry myuser --noexpiry'.

How do I remove 'noexpiry' from the user account and let the user follow
the PSO on the group again?


- Kees.

On Thu, 21 Mar 2024 19:50:17 +0100
Kees van Vloten via samba <samba at lists.samba.org> wrote:
> Hi Team,
> 
> 
> I am using fine-grained Password Settings Objects (PSOs), set with 
> 'samba-tool domain passwordsettings pso' to determine a.o. password
> expiry (max. pw. age), they are set on a group.
> 
> A while ago I have set one user to never expire: 'samba-tool user 
> setexpiry myuser --noexpiry'.
> 
> How do I remove 'noexpiry' from the user account and let the user
> follow the PSO on the group again?
> 
> 
> - Kees.
> 
> 
> 
When you set 'noexpiry' on an AD user, you are setting the
'DONT_EXPIRE_PASSWORD' flag on the users userAccountControl attribute.

To turn this off, obtain the value stored in the users AD object
userAccountControl attribute, subtract 65536 from that value and then
replace the existing userAccountControl value with the result.

Rowland