[Samba] Remove account noexpiry and use PSO again

Rowland Penny rpenny at samba.org
Fri Mar 22 09:32:27 UTC 2024


On Thu, 21 Mar 2024 19:50:17 +0100
Kees van Vloten via samba <samba at lists.samba.org> wrote:

> Hi Team,
> 
> 
> I am using fine-grained Password Settings Objects (PSOs), set with 
> 'samba-tool domain passwordsettings pso' to determine a.o. password 
> expiry (max. pw. age), they are set on a group.
> 
> A while ago I have set one user to never expire: 'samba-tool user 
> setexpiry myuser --noexpiry'.
> 
> How do I remove 'noexpiry' from the user account and let the user
> follow the PSO on the group again?
> 
> 
> - Kees.
> 
> 
> 

When you set 'noexpiry' on an AD user, you are setting the
'DONT_EXPIRE_PASSWORD' flag on the user's userAccountControl attribute.

To turn this off, obtain the value stored in the user's AD object
userAccountControl attribute, subtract 65536 from that value and then
replace the existing userAccountControl value with the result.

Rowland
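
The procedure described in the reply above, as an added example that is not part of the original thread: a shell function that turns one LDIF record (as printed by ldbsearch) into a change record for ldbmodify. It tests the 65536 bit before clearing it, so running it on an account without the flag cannot disturb the other userAccountControl bits. The function name, the sam.ldb path and the sample DN are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread.
DONT_EXPIRE_PASSWORD=65536   # 0x10000, the value named in the reply

# Reads one LDIF record on stdin, prints an LDIF change record on stdout.
# Returns 1 on unusable input (no DN, a base64 "dn::" line, a non-numeric
# value, more than one record) and 2 if the flag is already clear.
clear_noexpiry_ldif() {
    dn='' uac='' last=''
    while IFS= read -r line; do
        case $line in
            "dn: "*)
                [ -z "$dn" ] || return 1          # second record: refuse
                dn=${line#dn: }; last=dn ;;
            "userAccountControl: "*)
                uac=${line#userAccountControl: }; last=uac ;;
            " "*)                                  # LDIF folded continuation
                if [ "$last" = dn ]; then dn=$dn${line# }; fi ;;
            *)  last='' ;;
        esac
    done
    [ -n "$dn" ] && [ -n "$uac" ] || return 1
    case $uac in *[!0-9]*) return 1 ;; esac
    # Plain subtraction is only correct when the bit is set, so check first.
    [ $(( uac & DONT_EXPIRE_PASSWORD )) -ne 0 ] || return 2
    new=$(( uac & ~DONT_EXPIRE_PASSWORD ))
    printf 'dn: %s\nchangetype: modify\nreplace: userAccountControl\n' "$dn"
    printf 'userAccountControl: %s\n' "$new"
}

# Usage on a DC (SAM is an assumed path; it differs between installs):
#   SAM=/path/to/private/sam.ldb
#   ldbsearch -H "$SAM" '(sAMAccountName=myuser)' userAccountControl \
#       | clear_noexpiry_ldif > change.ldif
#   cat change.ldif                # review before applying
#   ldbmodify -H "$SAM" change.ldif
```

With the constructed input `userAccountControl: 66048` (a normal account with the flag set) the change record carries 512; with 512 as input the function prints nothing and returns 2.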



