[Samba] Remove account noexpiry and use PSO again
Kees van Vloten
keesvanvloten at gmail.com
Sun Mar 24 17:13:35 UTC 2024
On 22-03-2024 10:32, Rowland Penny via samba wrote:
> On Thu, 21 Mar 2024 19:50:17 +0100
> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
>> Hi Team,
>>
>>
>> I am using fine-grained Password Settings Objects (PSOs), set with
>> 'samba-tool domain passwordsettings pso' to determine a.o. password
>> expiry (max. pw. age), they are set on a group.
>>
>> A while ago I have set one user to never expire: 'samba-tool user
>> setexpiry myuser --noexpiry'.
>>
>> How do I remove 'noexpiry' from the user account and let the user
>> follow the PSO on the group again?
>>
>>
>> - Kees.
>>
>>
>>
> When you set 'noexpiry' on an AD user, you are setting the
> 'DONT_EXPIRE_PASSWORD' flag on the users userAccountControl attribute.
>
> To turn this off, obtain the value stored in the users AD object
> userAccountControl attribute, subtract 65536 from that value and then
> replace the existing userAccountControl value with the result.
>
> Rowland
>
Thanks, that did the trick :-)
- Kees.
More information about the samba
mailing list