Some of those flags mark things like: the account is disabled, the account is locked out, and the password is expired. So, setting userAccountControl to the normal account value unsets those bits, but also unsets unrelated bits. Maybe change_password should just unset those three flags?
I was thinking about writing a method to set all these various flags, and perhaps adding an optional hash of flags to the change_password method.
Do you know why userAccountControl is being set to NORMAL_ACCOUNT in change_password? Can't we just leave it at whatever value it already is?
In our ActiveDirectory, the UAC_NORMAL_USER value is insufficient. We also need a higher bit set to flag that the password doesn't expire.
This page has all the possible values for userAccountControl: http://msdn.microsoft.com/en-us/library/windows/desktop/ms680832(v=vs.85).aspx
Some of those flags mark things like: the account is disabled, the account is locked out, and the password is expired. So, setting userAccountControl to the normal account value unsets those bits, but also unsets unrelated bits. Maybe change_password should just unset those three flags?
I was thinking about writing a method to set all these various flags, and perhaps adding an optional hash of flags to the change_password method.
Your guidance on this would be appreciated.
Thanks,
Michael Gee