+ /* As per MS-SAMR 3.1.1.8.10 these flags have not to be set */
+ if ((user_account_control & UF_LOCKOUT) != 0) {
+ /* "lockoutTime" reset as per MS-SAMR 3.1.1.8.10 */
+ uint64_t lockout_time = ldb_msg_find_attr_as_uint64(res->msgs[0],
+ "lockoutTime",
+ 0);
+ if (lockout_time != 0) {
+ ldb_msg_remove_attr(ac->msg, "lockoutTime");
+ ret = samdb_msg_add_uint64(ldb, ac->msg, ac->msg,
+ "lockoutTime", (NTTIME)0);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ el = ldb_msg_find_element(ac->msg, "lockoutTime");
+ el->flags = LDB_FLAG_MOD_REPLACE;
+ }
+
+ user_account_control &= ~UF_LOCKOUT;
+ uac_generated = true;
+ }
+ if ((user_account_control & UF_PASSWORD_EXPIRED) != 0) {
+ /* "pwdLastSet" reset as password expiration has been forced */
+ ldb_msg_remove_attr(ac->msg, "pwdLastSet");
+ ret = samdb_msg_add_uint64(ldb, ac->msg, ac->msg, "pwdLastSet",
+ (NTTIME)0);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ el = ldb_msg_find_element(ac->msg, "pwdLastSet");
+ el->flags = LDB_FLAG_MOD_REPLACE;
+
+ user_account_control &= ~UF_PASSWORD_EXPIRED;
+ uac_generated = true;
+ }
+
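Review bot: In both branches the result of `ldb_msg_find_element()` is dereferenced without a check (`el->flags = LDB_FLAG_MOD_REPLACE;` for "lockoutTime" and again for "pwdLastSet"). The element is presumably present because `samdb_msg_add_uint64()` has just succeeded, but a guard such as `if (el == NULL) { return ldb_operr(ldb); }` before each assignment would keep a later refactor from turning this into a NULL dereference in the account-modify path. The opening comment would also read better as `/* As per MS-SAMR 3.1.1.8.10 these flags must not be stored: UF_LOCKOUT resets "lockoutTime", UF_PASSWORD_EXPIRED resets "pwdLastSet", and both bits are cleared */`, since writing these bits unlocks the account or forces a password change rather than being persisted. Also worth a comment is that `ldb_msg_remove_attr()` drops any "lockoutTime" or "pwdLastSet" value already present in `ac->msg`, and that "lockoutTime" is only rewritten when the stored value is non-zero while "pwdLastSet" is rewritten unconditionally. The enclosing function starts and ends outside the visible lines, so the origin of `res`, `el` and `uac_generated` cannot be checked from here.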