Hi,

[koushiksuripeddi]

I am unable to enable the user must change password at next logon option. Tried with below but no luck. Is there any other option available to enable this?

conn.modify(dn, {'pwdLastSet': [(MODIFY_REPLACE, ['0'])]})

conn.modify(dn, {'pwdLastSet': [(MODIFY_REPLACE, ['-1'])]})

[Zamanry]

Are you trying to update this in Active Directory? If so, you need to modify the User-Account-Control attribute as a whole instead.

[koushiksuripeddi]

I am trying to change the password along with the option as user must change password at next logon enabled. Can you help me here please

[Zamanry]

I would encourage you to read up on the Windows userAccountControl (i.e., User-Account-Control) attribute, not to be confused with User Account Control (UAC) security mechanism (e.g., UAC bypass). You will need to modify the User-Account-Control attribute itself to accomplish your task of forcing change on next logon. Here are couple resources:

• Explanation: https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/useraccountcontrol-manipulate-account-properties
• Visualizer: https://www.techjutsu.ca/uac-decoder

My company has as a tool that decodes User-Account-Control. but does not actually encode the attribute itself. The code isn't great, but it may help you start to picture the end goal. See the reference here:

• https://github.com/CroweCybersecurity/ad-ldap-enum/blob/60bc5bb111e2708d4bc2157f9ae3d5e0d06ece75/ad-ldap-enum.py#L79

The ldap3 library is only meant to help with LDAP communication and the request/response data structuring. It's on us as the users to take the LDAP data and manipulate it as we need. Therefore, this library will not be able to easily accomplish your task with a function, etc. Best of luck!