
How to force user to change password at next logon with ldap3 python module?

I'm using ldap3 to create a user account in Active Directory (Win 2012R2) with a Python script. The only attribute I can't set is "User must change password at next logon". Could you suggest a way to get this checkbox marked right after user creation? I tried to change the UserAccountControl and pwdLastSet attributes but no luck :(

-1 is the only valid parameter

from ldap3 import MODIFY_REPLACE  # constant used in the changes dict below

password_expire = {"pwdLastSet": (MODIFY_REPLACE, [-1])}  # -1 means "password was set just now"
connect.modify(dn=user_dn, changes=password_expire)  # connect: a bound ldap3.Connection

PASSWORD_EXPIRED = 0x800000 (8388608)

from ldap3 import MODIFY_REPLACE

password_expire = {"UserAccountControl": (MODIFY_REPLACE, [8388608])}  # 0x800000, PASSWORD_EXPIRED
connect.modify(dn=user_dn, changes=password_expire)  # connect: a bound ldap3.Connection

NOTE: The solution given below would probably only work after the upcoming version release (v2.5) of the LDAP3 library. Currently, I'm not aware of any workarounds which would provide the desired solution to the OP.

Check the changelog here which lists:

For the release v2.5, pwdLastSet in AD is valid for 0 and -1.

It has not been released for now, and is just commented (thanks to Anton Belov for notifying).


If the value of pwdLastSet is set to 0, and the UAC attribute doesn't contain the flag UF_DONT_EXPIRE_PASSWD, users would be asked to change their password at next logon. Check the Pwd-Last-Set attribute here on MSDN for more information.

Modifying your code as suggested above will show you the tick mark in the checkbox of the user's account for changing the password.

Use only your first code, and set the value to 0 as commented below.

from ldap3 import MODIFY_REPLACE

password_expire = {"pwdLastSet": (MODIFY_REPLACE, [0])}  # 0 instead of -1 (accepted by ldap3 >= 2.5)
connect.modify(dn=user_dn, changes=password_expire)
# you don't need to play with UserAccountControl further...
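As an added example (not code from the question or the answer above), here is how the pwdLastSet = 0 rule and the UF_DONT_EXPIRE_PASSWD caveat fit together in ldap3, plus a read-back check to confirm the account really will be prompted. It assumes ldap3 2.5 or later; the connection and user DN are the caller's, and the UAC values in the comments are constructed samples.

```python
# Added example: force "User must change password at next logon" with ldap3
# and verify the result. Assumes ldap3 >= 2.5 (accepts pwdLastSet = 0).
try:
    from ldap3 import MODIFY_REPLACE, BASE
except ImportError:  # ldap3 not installed: these are the literals ldap3 uses
    MODIFY_REPLACE, BASE = "MODIFY_REPLACE", "BASE"

UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit that defeats the prompt
# Note: 0x800000 (PASSWORD_EXPIRED) is a computed flag reported in
# msDS-User-Account-Control-Computed; writing it to userAccountControl does nothing.


def force_change_modifications(current_uac):
    """Build the ldap3 `changes` dict that forces a password change at next logon.

    pwdLastSet is set to 0. If the account carries UF_DONT_EXPIRE_PASSWD the bit is
    cleared in the same modify, because with it set AD never prompts the user.
    """
    changes = {"pwdLastSet": [(MODIFY_REPLACE, [0])]}
    if current_uac & UF_DONT_EXPIRE_PASSWD:
        cleared = current_uac & ~UF_DONT_EXPIRE_PASSWD
        changes["userAccountControl"] = [(MODIFY_REPLACE, [cleared])]
    return changes


def must_change_at_next_logon(pwd_last_set, uac):
    """Audit check: True when AD will prompt this account at its next logon."""
    return int(pwd_last_set) == 0 and not (int(uac) & UF_DONT_EXPIRE_PASSWD)


def apply_to_account(conn, user_dn):
    """Read the current userAccountControl, apply the change, then read it back.

    `conn` is a bound ldap3.Connection with rights to modify the user object.
    Returns True when the read-back confirms the account will be prompted.
    """
    attrs = ["userAccountControl", "pwdLastSet"]
    conn.search(user_dn, "(objectClass=user)", search_scope=BASE, attributes=attrs)
    uac = int(conn.entries[0].userAccountControl.value)
    if not conn.modify(user_dn, force_change_modifications(uac)):
        raise RuntimeError(conn.result)  # e.g. insufficient rights or rejected value
    conn.search(user_dn, "(objectClass=user)", search_scope=BASE, attributes=attrs)
    entry = conn.entries[0]
    return must_change_at_next_logon(entry.pwdLastSet.value, entry.userAccountControl.value)
```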
