Ticket #47492 - PassSync removes User must change password flag on the Windows side
Bug description: Windows Sync sends password modify even if it is
from PassSync originated on AD. The modify updates the pwdLastSet
attribute value to non-zero value. The value 0 indicates the pass-
word must change at next logon on AD.
Fix description: Before sending the password modify, check whether
the current pwdLastSet value is 0 or not. If it is 0 (means the
password must change), reset pwdLastSet value to 0 along with the
password modify. This operation replaces the password on AD, but
the password still must change at next logon.
Note: If "password must change at next logon" on the both DS and AD,
the password needs to be changed by the user on the both servers to
enable it on each.
https://fedorahosted.org/389/ticket/47492
Reviewed by Rich (Thank you!!)