The "password never expires" option is represented by a BIT/FLAG in
the useraccountcontrol attribute. That same attribute also contains
other bits that represent other options like "account is disabled".
So to delegate the change of the option "password never expires" to a
group (recommended) or user, you need to delegate the change to the
useraccountcontrol attribute (read permission and write permission).
The catch here is that by doing this you also allow the change of the
other BITS/FLAGS and that may not be desired by you.
Cheers,
# Jorge de Almeida Pinto #
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test before implementing!
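
An added example, not part of the original post: because the delegation covers the whole userAccountControl bit field, one way to keep an eye on it is to compare the old and new value of each change and report any bit other than "password never expires" that was flipped. The flag values are the documented userAccountControl bits; the function names and the change records are constructed for illustration.

```python
# Documented userAccountControl bit values (subset).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x100000: "NOT_DELEGATED",
    0x800000: "PASSWORD_EXPIRED",
}
DONT_EXPIRE_PASSWORD = 0x10000  # the only bit the delegation was meant for


def flag_changes(old, new):
    """Return {flag_name: 'set' | 'cleared'} for every bit that differs."""
    diff = old ^ new
    changes = {}
    bit = 1
    while bit <= diff:
        if diff & bit:
            name = UAC_FLAGS.get(bit, hex(bit))  # unknown bits shown as hex
            changes[name] = "set" if new & bit else "cleared"
        bit <<= 1
    return changes


def out_of_scope(old, new, allowed=DONT_EXPIRE_PASSWORD):
    """Changes to bits other than the delegated one."""
    return flag_changes(old & ~allowed, new & ~allowed)


# Constructed sample records: (actor, target, old value, new value)
SAMPLE_CHANGES = [
    ("helpdesk1", "alice", 0x0200, 0x10200),  # only never-expires set
    ("helpdesk1", "bob", 0x0202, 0x10200),    # also re-enables the account
    ("helpdesk2", "carol", 0x40200, 0x10200), # also clears smart card flag
]


def audit(changes):
    """List (actor, target, extra_changes) where other bits were touched."""
    return [(a, t, out_of_scope(o, n)) for a, t, o, n in changes
            if out_of_scope(o, n)]


if __name__ == "__main__":
    for actor, target, extra in audit(SAMPLE_CHANGES):
        print(f"{actor} changed {target}: {extra}")
```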