I am blanking on how to set this on a user create/modify in AD.

I initially thought it was one of the uac bitmask attributes, but nope.

Then I tried pwdLastSet to 0, which seems to expire the password but not
set the tick box.

Am I forgetting something obvious?