A strage user case appeared and so far I have no good solution to this.

When Active Directory driver queries a certain user object from Active
Directory it receives accountExpires with a large value (year 2106).
When I update the value of accountExpires to 0 from idvault to AD via
driver and AD reports a success the next query returns the same value
(converted to epoc). Even after waiting for possible replication delays.

But when I query the same user from the very same controller with LDAP
it shows me 0.

And when I use the AD GUI tools it shows a more reasonable (not 2106)
date but it is greyed out and account is checked to never expire.

The problem is only fixed when I manually set expiration date from AD
GUI user tools and then do an update from idvault. This time query
receives the correct date from AD and driver writes over 0 and it
populates to AD as it should.

A big question remains is that where did the wrong value come from and
why the driver could not update it? Going manually through all of there
is not an option.

Maybe something inherited from older versions of AD? We're using the
latest on this one. Driver update level is around the first quarter of
this year and IDM is 4.5.2 with edir 8.8.8.