From 915b59a6d5fdf2bb97c5471d1626ccbf52d8293f Mon Sep 17 00:00:00 2001
From: nitzmahone <mdavis@ansible.com>
Date: Sun, 11 Sep 2016 20:41:54 -0700
Subject: [PATCH] Fix win_user issue with disabled accounts/expired passwords

Disabled and password-expired accounts cannot call ValidatePassword successfully

fixed #4369
---
 lib/ansible/modules/windows/win_user.ps1 | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/lib/ansible/modules/windows/win_user.ps1 b/lib/ansible/modules/windows/win_user.ps1
index 0ca11c743af..5eba6ad2a69 100644
--- a/lib/ansible/modules/windows/win_user.ps1
+++ b/lib/ansible/modules/windows/win_user.ps1
@@ -137,8 +137,16 @@ If ($state -eq 'present') {
             [void][system.reflection.assembly]::LoadWithPartialName('System.DirectoryServices.AccountManagement')
             $host_name = [System.Net.Dns]::GetHostName()
             $pc = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext 'Machine', $host_name
-            # ValidateCredentials fails if PasswordExpired == 1
-            If (!$pc.ValidateCredentials($username, $password)) {
+
+            # ValidateCredentials will fail if either of these are true- just force update...
+            If($user_obj.AccountDisabled -or $user_obj.PasswordExpired) {
+                $password_match = $false
+            }
+            Else {
+                $password_match = $pc.ValidateCredentials($username, $password)
+            }
+
+            If (-not $password_match) {
                 $user_obj.SetPassword($password)
                 $result.changed = $true
             }