Unexpire Password extended right permission needed

For SSPR to successfully change a user's password on prem and update the pwdLastSet attribute the extended right "Unexpire Password" (https://docs.microsoft.com/en-us/windows/win32/adschema/r-unexpire-password) is required for the on-prem AD service account.  Otherwise after a user performs SSPR the "User must change password at next login" flag will be set.

Author: jafrittsMSFT

articles/active-directory/authentication/tutorial-enable-sspr-writeback.md

@@ -52,7 +52,7 @@ To correctly work with SSPR writeback, the account specified in Azure AD Connect
 * **Reset password**
 * **Write permissions** on `lockoutTime`
 * **Write permissions** on `pwdLastSet`
-* **Extended rights** on either:
+* **Extended rights** for "Unexpire Password" on either:
    * The root object of *each domain* in that forest
    * The user organizational units (OUs) you want to be in scope for SSPR