Problem:

Setting userAccountControl with AD Connector. New in UCS created users get the userAccountControl 544 flag set instead of 512.
Customers expect the same behaviour as it is when creating a user in AD.

Investigation:

The value 544 comes from the fact that we interact with Active Directory through an interface in order to create the user. Through this interface, it is not possible to simply provide a plaintext password, and as far as I know, setting the password happens in a separate step afterward. Since Active Directory allows creating users without a password, these accounts initially receive the UAC value 546 — that is, PASSWD_NOTREQD and ACCOUNTDISABLE added on top of the base value 512. When the user account is enabled, 2 is subtracted again, leaving the final value at 544.

Solution/Workaround:

See Bug 58427 for more information and for workaround
https://github.com/univention/univention-corporate-server/compare/5.2-5...fbest/58427-user-account-control-password-not-required.patch