What is the implementation principle behind the 'Password Never Expires' attribute for domain users?
The attribute is stored as a bit flag in the `userAccountControl` field of a domain user object, which holds a numeric value. The flag value for 'Password Never Expires' is 65536 (DONT_EXPIRE_PASSWORD). To enable it, perform a bitwise OR of the current `userAccountControl` value with 65536; to remove it, use a bitwise XOR with 65536. XOR toggles the bit, so it clears the flag only when the flag is currently set. Checking for the attribute requires a bitwise AND with 65536: a non-zero result means the flag is set. This principle is central to enumerating and manipulating the attribute in domain penetration testing, as detailed in Penetration Basics - The Password Never Expires Attribute for Domain Users.
userAccountControl, DONT_EXPIRE_PASSWORD, bitwise operations, domain user attribute, Active Directory