diff --git a/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py b/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py
index 546fdd5c3a..cfec7e021e 100644
--- a/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py
+++ b/management/univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py
@@ -1094,8 +1094,8 @@ def posixSecondsToLocaltimeDate(seconds):
 	return time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(seconds))
 
 
-def posixDaysToDate(days):
-	return time.strftime("%Y-%m-%d", time.gmtime(long(days) * 3600 * 24))
+def posixDaysToLocalDate(days):
+	return time.strftime("%Y-%m-%d", time.localtime(long(days) * 3600 * 24))
 
 
 def sambaWorkstationsMap(workstations):
@@ -1267,22 +1267,23 @@ def unmapShadowExpireToUserexpiry(oldattr):
 	# shadowExpire contains the absolute date to expire the account.
 
 	if 'shadowExpire' in oldattr and len(oldattr['shadowExpire']) > 0:
-		univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'userexpiry: %s' % posixDaysToDate(oldattr['shadowExpire'][0]))
+		univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'userexpiry: %s' % posixDaysToLocalDate(oldattr['shadowExpire'][0]))
 		if oldattr['shadowExpire'][0] != '1':
-			return posixDaysToDate(oldattr['shadowExpire'][0])
+			return posixDaysToLocalDate(oldattr['shadowExpire'][0])
 
 
 def unmapKrb5ValidEndToUserexpiry(oldattr):
 	if 'krb5ValidEnd' in oldattr:
 		krb5validend = oldattr['krb5ValidEnd'][0]
 		univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'krb5validend is: %s' % krb5validend)
-		return "%s-%s-%s" % (krb5validend[0:4], krb5validend[4:6], krb5validend[6:8])
+		userexpiry_epoch = calendar.timegm(time.strptime(krb5validend, '%Y%m%d%H%M%SZ'))
+		return time.strftime("%Y-%m-%d", time.localtime(userexpiry_epoch))
 
 
 def unmapSambaKickoffTimeToUserexpiry(oldattr):
 	if 'sambaKickoffTime' in oldattr:
 		univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'sambaKickoffTime is: %s' % oldattr['sambaKickoffTime'][0])
-		return time.strftime("%Y-%m-%d", time.gmtime(long(oldattr['sambaKickoffTime'][0]) + (3600 * 24)))
+		return time.strftime("%Y-%m-%d", time.localtime(long(oldattr['sambaKickoffTime'][0]) + (3600 * 24)))
 
 
 def unmapPasswordExpiry(oldattr):
@@ -1293,7 +1294,7 @@ def unmapPasswordExpiry(oldattr):
 			shadow_last_change = int(oldattr['shadowLastChange'][0])
 		except ValueError:
 			univention.debug.debug(univention.debug.ADMIN, univention.debug.WARN, 'users/user: failed to calculate password expiration correctly, use only shadowMax instead')
-		return posixDaysToDate(shadow_last_change + shadow_max)
+		return posixDaysToLocalDate(shadow_last_change + shadow_max)
 
 
 def unmapDisabled(oldattr):
@@ -2048,7 +2049,7 @@ class object(univention.admin.handlers.simpleLdap):
 			return ml
 
 		krb_keys = univention.admin.password.krb5_asn1(self.krb5_principal(), self['password'])
-		krb_key_version = str(int(self.oldattr.get('krb5KeyVersionNumber', ['0'])[0]) + 1)
+		krb_key_version = str(int(self.oldattr.get('krb5KeyVersionNumber', ['0'])[0]))
 		ml.append(('krb5Key', self.oldattr.get('krb5Key', []), krb_keys))
 		ml.append(('krb5KeyVersionNumber', self.oldattr.get('krb5KeyVersionNumber', []), krb_key_version))
 		return ml
@@ -2193,7 +2194,8 @@ class object(univention.admin.handlers.simpleLdap):
 		if self.hasChanged('userexpiry'):
 			krb5ValidEnd = ''
 			if self['userexpiry']:
-				krb5ValidEnd = "%s%s%s000000Z" % (self['userexpiry'][0:4], self['userexpiry'][5:7], self['userexpiry'][8:10])
+				userexpiry_epoch = time.mktime(time.strptime(self['userexpiry'], "%Y-%m-%d"))
+				krb5ValidEnd = time.strftime("%Y%m%d000000Z", time.gmtime(userexpiry_epoch))
 				univention.debug.debug(univention.debug.ADMIN, univention.debug.INFO, 'krb5ValidEnd: %s' % krb5ValidEnd)
 			old_krb5ValidEnd = self.oldattr.get('krb5ValidEnd', '')
 			if old_krb5ValidEnd != krb5ValidEnd:
@@ -2208,7 +2210,7 @@ class object(univention.admin.handlers.simpleLdap):
 			if self['disabled'] == '1' and self.hasChanged('disabled') and not self.hasChanged('userexpiry'):
 				shadowExpire = '1'
 			elif self['userexpiry']:
-				shadowExpire = "%d" % long(time.mktime(time.strptime(self['userexpiry'], "%Y-%m-%d")) / 3600 / 24 + 1)
+				shadowExpire = "%d" % long(time.mktime(time.strptime(self['userexpiry'], "%Y-%m-%d")) / 3600 / 24)
 			elif self['disabled'] == '1':
 				shadowExpire = '1'
 			else:
diff --git a/services/univention-s4-connector/modules/univention/s4connector/s4/__init__.py b/services/univention-s4-connector/modules/univention/s4connector/s4/__init__.py
index dcbc203ed7..1c6fc15ce9 100644
--- a/services/univention-s4-connector/modules/univention/s4connector/s4/__init__.py
+++ b/services/univention-s4-connector/modules/univention/s4connector/s4/__init__.py
@@ -215,19 +215,19 @@ def encode_s4_resultlist(s4_resultlist):
 	return s4_resultlist
 
 
-def unix2s4_time(l):
+def userexpiry2accountExpires(l):
 	d = 116444736000000000L  # difference between 1601 and 1970
-	return long(time.mktime(time.gmtime(time.mktime(time.strptime(l, "%Y-%m-%d")) + 90000))) * 10000000 + d  # 90000s are one day and one hour
+	return long(time.mktime(time.strptime(l, "%Y-%m-%d")) - 86400) * 10000000 + d  # 86400s is one day
 
 
-def s42unix_time(l):
+def accountExpires2userexpiry(l):
 	d = 116444736000000000L  # difference between 1601 and 1970
-	return time.strftime("%d.%m.%y", time.gmtime((l - d) / 10000000))
+	return time.strftime("%Y-%m-%d", time.localtime((l - d) / 10000000) + 86400)
 
 
 def samba2s4_time(l):
 	d = 116444736000000000L  # difference between 1601 and 1970
-	return long(time.mktime(time.localtime(l))) * 10000000 + d
+	return long(l) * 10000000 + d
 
 
 def s42samba_time(l):
@@ -2129,9 +2129,10 @@ class s4(univention.s4connector.ucs):
 				modlist.append((ldap.MOD_REPLACE, 'accountExpires', ['9223372036854775807']))
 		else:
 			# ucs account expired
-			if 'accountExpires' in ldap_object_s4 and ldap_object_s4['accountExpires'][0] != unix2s4_time(ucs_admin_object['userexpiry']):
+			accountExpires_ucs = userexpiry2accountExpires(ucs_admin_object['userexpiry'])
+			if 'accountExpires' in ldap_object_s4 and ldap_object_s4['accountExpires'][0] != accountExpires_ucs:
 				# s4 account not expired -> change
-				modlist.append((ldap.MOD_REPLACE, 'accountExpires', [str(unix2s4_time(ucs_admin_object['userexpiry']))]))
+				modlist.append((ldap.MOD_REPLACE, 'accountExpires', [str(accountExpires_ucs)]))
 
 		if modlist:
 			ud.debug(ud.LDAP, ud.ALL, "disable_user_from_ucs: modlist: %s" % modlist)
@@ -2171,9 +2172,10 @@ class s4(univention.s4connector.ucs):
 			# s4 account expired
 			ud.debug(ud.LDAP, ud.INFO, "sync account_expire:      s4time: %s    unixtime: %s" % (long(ldap_object_s4['accountExpires'][0]), ucs_admin_object['userexpiry']))
 
-			if s42unix_time(long(ldap_object_s4['accountExpires'][0])) != ucs_admin_object['userexpiry']:
+			userexpiry_s4 = accountExpires2userexpiry(long(ldap_object_s4['accountExpires'][0]))
+			if userexpiry_s4 != ucs_admin_object['userexpiry']:
 				# ucs account not expired -> change
-				ucs_admin_object['userexpiry'] = s42unix_time(long(ldap_object_s4['accountExpires'][0]))
+				ucs_admin_object['userexpiry'] = userexpiry_s4
 				modified = 1
 
 		if modified: