AFAIK you can’t change the shell access in AD after the user has been created; you need to do it when creating.
I think it’s a limitation of the AD schema, but I’m not an expert on it (and I don’t want to be).
Even with samba-tool you can’t change the flag after creation.