I'm using the NT Syncronization Service and plugin with Netscape Directory Server 4.1. Because of various problems that are probably not germane, I'm only synching from the directory to the PDC, NOT the other way round. I'm trying to figure out how I can make use of the ntUserFlags attribute to make changes on the PDC. Is anyone doing this, or does anyone know the details of what kind of values that attribute requires? I've searched high and low for information on what this attribute is supposed to contain, and all I can find is this from the "Iplanet Meta-Directory Configuration and Administration Guide" (this is as-is from the manual, including grammatical and apparent numerical mistakes): ,---- | Provides flags for several purposes. The values are in | decimal and is read-only. Possible values are: | | * 0x0002: Account disabled | | * 0x0010: Account currently locked | | * 0x0020: Password not required | | * 0x0040: User cannot change password | | * 0x10000: Password should never expire | | The following values are not changeable by the connector: | | * 0x0100: Account to access this domain, but not any other | domain it trusts | | * 0x0200: Default account type for the user | | * 0x0800: 'Permit to trust' account for a domain that trusts | other domains | | * 0x1000: Computer account for an NT workstation or server | that is a member of this domain | | * 0x2000: Computer account for the BDC that is a member of | this domain `---- Now, that all makes a certain amount of sense to me. The value is in decimal and made up of those flags, which are represented in the documentation in hexadecimal. So, if I want to set "User cannot change password" (0x0040) and "Account disabled" (0x0002) flags, I'd add those two flags to come up with 0x0042, convert that to decimal, which is 66, and set that: ,---- | dn: uid=test,ou=people,o=org | changetype: modify | replace: ntUserFlags | ntUserFlags: 66 `---- ... only that doesn't work. The change does get accepted in the Directory, however when looking at the user on the PDC, the flags in question are not set. Now, to make matters more confusing, I do have some users who exist from the olden days when we actually tried synching both ways between the Directory and the PDC. So, I have some users who have ntUserFlags set with some value from the PDC -> Directory sync. However, this value doesn't make any sense to me in terms of the above documentation. Firstly, the existing ntUserFlags values are base64 encoded in the directory, which implies that they are non-ASCII data, which they indeed are. Of all the values in the directory, there are 5 distinct values and they are (after base64 decoding): ^A^B^@^@ ^A^B^A^@ A^B^@^@ A^B^A^@ C^B^@^@ Note that all of the characters preceded up there by ^ are actually control characters in real life. They seem to boil down to 5 characters: null, A, C, control A, control B. Now, this seems like progress to me because those seem to be four byte values, and the documentation separates the flags out into four bytes. But, I can't for the life of me figure out how to interpret what's there nor how to make meaningful changes. Does anyone have any experience with this? If not, maybe you're better at math than me: can you figure out what the existing values represent? Thanks in advance for any insight into this. -- Chris Brierley <[EMAIL PROTECTED]>