Yep.
 
Accounts flagged to change their password on next logon are indicated by pwdLastSet being set to 0. Much easier to search for that than that useraccountcontrol flag. I actually MS pulls them all out of that thing. Bit flags are a pain in the butt with LDAP.
 
Locked Out accounts are maintained in lockoutTime but it is kind of involved on how to really check it. I suggest unlock.exe for checking - www.joeware.net on the free win32 tools page. Recipe 6.9 in Robbie's book. ;o)
 
Note that pwdLastSet will not go to 0 when a password expires. That becomes an issue with decoding the value of the attribute and comparing to the domain policy like with lockouts.
 
 
  joe
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen
Sent: Thursday, December 04, 2003 11:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] UserAccountControl Bitwise question

The problem is the KB article, not you, Mark. The userAccountControl attribute isn't updated when the password expires. Same for the lockout flag.
 
Regards.
Robbie Allen


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Thursday, December 04, 2003 4:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] UserAccountControl Bitwise question

Yeah, I guess that’s probably right, just like disabling an account is 512 + 2 = 514.

 

Still, if anyone knows why it wouldn’t be changing when the password is expired…

 

<mc>

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 04, 2003 4:35 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] UserAccountControl Bitwise question

 

Shouldn't that be changed to 8389120 instead (512 + 8388608)?

 


From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 04, 2003 4:22 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] UserAccountControl Bitwise question

I thought flagging an account to require password change would change the UserAccountControl attribute from 512 to 8388608 (0x800000) (per article KB 305144). But it's not happening. Accounts that are flagged for that are still 512. Am I misunderstanding something? Likely :)

 

Mark Creamer

Systems Engineer

Cintas Corporation

Honesty and Integrity in Everything We Do
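
The checks discussed in this thread, as an added example that is not part of any poster's message: it decodes userAccountControl bits and derives the must-change, expired and locked-out states from pwdLastSet and lockoutTime compared against domain policy. The dict shape, the sample users, the policy values and the treatment of 0 or INT64_MIN as "no limit" are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits named in the thread (values per KB 305144).
UAC = {"ACCOUNTDISABLE": 0x2, "LOCKOUT": 0x10, "NORMAL_ACCOUNT": 0x200,
       "DONT_EXPIRE_PASSWORD": 0x10000, "PASSWORD_EXPIRED": 0x800000}
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
TICKS = 10_000_000                                 # 100-ns ticks per second

def from_filetime(raw):
    return EPOCH + timedelta(seconds=raw // TICKS)

def interval(raw):
    # Assumption: policy intervals are negative tick counts; 0 or INT64_MIN = no limit.
    return None if raw in (0, -2**63) else timedelta(seconds=abs(raw) // TICKS)

def decode_uac(value):
    return sorted(name for name, bit in UAC.items() if value & bit)

def account_state(entry, max_pwd_age, lockout_duration, now):
    flags = decode_uac(entry["userAccountControl"])
    pwd_set, lock_at = entry.get("pwdLastSet", 0), entry.get("lockoutTime", 0)
    age, dur = interval(max_pwd_age), interval(lockout_duration)
    must_change = pwd_set == 0          # "change at next logon"
    expired = (not must_change and age is not None
               and "DONT_EXPIRE_PASSWORD" not in flags
               and from_filetime(pwd_set) + age <= now)
    locked = lock_at != 0 and (dur is None or from_filetime(lock_at) + dur > now)
    return {"flags": flags, "must_change": must_change,
            "expired": expired, "locked": locked}

# Constructed sample data, not taken from any real directory.
NOW = datetime(2003, 12, 4, 22, 0, tzinfo=timezone.utc)
MAX_PWD_AGE = -42 * 86400 * TICKS       # 42 days
LOCKOUT_DURATION = -30 * 60 * TICKS     # 30 minutes

def ago(**delta):  # constructed FILETIME value relative to NOW
    return int((NOW - timedelta(**delta) - EPOCH).total_seconds()) * TICKS

OK = {"userAccountControl": 512, "pwdLastSet": ago(days=1)}
USERS = {
    "flagged": {"userAccountControl": 512, "pwdLastSet": 0},
    "stale": {"userAccountControl": 512, "pwdLastSet": ago(days=60)},
    "locked": {**OK, "lockoutTime": ago(minutes=10)},
    "lapsed": {**OK, "lockoutTime": ago(hours=2)},  # window passed, value remains
}

def report():
    return {n: account_state(e, MAX_PWD_AGE, LOCKOUT_DURATION, NOW) for n, e in USERS.items()}

if __name__ == "__main__":
    print(report())
```

All four sample users carry userAccountControl 512, so only the timestamp attributes distinguish them.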

 
