Title: WASTING RIDs

Hi Everyone,

A few days ago I experienced the following:
I was playing with RID pools, tombstones (deleted objects) and the new "reanimate tombstone API" and the following came to my attention:

Let's say a certain AD environment (W2K3, I think the same happens in W2K) has a certain password policy that passwords need to comply with. When trying to create a user with a password that does not comply with the password policy the following happens: the system creates the user with the next RID to be used and after that it checks the password. If the password does not comply, the user with the RID used is deleted (tombstoned) and the system generates an error stating the password does not comply. Clicking BACK and using a password that complies with the policy creates the user again with the following RID. In this situation TWO RIDs were used to create one user (this of course depends on the incorrect passwords that are used when creating the user).


How to reproduce this:
* Create a user that has never existed before in W2K3 AD with an empty password until the error is generated (do not click OK)
* Check that user that was just created but is disabled (using another instance of DSA.MSC)
* Check the RID value (last value of the SID after the "-") of that user account with LDP
* Click OK on the error within the first instance of DSA.MSC
* Check with LDP the deleted objects container (use MS-KBQ258310: Viewing Deleted Objects in Active Directory) for the first user created and compare the RID value with the previous value
* Correct the password and continue creating the user
* Check the RID value (last value of the SID after the "-") of the "new" user account with LDP and check that it was incremented by 1 compared with the previous RID value


Apparently the system can only check if the password complies with the policy when it is written to the user account AFTER the user is created.

Maybe I'm mistaken, but shouldn't the system FIRST check if the password complies with the policy and, if it does, then create the user and write the password to the account? Personally I think this is an unnecessary waste of RIDs within a certain domain.

Do you guys agree with me, and should this be changed by Microsoft?
 
Regards,
Jorge

Met vriendelijke groet / Kind regards,

Jorge de Almeida Pinto
Infrastructure Consultant
__________________________________________


LogicaCMG Nederland B.V. (BU SD/AT)
Division Industry, Distribution and Transport (ID&T)
Kennedyplein 248, 5611 ZT, Eindhoven
Postbus 7089
5605 JB Eindhoven
Tel    : +31-(0)40-2957777
Fax    : +31-(0)40-2957709
Mobile : +31-(0)6-29067977
E-mail : [EMAIL PROTECTED]
<http://www.logicacmg.com/> - Solutions that matter -


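As an added example (not part of Jorge's post, and not a Microsoft tool), the check below does in Python what the reproduction steps do by hand with LDP: it decodes objectSid blobs as returned by LDAP into S-1-5-... text, takes the RID from the last sub-authority, pairs each tombstoned user with a live account of the same sAMAccountName (the "rejected creation, then created again" pattern), and decodes rIDAvailablePool from CN=RID Manager$ into the next RID to be handed out and the pool ceiling. The sample entries and the pool value are constructed.

```python
import struct

def sid_bytes_to_str(blob: bytes) -> str:
    """Decode a binary objectSid (the form LDAP/LDP returns) into S-1-5-... text."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")         # 48-bit identifier authority
    subs = struct.unpack_from("<%dI" % count, blob, 8)   # little-endian sub-authorities
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def sid_str_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_str; used here only to build constructed sample data."""
    parts = [int(p) for p in sid.split("-")[1:]]
    revision, authority, subs = parts[0], parts[1], parts[2:]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def rid_of(sid: str) -> int:
    """The RID is the last sub-authority, i.e. the value after the final '-'."""
    return int(sid.rsplit("-", 1)[1])

def decode_rid_available_pool(value: int) -> tuple:
    """rIDAvailablePool on CN=RID Manager$,CN=System: the low 32 bits hold the next
    RID the RID master will allocate, the high 32 bits the highest allocatable RID."""
    return value & 0xFFFFFFFF, value >> 32

def recreated_user_rids(entries) -> list:
    """Return (tombstone_rid, live_rid) pairs for every tombstoned user whose
    sAMAccountName also exists as a live account: each pair is one RID spent on a
    rejected creation. entries: dicts with sAMAccountName, objectSid, isDeleted."""
    live = {e["sAMAccountName"]: rid_of(sid_bytes_to_str(e["objectSid"]))
            for e in entries if not e["isDeleted"]}
    pairs = []
    for e in entries:
        if e["isDeleted"] and e["sAMAccountName"] in live:
            pairs.append((rid_of(sid_bytes_to_str(e["objectSid"])), live[e["sAMAccountName"]]))
    return sorted(pairs)

# Constructed sample: "jorge" was first created with a rejected password (tombstone,
# RID 1107) and then created again (live, RID 1108); "olduser" is an ordinary deletion.
DOMAIN = "S-1-5-21-1000-2000-3000"
SAMPLE = [
    {"sAMAccountName": "jorge",   "objectSid": sid_str_to_bytes(DOMAIN + "-1107"), "isDeleted": True},
    {"sAMAccountName": "jorge",   "objectSid": sid_str_to_bytes(DOMAIN + "-1108"), "isDeleted": False},
    {"sAMAccountName": "olduser", "objectSid": sid_str_to_bytes(DOMAIN + "-1105"), "isDeleted": True},
]

if __name__ == "__main__":
    print(recreated_user_rids(SAMPLE))                     # [(1107, 1108)]
    print(decode_rid_available_pool(0x3FFFFFFF00000455))   # (1109, 1073741823)
```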
