Having UF_PASSWD_NOTREQD wouldn't break anything but would be unusual for a DC, I think. Usually you find that on accounts precreated by ADUC. For some reason it doesn't clear the flag after the account is created. I actually filed that as a bug with MS a long time ago because netdom doesn't do it.

You can use any LDAP tool to verify the setting but I find ADFIND to be the easiest. I would hit every DC in the domain just to be sure they all agree.

adfind -h dc -default -f "&(objectcategory=computer)(name=dc_to_check)" useraccountcontrol -samdc

The -samdc will decode the useraccountcontrol to simple mnemonics like below.

F:\temp>adfind -default -f "&(objectcategory=computer)(name=2k3dc01)" useraccountcontrol -samdc

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=2K3DC01,OU=Domain Controllers,DC=joe,DC=com
>userAccountControl: 532480 [DC(8192);TRUST_DELEG(524288)]

1 Objects returned

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, May 17, 2005 6:58 AM
To: [email protected]
Subject: [ActiveDir] "UF_PASSWD_NOTREQD" on domain controller?

Hi All,

I didn't get any response from my posting below, so I thought I would try again. I do have additional information on this issue: if I check with ADSIEdit on the child DC in question, the value is different, 0x82000 (as it should be), than what is reported in DCDiag. Could this be some bug in the DCDiag software that was upgraded in SP1?

Original post:

Daily I run a DCDiag report for the domain controllers in my enterprise. I noticed that after I upgraded my FSMO root domain controller (where I run the DCDiag report) to W2K3/SP1 from W2K3, I see the following for one of my child domain controllers:

Warning: Attribute userAccountControl of XXXXX is: 0x82020 = ( UF_PASSWD_NOTREQD | UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
This may be affecting replication?

I am not aware of anything changing on the child DC in question. A password not required for a DC computer account doesn't make much sense.
Googling doesn't appear to produce anything useful. Any thoughts on what this might mean? Thanks!

Mike Thommes

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
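
Added example, not part of the original thread or of any tool mentioned in it: a small decoder that takes the userAccountControl value each queried DC returns for one DC's computer object (decimal as adfind prints it, hex as DCDiag prints it), reports replicas that disagree, and names any bits that differ from the typical 0x82000. The function names, server names and sample readings are constructed for illustration.

```python
# Added example: function names, server names and sample readings are constructed.
UAC_FLAGS = {
    0x0002: "UF_ACCOUNTDISABLE",
    0x0020: "UF_PASSWD_NOTREQD",
    0x0200: "UF_NORMAL_ACCOUNT",
    0x1000: "UF_WORKSTATION_TRUST_ACCOUNT",
    0x2000: "UF_SERVER_TRUST_ACCOUNT",
    0x10000: "UF_DONT_EXPIRE_PASSWD",
    0x80000: "UF_TRUSTED_FOR_DELEGATION",
}
TYPICAL_DC = 0x82000  # UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION

def parse_uac(text):
    """Accept decimal (adfind: 532480) or hex (DCDiag: 0x82020)."""
    return int(text.strip(), 0)

def decode_uac(value):
    """Return flag names for the set bits, lowest bit first."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)  # bits this table does not name
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names

def audit_dc(readings):
    """readings maps the server that was queried to the value it returned
    for one DC's computer object. An empty result means every replica
    agrees and matches the typical DC setting."""
    values = {srv: parse_uac(raw) for srv, raw in readings.items()}
    findings = []
    if len(set(values.values())) > 1:
        pairs = ", ".join(f"{s}=0x{v:x}" for s, v in sorted(values.items()))
        findings.append(f"replicas disagree: {pairs}")
    for srv, v in sorted(values.items()):
        extra = decode_uac(v & ~TYPICAL_DC)
        missing = decode_uac(TYPICAL_DC & ~v)
        if extra:
            findings.append(f"{srv}: unexpected {' | '.join(extra)}")
        if missing:
            findings.append(f"{srv}: missing {' | '.join(missing)}")
    return findings

if __name__ == "__main__":
    # Constructed readings: one server reports 0x82020, the other 532480.
    sample = {"rootdc01": "0x82020", "childdc01": "532480"}
    for line in audit_dc(sample):
        print(line)
```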
