Hi joe!
Thanks for the reply. It makes me ask a somewhat related question
about adfind. If I want to check the "useraccountcontrol" value against
all of the domain controllers in my enterprise in one swoop, is there a
correct combination of "-b" "-s" parameters that I could use to have
adfind search all the way through AD to include both the root domain
controllers and the child domain controllers? (I think I can filter on
"iscriticalsystemobject=TRUE" to pick out the DCs.) Or do I need to
query for a list of Enterprise DCs and then feed that into an adfind
loop? Thanks!
Mike Thommes
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 17, 2005 8:16 PM
To: [email protected]
Subject: RE: [ActiveDir] "UF_PASSWD_NOTREQD" on domain controller?
Having UF_PASSWD_NOTREQD wouldn't break anything but would be unusual for a
DC I think. Usually you find that on accounts precreated by ADUC. For some
reason it doesn't clear the flag after the account is created, I actually
filed that as a bug with MS a long time ago because netdom doesn't do it.
You can use any LDAP tool to verify the setting but I find ADFIND to be the
easiest. I would hit every DC in the domain just to be sure they all agree.
adfind -h dc -default -f "&(objectcategory=computer)(name=dc_to_check)" useraccountcontrol -samdc
The -samdc will decode the useraccountcontrol to simple mnemonics like below.
F:\temp>adfind -default -f "&(objectcategory=computer)(name=2k3dc01)" useraccountcontrol -samdc
AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005
Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com
dn:CN=2K3DC01,OU=Domain Controllers,DC=joe,DC=com
>userAccountControl: 532480 [DC(8192);TRUST_DELEG(524288)]
1 Objects returned
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Tuesday, May 17, 2005 6:58 AM
To: [email protected]
Subject: [ActiveDir] "UF_PASSWD_NOTREQD" on domain controller?
Hi All,
I didn't get any response from my posting below, so I thought I would
try again. I do have additional information on this issue: if I check with
ADSIEdit on the child DC in question, the value is different, 0x82000 (as it
should be), than what is reported in DCDiag. Could this be some bug in the
DCDiag software that was upgraded in SP1?
Original post:
Daily I run a DCDiag report for the domain controllers in my enterprise.
I noticed that after I upgraded my FSMO root domain controller (where I run
the DCDiag report) to W2K3/SP1 from W2K3, I see the following for one of my
child domain controllers:
Warning: Attribute userAccountControl of XXXXX is: 0x82020 = ( UF_PASSWD_NOTREQD | UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
This may be affecting replication?
I am not aware of anything changing on the child DC in question. A password
not required for a DC computer account doesn't make much sense.
Googling doesn't appear to produce anything useful. Any thoughts on what
this might mean? Thanks!
Mike Thommes
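Added example, not written by any poster in this thread and not part of AdFind: the Python below parses AdFind-style output collected from several DCs, decodes userAccountControl, and reports where servers disagree about an object or carry bits beyond the typical DC value 0x82000 quoted by DCDiag. The sample text, host names and function names are constructed for illustration.

```python
import re
# userAccountControl bits, named as DCDiag prints them.
UAC_FLAGS = {
    0x00002: "UF_ACCOUNTDISABLE",
    0x00020: "UF_PASSWD_NOTREQD",
    0x02000: "UF_SERVER_TRUST_ACCOUNT",
    0x80000: "UF_TRUSTED_FOR_DELEGATION",
}
TYPICAL_DC = 0x82000  # typical DC value quoted in the DCDiag warning

# Constructed sample (not real output): one DC object read from two servers.
SAMPLE = """\
Using server: dc01.example.com
dn:CN=DC02,OU=Domain Controllers,DC=example,DC=com
>userAccountControl: 532480 [DC(8192);TRUST_DELEG(524288)]
Using server: dc02.example.com
dn:CN=DC02,OU=Domain Controllers,DC=example,DC=com
>userAccountControl: 532512
"""

def decode(uac):
    """Return the flag names set in uac; unnamed bits are shown in hex."""
    names = [name for bit, name in UAC_FLAGS.items() if uac & bit]
    unknown = uac & ~sum(UAC_FLAGS)
    return names + ([hex(unknown)] if unknown else [])

def parse(text):
    """Yield (server, dn, uac) tuples from AdFind-style output."""
    server = dn = None
    for line in text.splitlines():
        if m := re.match(r"Using server:\s*(\S+)", line):
            server = m.group(1)
        elif m := re.match(r"dn:\s*(.+)", line):
            dn = m.group(1).strip()
        elif m := re.match(r">userAccountControl:\s*(\d+)", line, re.I):
            yield server, dn, int(m.group(1))

def audit(text):
    """Per DN: do all servers agree, and which servers show extra flags."""
    seen = {}
    for server, dn, uac in parse(text):
        seen.setdefault(dn, {})[server] = uac
    return {dn: {"agree": len(set(v.values())) == 1,
                 "extra": {s: decode(u & ~TYPICAL_DC) for s, u in v.items() if u & ~TYPICAL_DC}}
            for dn, v in seen.items()}

if __name__ == "__main__":
    print(audit(SAMPLE))
```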
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/