If you mean you want to check the useraccountcontrol values for all DCs in
one fell swoop, I can help with that. If you mean you want to check the
useraccountcontrol value for one (or all) DC on every DC in the forest in one
fell swoop, you need to wrap adfind into a script.
Adfind will only talk to one DC at a time for you, you specify the DC via
the -h option or let it find one to talk to through the standard mechanisms.
In order to check the first item, the following query would work (all one
line)
adfind -h dc_to_query -gc -b "" -bit -f "&(objectcategory=computer)(useraccountcontrol:AND:=8192)" useraccountcontrol -samdc
joe
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, May 19, 2005 8:48 AM
To: [email protected]
Subject: RE: [ActiveDir] "UF_PASSWD_NOTREQD" on domain controller?
Hi joe!
Thanks for the reply. It makes me ask a somewhat related question about
adfind. If I want to check the "useraccountcontrol" value against all of
the domain controllers in my enterprise in one swoop, is there a correct
combination of "-b" "-s" parameters that I could use to have adfind search
all the way through AD to include both the root domain controllers and the
child domain controllers? (I think I can filter on
"iscriticalsystemobject=TRUE" to pick out the DCs.) Or do I need to query
for a list of Enterprise DCs and then feed that into an adfind loop?
Thanks!
Mike Thommes
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 17, 2005 8:16 PM
To: [email protected]
Subject: RE: [ActiveDir] "UF_PASSWD_NOTREQD" on domain controller?
Having UF_PASSWD_NOTREQD wouldn't break anything but would be unusual for a
DC I think. Usually you find that on accounts precreated by ADUC. For some
reason it doesn't clear the flag after the account is created, I actually
filed that as a bug with MS a long time ago because netdom doesn't do it.
You can use any LDAP tool to verify the setting but I find ADFIND to be the
easiest. I would hit every DC in the domain just to be sure they all agree.
adfind -h dc -default -f "&(objectcategory=computer)(name=dc_to_check)" useraccountcontrol -samdc
The -samdc will decode the useraccountcontrol to simple mnemonics like
below.
F:\temp>adfind -default -f "&(objectcategory=computer)(name=2k3dc01)"
useraccountcontrol -samdc
AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005
Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com
dn:CN=2K3DC01,OU=Domain Controllers,DC=joe,DC=com
>userAccountControl: 532480 [DC(8192);TRUST_DELEG(524288)]
1 Objects returned
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, May 17, 2005 6:58 AM
To: [email protected]
Subject: [ActiveDir] "UF_PASSWD_NOTREQD" on domain controller?
Hi All,
I didn't get any response from my posting below, so I thought I would
try again. I do have additional information on this issue: if I check with
ADSIEdit on the child DC in question, the value is different, 0x82000 (as it
should be), than what is reported in DCDiag. Could this be some bug in the
DCDiag software that was upgraded in SP1?
Original post:
Daily I run a DCDiag report for the domain controllers in my enterprise.
I noticed that after I upgraded my FSMO root domain controller (where I run
the DCDiag report) to W2K3/SP1 from W2K3, I see the following for one of my
child domain controllers:
Warning: Attribute userAccountControl of XXXXX is: 0x82020 = (
UF_PASSWD_NOTREQD | UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION
)
Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT
| UF_TRUSTED_FOR_DELEGATION )
This may be affecting replication?
I am not aware of anything changing on the child DC in question. A password
not required for a DC computer account doesn't make much sense.
Googling doesn't appear to produce anything useful. Any thoughts on what
this might mean? Thanks!
Mike Thommes
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
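An added example, not part of the original thread or of AdFind: one way to script the "hit every DC and see whether they all agree" check, by parsing the AdFind output captured from each DC and comparing userAccountControl against the 0x82000 value DCDiag calls typical. The host names, the DN and the sample output are constructed, and the function names are hypothetical.

```python
import re

# Bit values as named in the DCDiag warning quoted in the thread.
UF_FLAGS = {
    0x00020: "UF_PASSWD_NOTREQD",
    0x02000: "UF_SERVER_TRUST_ACCOUNT",
    0x80000: "UF_TRUSTED_FOR_DELEGATION",
}
TYPICAL_DC = 0x82000  # "Typical setting for a DC" per the DCDiag text

def decode_uac(value):
    """Return (names of known flags set, leftover bits not in UF_FLAGS)."""
    names = [name for bit, name in sorted(UF_FLAGS.items()) if value & bit]
    return names, value & ~sum(UF_FLAGS)

def parse_adfind(text):
    """Map each dn in one AdFind run to its userAccountControl integer."""
    values, dn = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
        elif dn and (m := re.match(r">userAccountControl:\s*(\d+)", line, re.I)):
            values[dn] = int(m.group(1))
    return values

def audit(outputs_by_dc):
    """outputs_by_dc maps the DC that was queried (-h) to its AdFind output."""
    seen = {}  # dn -> {queried DC: value it returned}
    for server, text in outputs_by_dc.items():
        for dn, value in parse_adfind(text).items():
            seen.setdefault(dn, {})[server] = value
    findings = []
    for dn, per_dc in sorted(seen.items()):
        if len(set(per_dc.values())) > 1:
            findings.append((dn, "replicas disagree", dict(per_dc)))
        for server, value in sorted(per_dc.items()):
            if value != TYPICAL_DC:
                names, extra = decode_uac(value)
                detail = names + ([hex(extra)] if extra else [])
                findings.append((dn, f"{server} reports {value:#x}", detail))
    return findings

# Constructed sample: the same DC object as returned by two different DCs.
DN = "CN=CHILDDC01,OU=Domain Controllers,DC=child,DC=example,DC=com"
SAMPLE = {
    "dc01.example.com": f"dn:{DN}\n>userAccountControl: 532480\n",
    "dc02.example.com": f"dn:{DN}\n>userAccountControl: 532512\n",
}
```

Calling audit(SAMPLE) returns one "replicas disagree" entry plus one entry for the DC whose copy carries UF_PASSWD_NOTREQD; the parser also accepts the -samdc form of the line, since it reads only the leading integer.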