Without getting into the politics involved that got us here, suffice it to say that someone with a lot of political clout, no Windows or Active Directory experience (though considerable MAC/OS X experience), and a PhD at the end of their name, made a decision to deploy openLDAP and Active Directory would be fed with information through a connector written specifically for that purpose.
For the most part this works well. We have developed a web page that allows users to change passwords, incorporated various (homegrown) connectors to provide for single sign-on to most services, network drives, etc., all platform independent, allowing users to freely move from Windows (~85% total number of systems) to MAC OS-X systems (~15% total number of systems) using the same set of credentials. One of the few areas where issues have arisen is in the changing of a users status. I have told them to modify userAccountControl, the programmers (connector is written in oCamel so there is a separate group that handles this) have decided that msDs-User-Account-Control-Computed is the correct attribute to use in order to enable, disable, lock, unlock, etc. a user account. Can someone from this group tell me the differences between these attributes and which would be the correct one to use for the stated purposes? David Aragon List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
