Title: userAccountControl 544
Depends on how the user is created. If using ADSI, you cannot specify a password while creating the user so if you have a password length policy then you have to create the account disabled or set to allow a blank password or both.
With the raw LDAP API (and I would expect S.DS.Protocols), you can create an enabled user because you can specify the password in the ADD op. You can do that with admod if you like.
Note that an account set with 544 doesn't necessarily have a blank password, but it could be.
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 

Sent: Monday, October 16, 2006 5:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] userAccountControl 544

I think I’ve figured it out.  J  Thanks all.


:m:dsm:cci:mvp | marcusoh.blogspot.com


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oh, Marcus (CCI-Atlanta)
Sent: Monday, October 16, 2006 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] userAccountControl 544


Trying to understand this value.  Seeing it set on some of my user objects.  So … 512 would be a normal user but 32 means that no password is required.  When a new user object is created, my understanding (by reading quite a few threads) is that 544 is the default uac.  Does this sound right?

Is there a point when something doesn’t need to listen to domain policy?  It should fail to meet standards by the password length… now, I’m not sure how I can verify the actual password is set to nothing.  One on particular account, I’ve tried logging in with a blank password but get a bad password failure.

Thanks all!

Reply via email to