D*mn I’m glad you can understand my gibberish. I reread
that post and came up with a ‘what the h*//???’ In the circumstance w/ ADSI, what would be the proper routine to
follow? After the user is created and the password set, do you change the
value of 544 back to 512? I’ve noticed the same about 544. The user doesn’t
appear to have sufficient rights to reset their password to a blank
password. The administrator (or someone with full control on the object –
have not verified what permissions exactly) can set their password to null all
day long. That’s kind of dismaying. Also, 544 doesn’t go back to 512 after the user password
has changed so it’s kind of subject to always holding the capacity for a
blank password. Don’t really like that either… Thanks for the information, as always. I picked up your
book, by the way. Fun read. From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of joe Depends on how the user is created. If using ADSI, you cannot
specify a password while creating the user so if you have a password length
policy then you have to create the account disabled or set to allow a blank
password or both. With the raw LDAP API (and I would expect S.DS.Protocols), you can
create an enabled user because you can specify the password in the ADD op. You
can do that with admod if you like. Note that an account set with 544 doesn't necessarily have a blank
password, but it could be. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] I
think I’ve figured it out. J
Thanks all. :m:dsm:cci:mvp | marcusoh.blogspot.com From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Oh, Marcus (CCI-Atlanta) Trying
to understand
this value. Seeing it set on some of my user objects. So … 512 would be a
normal user but 32 means that no password is required. When a new user
object is created, my understanding (by reading quite a few threads) is that
544 is the default uac. Does this sound right? Is there a
point when something doesn’t need to listen to domain policy? It
should fail to meet standards by the password length… now, I’m not
sure how I can verify the actual password is set to nothing. One on
particular account, I’ve tried logging in with a blank password but get a
bad password failure. Thanks all! |
Title: userAccountControl 544
- [ActiveDir] userAccountControl 544 Marcus.Oh
- RE: [ActiveDir] userAccountControl 544 Marcus.Oh
- RE: [ActiveDir] userAccountControl 544 joe
- RE: [ActiveDir] userAccountControl 544 Marcus.Oh
- Re: [ActiveDir] userAccountControl 544 Michael B Allen