Yes once the user is created and the password set, change
the UAC to 512.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, October 17, 2006 1:24 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] userAccountControl 544 D*mn
I’m glad you can understand my gibberish. I reread that post and came up
with a ‘what the h*//???’ In
the circumstance w/ ADSI, what would be the proper routine to follow?
After the user is created and the password set, do you change the value of 544
back to 512? I’ve
noticed the same about 544. The user doesn’t appear to have sufficient
rights to reset their password to a blank password. The administrator (or
someone with full control on the object – have not verified what permissions
exactly) can set their password to null all day long. That’s kind of
dismaying. Also,
544 doesn’t go back to 512 after the user password has changed so it’s kind of
subject to always holding the capacity for a blank password. Don’t really
like that either… Thanks
for the information, as always. I picked up your book, by the way.
Fun read. From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of joe Depends
on how the user is created. If using ADSI, you cannot specify a password while
creating the user so if you have a password length policy then you have to
create the account disabled or set to allow a blank password or both.
With the
raw LDAP API (and I would expect S.DS.Protocols), you can create an enabled user
because you can specify the password in the ADD op. You can do that with admod
if you like. Note
that an account set with 544 doesn't necessarily have a blank password, but it
could be. -- O'Reilly
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of [EMAIL PROTECTED] I think I’ve
figured it out. J Thanks
all. :m:dsm:cci:mvp |
marcusoh.blogspot.com From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Oh, Marcus (CCI-Atlanta) Trying to understand this
value. Seeing it set on some of my user objects. So … 512 would be a
normal user but 32 means that no password is required. When a new user
object is created, my understanding (by reading quite a few threads) is that 544
is the default uac. Does this sound
right? Is there a
point when something doesn’t need to listen to domain policy? It should
fail to meet standards by the password length… now, I’m not sure how I
can verify the actual
password is set to nothing. One on particular account, I’ve tried logging
in with a blank password but get a bad password failure. Thanks
all! |
Title: userAccountControl 544
- [ActiveDir] userAccountControl 544 Marcus.Oh
- RE: [ActiveDir] userAccountControl 544 Marcus.Oh
- RE: [ActiveDir] userAccountControl 544 joe
- RE: [ActiveDir] userAccountControl 544 Marcus.Oh
- Re: [ActiveDir] userAccountControl 544 Paul Williams
- RE: [ActiveDir] userAccountControl 544 joe
- Re: [ActiveDir] userAccountControl 544 Michael B Allen