On Thu, Jun 6, 2013 at 11:28 AM, Christopher Bodnar <[email protected]> wrote: > > Figured it out: > > Exported just one user, and started eliminating attributes one by one. Found > that I had to remove these 2 attributes to get it to work. : > > userAccountControl:
I think UAC is computed from the settings for the individual components (i.e., "Password Never Expires", "Account Disabled", etc). So I imagine the values for UAC will be re-computed when the account is accessed? Am I right, or am I just speaking out of an inappropriate orifice? > lastLogonTimestamp: That's filled in by a DC, isn't it? Probably not too useful until the user actually logs in, which in a test domain hasn't actually happened yet (the logon was in the production domain). > And I think userAccountControl would work if I made the password policy the > same as it is in production.
