You should be able to import userAccountControl I think. But it probably has to be the last attribute imported.
It is a bit-mapped attribute and contains LOTS of pieces of information. I discuss userAccountControl in detail in this blog post. Yes, it doesn't seem relevant, but when you read it, you will understand why it is. :)

http://theessentialexchange.com/blogs/michael/archive/2012/01/17/sending-an-email-to-users-whose-password-is-about-to-expire-a-powershell-rewrite.aspx

From: [email protected] [mailto:[email protected]] On Behalf Of Christopher Bodnar
Sent: Thursday, June 6, 2013 2:43 PM
To: [email protected]
Subject: Re: [NTSysADM] LDIFDE question

My question is why aren't these attributes documented as not able to import like the others are? Very frustrating

thanks

Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise Architecture and Engineering Services
Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
[email protected]
The Guardian Life Insurance Company of America
www.guardianlife.com

From: Michael Leone <[email protected]>
To: [email protected]
Date: 06/06/2013 12:44 PM
Subject: Re: [NTSysADM] LDIFDE question
Sent by: [email protected]

On Thu, Jun 6, 2013 at 11:28 AM, Christopher Bodnar <[email protected]> wrote:
>
> Figured it out:
>
> Exported just one user, and started eliminating attributes one by one. Found
> that I had to remove these 2 attributes to get it to work. :
>
> userAccountControl:

I think UAC is computed from the settings for the individual components (i.e., "Password Never Expires", "Account Disabled", etc). So I imagine the values for UAC will be re-computed when the account is accessed? Am I right, or am I just speaking out of an inappropriate orifice?

> lastLogonTimestamp:

That's filled in by a DC, isn't it? Probably not too useful until the user actually logs in, which in a test domain hasn't actually happened yet (the logon was in the production domain).

> And I think userAccountControl would work if I made the password policy the
> same as it is in production.
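An added example, not part of the original thread or any poster's code: a PowerShell script that strips the two attributes the thread identified from an LDIF export and decodes each removed userAccountControl value into its flag names, so the settings can be reviewed before import. The sample entry, its DN and its values are constructed, and the flag table lists only a few well-known bits.

```powershell
# Constructed sample: one user entry shaped like an LDIFDE export (all values made up).
$ldif = @'
dn: CN=Test User,OU=Staff,DC=example,DC=test
changetype: add
objectClass: user
sAMAccountName: tuser
userAccountControl: 66050
lastLogonTimestamp: 130150000000000000
'@

# A few well-known userAccountControl bits; this is not the complete list.
$uacFlags = [ordered]@{
    ACCOUNTDISABLE       = 0x0002
    PASSWD_NOTREQD       = 0x0020
    NORMAL_ACCOUNT       = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
    SMARTCARD_REQUIRED   = 0x40000
}

function ConvertFrom-Uac([int]$Value) {
    # Return the name of every known bit that is set in $Value.
    $uacFlags.GetEnumerator() |
        Where-Object { $Value -band $_.Value } |
        ForEach-Object { $_.Key }
}

# The two attributes that were removed in the thread before the import worked.
$drop = 'userAccountControl', 'lastLogonTimestamp'

$dn = $null
$kept = foreach ($line in $ldif -split "`r?`n") {
    if ($line -match '^dn:\s*(.+)$') { $dn = $Matches[1] }
    # Both dropped attributes hold short integers, so folded (continuation)
    # lines are not handled here.
    if ($line -match '^([^:]+):\s*(.*)$' -and $drop -contains $Matches[1]) {
        if ($Matches[1] -eq 'userAccountControl') {
            $flags = (ConvertFrom-Uac ([int]$Matches[2])) -join ', '
            Write-Host "$dn : userAccountControl=$($Matches[2]) ($flags)"
        }
        continue   # leave this attribute out of the import file
    }
    $line
}

# Cleaned LDIF text, ready to be written to a file for import.
$kept -join "`r`n"
```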

