AD user flags

  • Jan Nielsen

    AD user flags

    In an aspx web page, I'm trying to read out some attributes regarding
    password settings like UF_PASSWD_NOTREQD, UF_PASSWD_CANT_CHANGE,
    UF_DONT_EXPIRE_PASSWD and UF_PASSWORD_EXPIRED.

    According to the documentation userAccountControl seems to be an integer
    containing these. However only the bit UF_DONT_EXPIRE_PASSWD seems to be
    updated properly. The other three flags are reset no matter what I do to the
    user account. Using ADSI Edit it seems like
    "msDS-User-Account-Control-Computed" can be used to determine
    UF_PASSWORD_EXPIRED, but trying to read this attribute using DirectoryEntry
    etc. causes an exception to occur.

    iFlags = (int)objAccount.Properties["msDS-User-Account-Control-Computed"].Value;

    It seems like this attribute is not in the collection.

    How should I read these properties in asp.net ???


    Thanks in advance,
    Jan Nielsen


  • Jeffrey Tan[MSFT]

    #2
    RE: AD user flags

    Hi Jan,

    Based on my understanding, you want to get some password-related flags of
    a certain user.

    I think you should use the userAccountControl property to get these flags
    instead of using "msDS-User-Account-Control-Computed".

    Also, after you change your user account, it may need a little time to
    update the property. So you should re-query the change some time later.

    Please apply my suggestion above and let me know if it helps resolve your
    problem.

    Thank you for your patience and cooperation. If you have any questions or
    concerns, please feel free to post it in the group. I am standing by to be
    of assistance.

    Best regards,
    Jeffrey Tan
    Microsoft Online Partner Support
    Get Secure! - www.microsoft.com/security
    This posting is provided "as is" with no warranties and confers no rights.

      • Jan Nielsen

        #4
        Re: AD user flags

        Hi Jeffrey,

        Thanks for your reply.

        I've now tried to wait for a few hours, and neither the
        UF_PASSWD_CANT_CHANGE (0x0040) bit nor
        UF_PASSWORD_EXPIRED (0x800000) bit gets updated in userAccountControl.

        I'm sure it's not caused by replication delay, as I'm updating and querying
        the same DC. And the UF_DONT_EXPIRE_PASSWD (0x10000) bit gets updated right
        away.

        For a user that has "User cannot change password" and "Password never
        expires" checked, the value I read in userAccountControl is 0x10200. I would
        expect it to be 0x10240.


        Kind regards,
        Jan Nielsen


          • Jeffrey Tan[MSFT]

            #6
            Re: AD user flags

            Hi Jan,

            Thanks for your feedback.

            Have you used ADSI Edit to view the userAccountControl property?

            I think we should first determine if the problem is due to your C# program
            or the other problem.

            The DirectoryServices should get the same value as you say in ADSI
            Edit. So I think you should first test without the program:

            First view your normal account's userAccountControl property; it should be
            512, that is UF_NORMAL_ACCOUNT (0x00200). Then, you may use your DC to
            change this account's password setting. Then, you should refer to the change
            again through ADSI Edit. (Remember to refresh it.)

            If the value only reflects out the UF_DONT_EXPIRE_PASSWD flag and is the
            same result as the program gets, it means the problem has nothing to do with
            the program, but other setting.

            Thank you for your patience and cooperation. Please feel free to feedback.

            Best regards,
            Jeffrey Tan
            Microsoft Online Partner Support
            Get Secure! - www.microsoft.com/security
            This posting is provided "as is" with no warranties and confers no rights.

              • Jeffrey Tan[MSFT]

                #8
                Re: AD user flags

                Hi Jan,

                Have you tried my suggestion to use ADSI Edit to get the result? Is the
                flag affected?

                Please feel free to feedback, I will help you. Thanks

                Best regards,
                Jeffrey Tan
                Microsoft Online Partner Support
                Get Secure! - www.microsoft.com/security
                This posting is provided "as is" with no warranties and confers no rights.

                • Jan Nielsen

                  #9
                  Re: AD user flags

                  Hi Jeffrey,



                  ADSI Edit reports the same values as my C# program.

                  A user who has a password that does not expire reports 0x10200.

                  A normal user reports 0x00200.



                  No other flags, among the ones I'm interested in, seem to affect this value.



                  Kind regards,
                  Jan Nielsen


                  • Jeffrey Tan[MSFT]

                    #10
                    Re: AD user flags

                    Hi Jan,

                    Thanks for your feedback.

                    Because the ADSI Edit gets the same result as C# program, I think the
                    problem is not the ADSI, it should be the setting of your Active Directory
                    of your domain setting.

                    You may consult this issue in microsoft.public.win2000.active_directory or
                    microsoft.public.win2000.group_policy to fix it.

                    Once your setting is correct, I think you should get the correct affected
                    value. Thanks for your understanding.

                    Best regards,
                    Jeffrey Tan
                    Microsoft Online Partner Support
                    Get Secure! - www.microsoft.com/security
                    This posting is provided "as is" with no warranties and confers no rights.
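
Added example, not part of the thread and not the posters' code: of the flags discussed above, UF_PASSWORD_EXPIRED is reported through the constructed attribute msDS-User-Account-Control-Computed, which DirectoryEntry only returns after it has been requested by name with RefreshCache, and "User cannot change password" is held as deny ACEs on the user object rather than as a stored userAccountControl bit. The code below merges the three sources into one flag word; the class and method names are hypothetical, and it assumes the LDAP provider, a domain controller that exposes the computed attribute, read access to the object's DACL, and that a deny ACE for SELF or Everyone counts as "cannot change".

```csharp
using System;
using System.DirectoryServices;
using System.Security.AccessControl;
using System.Security.Principal;

static class UserFlags  // hypothetical helper, not from the thread
{
    const int PasswdCantChange = 0x0040, PasswordExpired = 0x800000;
    const string Computed = "msDS-User-Account-Control-Computed";
    // Schema GUID of the "Change Password" control access right.
    static readonly Guid ChangePassword = new Guid("ab721a53-1e2f-11d0-9819-00aa0040529b");

    // Pure merge step, kept separate so it can be exercised without a directory.
    public static int Merge(int stored, int computed, bool denyChange)
    {
        int flags = stored & ~(PasswordExpired | PasswdCantChange);
        flags |= computed & PasswordExpired;        // evaluated by the DC at read time
        if (denyChange) flags |= PasswdCantChange;  // held as ACEs, not as a stored bit
        return flags;
    }

    public static int Read(DirectoryEntry user)
    {
        // A constructed attribute is not in the default property cache, so it
        // has to be requested by name before Properties[...] holds a value.
        user.RefreshCache(new[] { "userAccountControl", Computed });
        int stored = (int)user.Properties["userAccountControl"].Value;
        int computed = (int)(user.Properties[Computed].Value ?? 0);

        var self = new SecurityIdentifier(WellKnownSidType.SelfSid, null);
        var everyone = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
        bool deny = false;
        foreach (ActiveDirectoryAccessRule rule in
                 user.ObjectSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            if (rule.AccessControlType == AccessControlType.Deny
                && rule.ObjectType == ChangePassword
                && (rule.IdentityReference.Equals(self) || rule.IdentityReference.Equals(everyone)))
                deny = true;
        }
        return Merge(stored, computed, deny);
    }

    static void Main()
    {
        // Constructed inputs: the stored value 0x10200 reported in the thread, a
        // computed value of 0 (not expired), and a deny ACE found on the object.
        Console.WriteLine("0x{0:X}", Merge(0x10200, 0, true));
    }
}
```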
