Thanks in advance, John
There are some flags on userAccountControl in AD that just don't work such
as the lockout flag and this one. They are included for backwards
compatibility with NT4 (which uses the same enum), but the directory
supports those functions in a different way. However, the computed
attribute is supposed to help with that. I'm just not sure if it supports
the "user cannot change password" setting.
It may be necessary to check the security descriptor directly.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"JRB" <jo...@jrbsoftware.com> wrote in message
news:1179271327.8...@o5g2000hsb.googlegroups.com...
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
"Joe Kaplan" <joseph....@removethis.accenture.com> wrote in message
news:egWLOh9l...@TK2MSFTNGP03.phx.gbl...
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Thanks!
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Joe Richards [MVP]" <humore...@hotmail.com> wrote in message
news:ecNlylLm...@TK2MSFTNGP06.phx.gbl...
John
On May 18, 8:17 am, "Joe Kaplan"
<joseph.e.kap...@removethis.accenture.com> wrote:
> Do you know if that flag is supported in the computed attribute or does the
> computed attribute only support lockout and password expired? I don't have
> a handy way to test it right now.
>
> Thanks!
>
> Joe K.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services Programming"
> http://www.directoryprogramming.net
> --
> "Joe Richards [MVP]" <humorexpr...@hotmail.com> wrote in message
> news:ecNlylLm...@TK2MSFTNGP06.phx.gbl...
>
>
>
> > ADUC reads the Security Descriptor.
>
> > --
> > Joe Richards Microsoft MVP Windows Server Directory Services
> > Author of O'Reilly Active Directory Third Edition
> >www.joeware.net
>
> > ---O'Reilly Active Directory Third Edition now available---
>
> > http://www.joeware.net/win/ad3e.htm
>
> > Richard Mueller [MVP] wrote:
> >> I have not used the ADS_UF_PASSWD_CANT_CHANGE bit of userAccountControl
> >> because it is unreliable. However, I have configured several users so
> >> they cannot change their password, and none have this bit set. The
> >> documentation says this bit can be read, but I think that is mistaken. I
> >> don't know how ADUC determines this setting. The only way I know is to
> >> read the security descriptor.
It would appear you have to read the DACL. Given that this is what ADUC
does according to Joe R., I'm not surprised.
As usual, the documentation could be a little more helpful here. I'm
ashamed to say that we didn't even remember to cover this setting in ch 10
of our book. I've never been in a situation where I wanted to use that flag
and just never thought about it. Oh well. This has been a good education
for me.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"JRB" <jo...@jrbsoftware.com> wrote in message
news:1179438482.7...@o5g2000hsb.googlegroups.com...
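The check the thread settles on, as an added example that is not code from the thread, its posters or their books: the states msDS-User-Account-Control-Computed does carry, beside an ADUC-style scan of the DACL for the "user cannot change password" setting it does not. The UF_* bit values and the User-Change-Password rightsGuid are the documented constants; the rule that a deny ACE on that right for Everyone or SELF means the setting is on is the documented ADUC behaviour and is assumed here, and the DACL tuples are constructed sample data rather than anything read from a directory.

```python
# Added example: where "user cannot change password" actually lives.
# Bit values are the documented UF_* constants; the ACE rule is the
# documented ADUC behaviour and is assumed here, as is the (ace_type,
# trustee_sid, object_guid) layout of the constructed DACL below.

UF_LOCKOUT = 0x10
UF_PASSWD_CANT_CHANGE = 0x40        # present in userAccountControl, but not reliable
UF_PASSWORD_EXPIRED = 0x800000

# Extended right "User-Change-Password" (well-known rightsGuid)
CHANGE_PASSWORD_RIGHT = "ab721a53-1e2f-11d0-9819-00aa0040529b"
EVERYONE_SID = "S-1-1-0"
SELF_SID = "S-1-5-10"
ACCESS_ALLOWED_OBJECT_ACE = 5       # ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
ACCESS_DENIED_OBJECT_ACE = 6        # ADS_ACETYPE_ACCESS_DENIED_OBJECT


def computed_state(msds_uac_computed):
    """States that msDS-User-Account-Control-Computed does carry."""
    return {
        "locked_out": bool(msds_uac_computed & UF_LOCKOUT),
        "password_expired": bool(msds_uac_computed & UF_PASSWORD_EXPIRED),
    }


def cannot_change_password(dacl):
    """ADUC-style check over a DACL given as (ace_type, trustee_sid, object_guid).

    The checkbox writes a deny ACE on the Change Password right for Everyone
    and for SELF; the setting is reported as on when either deny is present.
    GUIDs are compared case-insensitively because tools print them both ways.
    """
    for ace_type, trustee, object_guid in dacl:
        if (ace_type == ACCESS_DENIED_OBJECT_ACE
                and object_guid.lower() == CHANGE_PASSWORD_RIGHT
                and trustee in (EVERYONE_SID, SELF_SID)):
            return True
    return False


def describe(user_account_control, msds_uac_computed, dacl):
    """Merge both sources and flag a userAccountControl bit that disagrees with the DACL."""
    state = computed_state(msds_uac_computed)
    state["cannot_change_password"] = cannot_change_password(dacl)
    uac_bit = bool(user_account_control & UF_PASSWD_CANT_CHANGE)
    state["uac_bit_disagrees"] = uac_bit != state["cannot_change_password"]
    return state


# Constructed sample: normal account (0x200) whose DACL carries the two deny ACEs
SAMPLE_DACL = [
    (ACCESS_ALLOWED_OBJECT_ACE, SELF_SID, CHANGE_PASSWORD_RIGHT),   # default allow
    (ACCESS_DENIED_OBJECT_ACE, EVERYONE_SID, CHANGE_PASSWORD_RIGHT),
    (ACCESS_DENIED_OBJECT_ACE, SELF_SID, "AB721A53-1E2F-11D0-9819-00AA0040529B"),
]

if __name__ == "__main__":
    print(describe(0x200, UF_LOCKOUT, SAMPLE_DACL))
```

A deny ACE for some other trustee on the same right does not count, which is why the check looks at the principal and not just the GUID.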
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
I am actually trying to visualize ANY constructed attributes that would
have delay. I can't think of one off the top of my head, they should all
be updated immediately. There are things like universal group caching etc
that will have a delay but they aren't constructed attributes based on
immediate DS relationships, it is info being synced from one DC to
another through a special process.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Joe Richards [MVP]" <humore...@hotmail.com> wrote in message
news:uBCCpEPm...@TK2MSFTNGP02.phx.gbl...
Re my comments on delayed updates - I just remembered what it was that
inspired that comment. I had my wires crossed a little, I had read
that the lastLogonTimeStamp is replicated only every 14 days because
"replicating more often could generate a large amount of replication
traffic". A somewhat weak excuse given eDirectory manages to replicate
the last login time to all servers holding a replica within seconds of
a login, and with minimal traffic.
John
On May 18, 10:49 am, "Joe Kaplan"
<joseph.e.kap...@removethis.accenture.com> wrote:
> In this case, no, there should not be. I believe you are seeing the
> expected result which is that the computed attribute supports the "locked
> out" and "password expired" states, but not "user cannot change password".
>
> It would appear you have to read the DACL. Given that this is what ADUC
> does according to Joe R., I'm not surprised.
>
> As usual, the documentation could be a little more helpful here. I'm
> ashamed to say that we didn't even remember to cover this setting in ch 10
> of our book. I've never been in a situation where I wanted to use that flag
> and just never thought about it. Oh well. This has been a good education
> for me.
>
> Joe K.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services Programming"
> http://www.directoryprogramming.net
> --
> "JRB" <j...@jrbsoftware.com> wrote in message
[1] ADAM only. One day is the minimum for AD IIRC.
Note also. The attribute replicates normally. Internally, the DS doesn't
update it every time, it uses a rather complex algorithm based on the value of
msDS-LogonTimeSyncInterval minus a random interval between 0 and 5.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
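A model of the update rule described above, as an added example that is not code from the thread or any of its posters. The 14-day default and the random 0 to 5 day offset come from the thread; treating the rule as "rewrite the stamp only when the stored value is older than (msDS-LogonTimeSyncInterval minus the offset) days" is an assumption, and the daily logon series is constructed input.

```python
# Added example, not code from the thread: a model of when a DC rewrites
# lastLogonTimeStamp at logon. 14-day default and 0-5 day random offset
# are from the thread; the exact comparison used here is an assumption.
from datetime import datetime, timedelta
import random

DEFAULT_SYNC_INTERVAL_DAYS = 14      # msDS-LogonTimeSyncInterval default


def should_update(stored, now, sync_interval_days=DEFAULT_SYNC_INTERVAL_DAYS,
                  offset_days=None, rng=random):
    """True when a logon at `now` rewrites a lastLogonTimeStamp of `stored`."""
    if stored is None:
        return True
    if offset_days is None:
        offset_days = rng.randint(0, 5)          # the random 0-5 day part of the rule
    threshold = timedelta(days=sync_interval_days - offset_days)
    return now - stored > threshold


def simulate(logons, sync_interval_days=DEFAULT_SYNC_INTERVAL_DAYS,
             offset_days=None, rng=random):
    """Replay logons in order; return (timestamps actually written, worst lag in days).

    Lag is how far the stored value trailed the true most recent logon just
    before each rewrite, i.e. what a reader of the attribute would miss.
    """
    written, stored, previous, worst = [], None, None, 0
    for t in logons:
        if should_update(stored, t, sync_interval_days, offset_days, rng):
            if stored is not None:
                worst = max(worst, (previous - stored).days)
            stored = t
            written.append(t)
        previous = t
    return written, worst


def daily_logons(days, start=datetime(2007, 5, 18)):
    """Constructed input: one logon per day for `days` days."""
    return [start + timedelta(days=i) for i in range(days)]


if __name__ == "__main__":
    written, worst = simulate(daily_logons(31), offset_days=0)
    print([w.date().isoformat() for w in written], "worst lag", worst, "days")
```

With the offset fixed at 0 a user who logs on every day gets the stamp rewritten only every 15th day, so the stored value can trail the real last logon by a full 14 days; an offset of 5 shortens that to 9.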