Wednesday, June 15, 2011

Active Directory userAccountControl and LDS

Active Directory user accounts have an attribute called userAccountControl which is used to control items such as Account Lockout, Account Disabled, Password Never Expires, User Cannot Change Password etc. The attribute is stored as a single integer: each option is a flag within that integer, and based on which flags are set the system knows which options are enabled and which are disabled. The value 512 is the base value for all normal user accounts. To understand all the integer values that make this attribute work please refer to the following KB article.

http://support.microsoft.com/kb/305144

AD LDS (ADAM) does not support the userAccountControl attribute. Instead, AD LDS uses several individual attributes to hold the information that is contained in the flags of the userAccountControl attribute.

For a list of these attributes please refer to the following MSDN article:

http://msdn.microsoft.com/en-us/library/aa772124.aspx

Any userAccountControl flags that are not listed in that article are not supported by AD LDS.
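As an added example (not code from the original post), the script below decodes a userAccountControl integer into its flag names, re-encodes a flag list back into the integer, and translates a value into the per-flag boolean attributes that AD LDS uses instead, reporting which flags would have no AD LDS counterpart. The bit values are the documented userAccountControl flags from the KB article above; the AD LDS attribute names are the per-flag attributes AD LDS uses in place of userAccountControl; the sample values at the bottom are constructed for illustration.

```python
"""Decode and translate Active Directory userAccountControl values.

Added example, not from the original post. Flag bits follow the documented
userAccountControl values; the AD LDS attribute names are the single-valued
boolean attributes AD LDS uses instead of userAccountControl. Sample values
used below are constructed for illustration.
"""

# Bit value -> documented userAccountControl flag name.
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",          # 512, the base value for normal users
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",   # 65536, "Password Never Expires"
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}

# userAccountControl flag -> the boolean attribute AD LDS uses in its place.
LDS_ATTRIBUTES = {
    "ACCOUNTDISABLE": "msDS-UserAccountDisabled",
    "LOCKOUT": "msDS-UserAccountAutoLocked",
    "PASSWD_NOTREQD": "msDS-UserPasswordNotRequired",
    "ENCRYPTED_TEXT_PWD_ALLOWED": "msDS-UserEncryptedTextPasswordAllowed",
    "DONT_EXPIRE_PASSWORD": "msDS-UserDontExpirePassword",
    "PASSWORD_EXPIRED": "msDS-UserPasswordExpired",
}


def decode_uac(value):
    """Return the flag names set in a userAccountControl integer, lowest bit first.

    Bits without a documented name are reported as UNKNOWN_0x... so that an
    unexpected value is never silently dropped.
    """
    names = []
    bit = 1
    while bit <= value:
        if value & bit:
            names.append(UAC_FLAGS.get(bit, "UNKNOWN_0x%X" % bit))
        bit <<= 1
    return names


def encode_uac(names):
    """Inverse of decode_uac: OR the named flags into the integer AD stores."""
    by_name = {name: bit for bit, name in UAC_FLAGS.items()}
    value = 0
    for name in names:
        if name not in by_name:
            raise ValueError("unknown userAccountControl flag: %s" % name)
        value |= by_name[name]
    return value


def to_lds(value):
    """Translate a userAccountControl value into the AD LDS representation.

    Returns (attributes, unsupported): `attributes` maps every AD LDS per-flag
    attribute to its boolean value; `unsupported` lists the flags set in
    `value` that AD LDS has no attribute for and which a sync would lose.
    """
    flags = decode_uac(value)
    attributes = {attr: (flag in flags) for flag, attr in LDS_ATTRIBUTES.items()}
    unsupported = [flag for flag in flags if flag not in LDS_ATTRIBUTES]
    return attributes, unsupported


if __name__ == "__main__":
    # Constructed sample: a normal account that is disabled and whose
    # password never expires (512 + 2 + 65536 = 66050).
    sample = 512 + 2 + 65536
    print(sample, "->", decode_uac(sample))
    attrs, lost = to_lds(sample)
    for attr, val in sorted(attrs.items()):
        print("  %s: %s" % (attr, "TRUE" if val else "FALSE"))
    print("  flags with no AD LDS attribute:", lost)
```

Two points worth keeping in mind when using this against a real directory: the AD LDS attributes are LDAP booleans, so a filter such as (msDS-UserAccountDisabled=TRUE) matches on the literal TRUE/FALSE value rather than 1/0; and the "User Cannot Change Password" option, although it has a PASSWD_CANT_CHANGE bit, is enforced in AD through a permission on the object rather than by setting that bit directly, so reading the bit alone is not a reliable check for it.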

6 comments:

  1. Excellent Article! I personally really appreciate your post. This is a great website. I will make sure that I stop back again!.
    data recovery colorado

  2. Hi Clint,

    I have MS win2008 R2, AD server DC with LDAP services enabled on it. Also an MS Exch 2010 server with it.
    My third party devices of Cisco are getting AD account synchronization, and I can see all my user accounts in the Management of Cisco Call Manager console, but when I try to login to the Cisco device Call Manager, it gives me a BAD Credentials error. Can you please help me in this regard.

    Bundle of Thanks,

    MAZ

  3. Hi Maz,

    Sure, I'm happy to assist. Please get in contact with me by flicking through an email to Clint.boessen@avantgardetechnologies.com.au

  4. Clint,

    Does the msDS-UserAccountDisabled attribute need to be created/populated with a value in ADAM / LDS? Or is it a default account attribute? I have tried every variation of syntax to query this value from a 3rd party LDAP solution and cannot get a result returned (querying for the value itself, querying for accounts whose attribute = TRUE, etc.). Is there a specific syntax I should be using? I tried using a query filter where (msDS-UserAccountDisabled=TRUE) or (msDS-UserAccountDisabled=1) or (msDS-UserAccountDisabled=0x1), etc. Tried variations of the variable name with full hyphens as displayed in one of the articles, etc.

    On a related note, do you know if the actual AD attribute userAccountDisabled can be proxied by LDS back to LDS (like password).

    When and if I am able to query the attribute successfully, will the value of the attribute need to be added to a LDIF sync from AD to keep the 'different' attribute in LDS in sync with the source AD? Or is this something that will be updated 'automatically'?

    Thanks in advance.

    Bill

  5. Helpful article, thanks for this information to control items like account lockout, account disabled, password never expires etc. I got a good tool from http://www.lepide.com/active-directory-self-service/ that provides the facility to unlock accounts, reset passwords and update personal information in the Active Directory environment.
