UserAccountcontrol Problem when creating a user in AD2003

[manoj.sp]

When a user is created in AD2003, the attribute UserAccountcontrol is
assigned a value of 546 by default. When I tried to modify it with
values like 512, 66048 etc error occured viz., "error 53: DSA
Unwilling to perform". I found that the minimum value that is allowed
to replace is 544(512 + 32). 32 represents the flag "Password Not
Reqd". This suggests that this flag is important while user creation.
My question is, can we not create a User in ad2003 with the
UserAccountcontrol value 512? If not, please suggest why? And also, if
there exists any password policy by default, which makes the
PasswdNotReqd flag of the UserAccountcontrol attribute mandatory,
while user creation? Please suggest how to remove that policy from the
AD2003 system?

Thanks
Manoj

 

[Edoardo Benussi [MVP]]

When a user is created in AD2003, the attribute UserAccountcontrol is
assigned a value of 546 by default. When I tried to modify it with
values like 512, 66048 etc error occured viz., "error 53: DSA
Unwilling to perform". I found that the minimum value that is allowed
to replace is 544(512 + 32). 32 represents the flag "Password Not
Reqd". This suggests that this flag is important while user creation.
My question is, can we not create a User in ad2003 with the
UserAccountcontrol value 512? If not, please suggest why? And also, if
there exists any password policy by default, which makes the
PasswdNotReqd flag of the UserAccountcontrol attribute mandatory,
while user creation? Please suggest how to remove that policy from the
AD2003 system?

take a look at this:
How to Use the UserAccountControl Flags to Manipulate User Account
Properties
http://support.microsoft.com/default.aspx?scid=kb;en-us;305144

regards

 

[Laura A. Robinson]

circa 3 Dec 2004 07:04:43 -0800, in
microsoft.public.windows.server.active_directory, (e-mail address removed)
([email protected]) said,

When a user is created in AD2003, the attribute UserAccountcontrol is
assigned a value of 546 by default. When I tried to modify it with
values like 512, 66048 etc error occured viz., "error 53: DSA
Unwilling to perform". I found that the minimum value that is allowed
to replace is 544(512 + 32). 32 represents the flag "Password Not
Reqd". This suggests that this flag is important while user creation.
My question is, can we not create a User in ad2003 with the
UserAccountcontrol value 512? If not, please suggest why? And also, if
there exists any password policy by default, which makes the
PasswdNotReqd flag of the UserAccountcontrol attribute mandatory,
while user creation? Please suggest how to remove that policy from the
AD2003 system?

Thanks
Manoj

You *can* create accounts with the UserAccountControl value set to
512, but you need to assign passwords to the accounts when you create
them. The reason that you are having problems is that Win2K3 by
default requires complex passwords that are a minimum of 7 characters
in length, IIRC. The fact that the only way that you're able to
create your accounts in enabled form is to do it by setting them as
not needing passwords (bad idea) likely confirms that your Default
Domain Policy is still set to its default settings. You could change
your domain's password policy requirements, but it would be wiser to
create the accounts with appropriate passwords instead, IMO.

Laura

 

[Joe Richards [MVP]]

You need to create the user object, then set it (setinfo if scripting with
adsi), then after created go in and set a password and modify useraccountcontrol.

joe

 

[Laura A. Robinson]

circa Sat, 04 Dec 2004 12:20:43 -0500, in
microsoft.public.win2000.active_directory, Joe Richards [MVP]
([email protected]) said,

You need to create the user object, then set it (setinfo if scripting with
adsi), then after created go in and set a password and modify useraccountcontrol.

If you use dsadd user, you can do this all in one shot, however. I'm
not sure how the user is creating the accounts, but perhaps this
might be an option.

Laura