Sign in with
Sign up | Sign in
Your question

UserAccountcontrol Problem when creating a user in AD2003

Last response: in Windows 2000/NT
Share
Anonymous
December 3, 2004 10:04:43 AM

Archived from groups: microsoft.public.windows.server.migration,microsoft.public.it.winserver,microsoft.public.win2000.networking,microsoft.public.windows.server.active_directory,microsoft.public.win2000.active_directory (More info?)

When a user is created in AD2003, the attribute UserAccountcontrol is
assigned a value of 546 by default. When I tried to modify it with
values like 512, 66048 etc error occured viz., "error 53: DSA
Unwilling to perform". I found that the minimum value that is allowed
to replace is 544(512 + 32). 32 represents the flag "Password Not
Reqd". This suggests that this flag is important while user creation.
My question is, can we not create a User in ad2003 with the
UserAccountcontrol value 512? If not, please suggest why? And also, if
there exists any password policy by default, which makes the
PasswdNotReqd flag of the UserAccountcontrol attribute mandatory,
while user creation? Please suggest how to remove that policy from the
AD2003 system?

Thanks
Manoj
Anonymous
December 3, 2004 8:24:09 PM

Archived from groups: microsoft.public.windows.server.migration,microsoft.public.it.winserver,microsoft.public.win2000.networking,microsoft.public.windows.server.active_directory,microsoft.public.win2000.active_directory (More info?)

manoj.sp@gmail.com wrote:
> When a user is created in AD2003, the attribute UserAccountcontrol is
> assigned a value of 546 by default. When I tried to modify it with
> values like 512, 66048 etc error occured viz., "error 53: DSA
> Unwilling to perform". I found that the minimum value that is allowed
> to replace is 544(512 + 32). 32 represents the flag "Password Not
> Reqd". This suggests that this flag is important while user creation.
> My question is, can we not create a User in ad2003 with the
> UserAccountcontrol value 512? If not, please suggest why? And also, if
> there exists any password policy by default, which makes the
> PasswdNotReqd flag of the UserAccountcontrol attribute mandatory,
> while user creation? Please suggest how to remove that policy from the
> AD2003 system?

take a look at this:
How to Use the UserAccountControl Flags to Manipulate User Account
Properties
http://support.microsoft.com/default.aspx?scid=kb;en-us;305144

regards

--
Edoardo Benussi - edo@mvps.org
Microsoft® MVP - Windows Server Networking
http://mvp.support.microsoft.com
http://italy.mvps.org
Anonymous
December 4, 2004 2:16:00 AM

Archived from groups: microsoft.public.windows.server.migration,microsoft.public.it.winserver,microsoft.public.win2000.networking,microsoft.public.windows.server.active_directory,microsoft.public.win2000.active_directory (More info?)

circa 3 Dec 2004 07:04:43 -0800, in
microsoft.public.windows.server.active_directory, manoj.sp@gmail.com
(manoj.sp@gmail.com) said,
> When a user is created in AD2003, the attribute UserAccountcontrol is
> assigned a value of 546 by default. When I tried to modify it with
> values like 512, 66048 etc error occured viz., "error 53: DSA
> Unwilling to perform". I found that the minimum value that is allowed
> to replace is 544(512 + 32). 32 represents the flag "Password Not
> Reqd". This suggests that this flag is important while user creation.
> My question is, can we not create a User in ad2003 with the
> UserAccountcontrol value 512? If not, please suggest why? And also, if
> there exists any password policy by default, which makes the
> PasswdNotReqd flag of the UserAccountcontrol attribute mandatory,
> while user creation? Please suggest how to remove that policy from the
> AD2003 system?
>
> Thanks
> Manoj
>
You *can* create accounts with the UserAccountControl value set to
512, but you need to assign passwords to the accounts when you create
them. The reason that you are having problems is that Win2K3 by
default requires complex passwords that are a minimum of 7 characters
in length, IIRC. The fact that the only way that you're able to
create your accounts in enabled form is to do it by setting them as
not needing passwords (bad idea) likely confirms that your Default
Domain Policy is still set to its default settings. You could change
your domain's password policy requirements, but it would be wiser to
create the accounts with appropriate passwords instead, IMO. :-)

Laura
--
Experience is the name every one gives to their mistakes.
-Oscar Wilde
Related resources
Anonymous
December 4, 2004 3:20:43 PM

Archived from groups: microsoft.public.windows.server.migration,microsoft.public.it.winserver,microsoft.public.win2000.networking,microsoft.public.windows.server.active_directory,microsoft.public.win2000.active_directory (More info?)

You need to create the user object, then set it (setinfo if scripting with
adsi), then after created go in and set a password and modify useraccountcontrol.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


manoj.sp@gmail.com wrote:
> When a user is created in AD2003, the attribute UserAccountcontrol is
> assigned a value of 546 by default. When I tried to modify it with
> values like 512, 66048 etc error occured viz., "error 53: DSA
> Unwilling to perform". I found that the minimum value that is allowed
> to replace is 544(512 + 32). 32 represents the flag "Password Not
> Reqd". This suggests that this flag is important while user creation.
> My question is, can we not create a User in ad2003 with the
> UserAccountcontrol value 512? If not, please suggest why? And also, if
> there exists any password policy by default, which makes the
> PasswdNotReqd flag of the UserAccountcontrol attribute mandatory,
> while user creation? Please suggest how to remove that policy from the
> AD2003 system?
>
> Thanks
> Manoj
Anonymous
December 5, 2004 8:47:49 PM

Archived from groups: microsoft.public.windows.server.migration,microsoft.public.it.winserver,microsoft.public.win2000.networking,microsoft.public.windows.server.active_directory,microsoft.public.win2000.active_directory (More info?)

circa Sat, 04 Dec 2004 12:20:43 -0500, in
microsoft.public.win2000.active_directory, Joe Richards [MVP]
(humorexpress@hotmail.com) said,
>
> You need to create the user object, then set it (setinfo if scripting with
> adsi), then after created go in and set a password and modify useraccountcontrol.
>
>
If you use dsadd user, you can do this all in one shot, however. I'm
not sure how the user is creating the accounts, but perhaps this
might be an option.

Laura
--
Experience is the name every one gives to their mistakes.
-Oscar Wilde
!