UserAccountcontrol Problem when creating a user in AD2003

Archived from groups: microsoft.public.windows.server.migration,microsoft.public.it.winserver,microsoft.public.win2000.networking,microsoft.public.windows.server.active_directory,microsoft.public.win2000.active_directory (More info?)

When a user is created in AD2003, the attribute UserAccountcontrol is
assigned a value of 546 by default. When I tried to modify it with
values like 512, 66048 etc error occured viz., "error 53: DSA
Unwilling to perform". I found that the minimum value that is allowed
to replace is 544(512 + 32). 32 represents the flag "Password Not
Reqd". This suggests that this flag is important while user creation.
My question is, can we not create a User in ad2003 with the
UserAccountcontrol value 512? If not, please suggest why? And also, if
there exists any password policy by default, which makes the
PasswdNotReqd flag of the UserAccountcontrol attribute mandatory,
while user creation? Please suggest how to remove that policy from the
AD2003 system?

Thanks
Manoj
4 answers Last reply
More about useraccountcontrol problem creating user ad2003
  1. Archived from groups: microsoft.public.windows.server.migration,microsoft.public.it.winserver,microsoft.public.win2000.networking,microsoft.public.windows.server.active_directory,microsoft.public.win2000.active_directory (More info?)

    manoj.sp@gmail.com wrote:
    > When a user is created in AD2003, the attribute UserAccountcontrol is
    > assigned a value of 546 by default. When I tried to modify it with
    > values like 512, 66048 etc error occured viz., "error 53: DSA
    > Unwilling to perform". I found that the minimum value that is allowed
    > to replace is 544(512 + 32). 32 represents the flag "Password Not
    > Reqd". This suggests that this flag is important while user creation.
    > My question is, can we not create a User in ad2003 with the
    > UserAccountcontrol value 512? If not, please suggest why? And also, if
    > there exists any password policy by default, which makes the
    > PasswdNotReqd flag of the UserAccountcontrol attribute mandatory,
    > while user creation? Please suggest how to remove that policy from the
    > AD2003 system?

    take a look at this:
    How to Use the UserAccountControl Flags to Manipulate User Account
    Properties
    http://support.microsoft.com/default.aspx?scid=kb;en-us;305144

    regards

    --
    Edoardo Benussi - edo@mvps.org
    Microsoft® MVP - Windows Server Networking
    http://mvp.support.microsoft.com
    http://italy.mvps.org
  2. Archived from groups: microsoft.public.windows.server.migration,microsoft.public.it.winserver,microsoft.public.win2000.networking,microsoft.public.windows.server.active_directory,microsoft.public.win2000.active_directory (More info?)

    circa 3 Dec 2004 07:04:43 -0800, in
    microsoft.public.windows.server.active_directory, manoj.sp@gmail.com
    (manoj.sp@gmail.com) said,
    > When a user is created in AD2003, the attribute UserAccountcontrol is
    > assigned a value of 546 by default. When I tried to modify it with
    > values like 512, 66048 etc error occured viz., "error 53: DSA
    > Unwilling to perform". I found that the minimum value that is allowed
    > to replace is 544(512 + 32). 32 represents the flag "Password Not
    > Reqd". This suggests that this flag is important while user creation.
    > My question is, can we not create a User in ad2003 with the
    > UserAccountcontrol value 512? If not, please suggest why? And also, if
    > there exists any password policy by default, which makes the
    > PasswdNotReqd flag of the UserAccountcontrol attribute mandatory,
    > while user creation? Please suggest how to remove that policy from the
    > AD2003 system?
    >
    > Thanks
    > Manoj
    >
    You *can* create accounts with the UserAccountControl value set to
    512, but you need to assign passwords to the accounts when you create
    them. The reason that you are having problems is that Win2K3 by
    default requires complex passwords that are a minimum of 7 characters
    in length, IIRC. The fact that the only way that you're able to
    create your accounts in enabled form is to do it by setting them as
    not needing passwords (bad idea) likely confirms that your Default
    Domain Policy is still set to its default settings. You could change
    your domain's password policy requirements, but it would be wiser to
    create the accounts with appropriate passwords instead, IMO. :-)

    Laura
    --
    Experience is the name every one gives to their mistakes.
    -Oscar Wilde
  3. Archived from groups: microsoft.public.windows.server.migration,microsoft.public.it.winserver,microsoft.public.win2000.networking,microsoft.public.windows.server.active_directory,microsoft.public.win2000.active_directory (More info?)

    You need to create the user object, then set it (setinfo if scripting with
    adsi), then after created go in and set a password and modify useraccountcontrol.

    joe

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    www.joeware.net


    manoj.sp@gmail.com wrote:
    > When a user is created in AD2003, the attribute UserAccountcontrol is
    > assigned a value of 546 by default. When I tried to modify it with
    > values like 512, 66048 etc error occured viz., "error 53: DSA
    > Unwilling to perform". I found that the minimum value that is allowed
    > to replace is 544(512 + 32). 32 represents the flag "Password Not
    > Reqd". This suggests that this flag is important while user creation.
    > My question is, can we not create a User in ad2003 with the
    > UserAccountcontrol value 512? If not, please suggest why? And also, if
    > there exists any password policy by default, which makes the
    > PasswdNotReqd flag of the UserAccountcontrol attribute mandatory,
    > while user creation? Please suggest how to remove that policy from the
    > AD2003 system?
    >
    > Thanks
    > Manoj
  4. Archived from groups: microsoft.public.windows.server.migration,microsoft.public.it.winserver,microsoft.public.win2000.networking,microsoft.public.windows.server.active_directory,microsoft.public.win2000.active_directory (More info?)

    circa Sat, 04 Dec 2004 12:20:43 -0500, in
    microsoft.public.win2000.active_directory, Joe Richards [MVP]
    (humorexpress@hotmail.com) said,
    >
    > You need to create the user object, then set it (setinfo if scripting with
    > adsi), then after created go in and set a password and modify useraccountcontrol.
    >
    >
    If you use dsadd user, you can do this all in one shot, however. I'm
    not sure how the user is creating the accounts, but perhaps this
    might be an option.

    Laura
    --
    Experience is the name every one gives to their mistakes.
    -Oscar Wilde
Ask a new question

Read More

Windows Server Microsoft Active Directory Windows