modification of userAccountControl according to MS-SAMR 3.1.1.8.1.

Andrew Bartlett abartlet at samba.org
Wed Jan 12 15:04:42 MST 2011


On Wed, 2011-01-12 at 23:42 +0200, Anatoliy Atanasov wrote:
> Hi Matthias,
> 
> Kamen and I stumbled upon a code that modifies the userAccountControl attribute of a user object, when it shouldn't.
> We noticed that when you add a user with userAccountControl 66080 it ends up with 66082, which means that the account is disabled.

Isn't this what Windows does?

> The code modifies the userAccountControl of a user that is being added to the database and the documentation regarding the change of that attribute states:
> "If the value of the userAccountControl attribute _in_the_database_ contains a bit that is specified in the following table, the userAccountControl attribute MUST be updated with the corresponding bit(s) using a bitwise OR."
> 
> The add operation is still an originating update, but in this case the attribute isn't in the database and shouldn't be modified.
> 
> Do you agree to change it?

I'm rather confused, can you please give an example where Windows does
not disable the account on add? 

Is this based just on a reading of the docs, or a specific test?  If
it's a test, can you give some more detail on what you have tested?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.



More information about the samba-technical mailing list