modification of userAccountControl according to MS-SAMR 3.1.1.8.1.
Rafal Szczesniak
mimir at samba.org
Thu Jan 13 00:37:31 MST 2011
On Thu, Jan 13, 2011 at 09:04:42AM +1100, Andrew Bartlett wrote:
> On Wed, 2011-01-12 at 23:42 +0200, Anatoliy Atanasov wrote:
> > Hi Matthias,
> >
> > Kamen and I stumbled upon a code that modifies the userAccountControl attribute of a user object, when it shouldn't.
> > We noticed that when you add a user with userAccountControl 66080 it ends up with 66082, which means that the account is disabled.
>
> Isn't this what Windows does?
Yes, it is.
> > The code modifies the userAccountControl of a user that is being added to the database and the documentation regarding the change of that attribute states:
> > "If the value of the userAccountControl attribute _in_the_database_ contains a bit that is specified in the following table, the userAccountControl attribute MUST be updated with the corresponding bit(s) using a bitwise OR."
> >
> > The add operation is still an originating update, but in this case the attribute isn't in the database and shouldn't be modified.
> >
> > Do you agree to change it?
>
> I'm rather confused, can you please give an example where Windows does
> not disable the account on add?
>
> Is this based just on a reading of the docs, or a specific test? If
> it's a test, can you give some more detail on what you have tested?
Since this applies to the originating update of the objectClass attribute and I don't
really see any way of updating it other than adding an account this makes sense perfectly
- newly created account is disabled.
cheers,
--
Rafal Szczesniak
Samba Team member http://www.samba.org
Likewise Software http://www.likewise.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: Digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20110113/f819d2c9/attachment.pgp>
More information about the samba-technical
mailing list