[Samba] Little strangeness on dns-* account...

Marco Gaiarin gaio at sv.lnf.it
Tue Dec 18 18:13:16 UTC 2018


I've set up a script that scans the non-disabled user base; the base query is:

	(&(objectClass=user)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

and for every user I check the 'last password change' value, doing
something (e.g., disabling it ;-) if it is too far in the past.

I've found that my script also gets some 'dns-*' accounts; looking at
the data I've found that the account associated with the DC with the FSMO roles
(and the DC where I first deployed the domain) has:

	isCriticalSystemObject: TRUE

while all the other DCs do not, so the query:

	(&(objectClass=user)(!(objectClass=computer))(!(isCriticalSystemObject=TRUE))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

works as expected, but filters out only the dns-* account of the FSMO
roles DC, not those of the other DCs.


Googling a bit, it seems that it is safer NOT to change this attribute.


Supposing that disabling the dns-* accounts is not such a good idea,
how can I filter those accounts? Only by the 'dns-*' name?


Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
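
Added example, not part of the original post: a small Python evaluator for the subset of LDAP filter syntax used above (`&`, `|`, `!`, equality with `*`, and the bitwise-AND matching rule), run against constructed entries to show which accounts each query returns. The entries, the helper names and the `sAMAccountName=dns-*` clause (the name-based option the post asks about) are assumptions for illustration.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # bitwise-AND matching rule OID used in the post

def parse(f, i=0):
    """Parse the parenthesised filter starting at f[i]; return (node, next index)."""
    if f[i + 1] in "&|!":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1  # step over the closing ')'
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    return ("item", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict: lowercase attr -> list of str)."""
    if node[0] in ("&", "|"):
        combine = all if node[0] == "&" else any
        return combine(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    if attr.endswith(":" + BIT_AND + ":"):  # true when every bit of the mask is set
        mask = int(value)
        return any(int(v) & mask == mask for v in entry.get(attr.split(":")[0], []))
    pattern = re.escape(value).replace(r"\*", ".*")  # '*' is the LDAP wildcard
    return any(re.fullmatch(pattern, v.lower()) for v in entry.get(attr, []))

def user(name, uac, classes=("top", "person", "user"), **extra):
    e = {"samaccountname": [name], "useraccountcontrol": [str(uac)], "objectclass": list(classes)}
    e.update({k.lower(): [v] for k, v in extra.items()})
    return e

# Constructed directory entries (not taken from the post).
ENTRIES = [
    user("alice", 512),
    user("bob", 514),  # 514 = 512 | 2: the "disabled" bit tested by the filter is set
    user("PC01$", 4096, classes=("top", "person", "user", "computer")),
    user("dns-dc1", 512, isCriticalSystemObject="TRUE"),  # DC holding the FSMO roles
    user("dns-dc2", 512),  # other DC: attribute absent
]

BASE = "(&(objectClass=user)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
CRITICAL = "(&(objectClass=user)(!(objectClass=computer))(!(isCriticalSystemObject=TRUE))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
BY_NAME = BASE[:-1] + "(!(sAMAccountName=dns-*)))"  # assumed name-based variant

def search(flt):
    """Return the sAMAccountName of every constructed entry the filter matches."""
    return [e["samaccountname"][0] for e in ENTRIES if matches(parse(flt)[0], e)]
```
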


