[Samba] Little strangeness on dns-* account...
Marco Gaiarin
gaio at sv.lnf.it
Tue Dec 18 18:13:16 UTC 2018
I've set up a script that scans the non-disabled user base; the base query is:
(&(objectClass=user)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
and for every user I check the 'last password change' data value, doing
something (e.g., disabling it ;-) if it is too far back.
I've found that my script also gets some 'dns-*' accounts; looking at
the data, I've found that the account associated with the DC with the FSMO roles
(and the DC where I first deployed the domain) has:
isCriticalSystemObject: TRUE
while all the other DCs do not, so the query:
(&(objectClass=user)(!(objectClass=computer))(!(isCriticalSystemObject=TRUE))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
works as expected, but filters out only the dns-* account of the FSMO
roles DC, not those of the other DCs.
Googling a bit, it seems that it is safer NOT to change this attribute.
Supposing that disabling the dns-* accounts is not such a good idea,
how can I filter those accounts? Only by the 'dns-*' name?
Thanks.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
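
The name-based exclusion the message asks about, sketched as an added example that is not part of the original post or of Samba's code: the filter from the message gains a sAMAccountName clause, and the same selection plus the password-age check is mirrored client-side over constructed entries. It assumes the dns-* accounts have a sAMAccountName starting with "dns-" and that the 'last password change' value is the pwdLastSet attribute; all function names and sample data are hypothetical.

```python
from datetime import datetime, timedelta, timezone

UF_ACCOUNTDISABLE = 0x2  # bit tested by userAccountControl:1.2.840.113556.1.4.803:=2
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Filter from the message plus a name-based exclusion (assumed sAMAccountName prefix).
LDAP_FILTER = ("(&(objectClass=user)(!(objectClass=computer))"
               "(!(sAMAccountName=dns-*))"
               "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")

def filetime_to_datetime(value):
    """AD timestamp (100 ns ticks since 1601-01-01 UTC) -> datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)

def to_filetime(dt):  # inverse conversion, used to build the constructed sample data
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def is_candidate(entry):
    """Client-side mirror of LDAP_FILTER for one entry (attribute -> value)."""
    classes = {c.lower() for c in entry["objectClass"]}
    if "user" not in classes or "computer" in classes:
        return False
    if entry["sAMAccountName"].lower().startswith("dns-"):
        return False
    return not int(entry["userAccountControl"]) & UF_ACCOUNTDISABLE

def stale_accounts(entries, now, max_age_days):
    """Names of candidates whose password is older than max_age_days.
    pwdLastSet of 0 means "must change at next logon", so there is no age to measure."""
    stale = []
    for e in entries:
        ticks = int(e.get("pwdLastSet", 0))
        if not is_candidate(e) or ticks == 0:
            continue
        if now - filetime_to_datetime(ticks) > timedelta(days=max_age_days):
            stale.append(e["sAMAccountName"])
    return stale

# Constructed sample entries (not real directory data).
NOW = datetime(2018, 12, 18, tzinfo=timezone.utc)
OLD, NEW = (str(to_filetime(NOW - timedelta(days=d))) for d in (400, 10))
USER, PC = ["top", "person", "user"], ["top", "person", "user", "computer"]
SAMPLE = [dict(zip(("sAMAccountName", "objectClass", "userAccountControl", "pwdLastSet"), r)) for r in [
    ("alice", USER, "512", OLD), ("bob", USER, "512", NEW),
    ("carol", USER, "514", OLD),            # disabled
    ("dns-dc1", USER, "512", OLD), ("dns-dc2", USER, "512", OLD),
    ("DC1$", PC, "532480", OLD),            # computer account
]]
if __name__ == "__main__":
    print(LDAP_FILTER, stale_accounts(SAMPLE, NOW, 180))
```

Running the selection in report-only mode first, and reviewing the returned names before any account is disabled, shows whether other service accounts still slip through the filter.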