[Samba] Account locked and delayed user data propagation...
Rowland penny
rpenny at samba.org
Mon Nov 18 12:15:10 UTC 2019
On 18/11/2019 11:57, Marco Gaiarin via samba wrote:
> Hello! Rowland penny via samba
> On that day it was said...
>
>> Yes, provided you use the right attribute to search on ;-)
> Ah! ;-)
>
>
> While I'm here, I test three conditions in the account flags, e.g.:
>
> UAC=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}" "(&(objectClass=user)(sAMAccountName=$1))" userAccountControl | grep "^userAccountControl: " | cut -d ' ' -f 2-)
>
> # Old 'D' flag:
> ((($UAC & 2) == 2)) && enabled="false" # 0x00000002
>
> # Old 'X' flag:
> ((($UAC & 65536) == 65536)) && expire="true" # 0x00010000
>
> # Old 'L' flag:
> ((($UAC & 16) == 16)) && locked="true" # 0x00000010
>
> Apart from 'locked', are there better LDAP fields also for the disabled and
> 'don't expire' flags?
>
>
> Thanks.
>
It is all in the search filter ;-)

For all users whose passwords never expire:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

For all disabled users:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

To check if a user's account is locked:

(&(objectClass=user)(samaccountname=locktest)(lockoutTime>=0))

Rowland
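
Added example, not part of the original thread: a shell script that builds the bitwise-AND filters shown in the reply and decodes the same three userAccountControl bits from ldbsearch-style output in one pass, so the server-side and client-side tests can be compared. The LDIF records, the function names and the reading of an absent or zero lockoutTime as "no lockout recorded" are assumptions of this example.

```bash
# Added example. The sample records at the bottom are constructed.
BIT_AND=1.2.840.113556.1.4.803   # bitwise-AND matching rule OID used in the filters above

# Server-side filter matching users that have the given userAccountControl bit set.
uac_filter() {
    printf '(&(objectCategory=person)(objectClass=user)(userAccountControl:%s:=%s))\n' \
        "$BIT_AND" "$1"
}

# Client-side equivalent: names of the three bits tested in the thread.
uac_flags() {
    out=""
    if [ $(( $1 & 2 )) -ne 0 ]; then out="$out disabled"; fi
    if [ $(( $1 & 16 )) -ne 0 ]; then out="$out lockout-bit"; fi
    if [ $(( $1 & 65536 )) -ne 0 ]; then out="$out no-expire"; fi
    echo "${out# }"
}

# Assumption: absent or zero lockoutTime is reported as lockout=no. Whether a
# non-zero lockout has since expired depends on domain policy; not checked here.
emit() {
    if [ "$lock" != 0 ]; then l=yes; else l=no; fi   # string compare: value is 64-bit
    printf '%s: flags=[%s] lockout=%s\n' "$name" "$(uac_flags "$uac")" "$l"
}

# Read blank-line separated LDIF records on stdin, print one line per account.
report() {
    name=""; uac=0; lock=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "sAMAccountName: "*)     name=${line#*: } ;;
            "userAccountControl: "*) uac=${line#*: } ;;
            "lockoutTime: "*)        lock=${line#*: } ;;
            "") if [ -n "$name" ]; then emit; fi
                name=""; uac=0; lock=0 ;;
        esac
    done
    if [ -n "$name" ]; then emit; fi
}

sample_ldif() { printf '%s\n' \
    "dn: CN=alice,CN=Users,DC=example,DC=com" "sAMAccountName: alice" \
    "userAccountControl: 512" "" \
    "dn: CN=bob,CN=Users,DC=example,DC=com" "sAMAccountName: bob" \
    "userAccountControl: 66050" "" \
    "dn: CN=locktest,CN=Users,DC=example,DC=com" "sAMAccountName: locktest" \
    "userAccountControl: 512" "lockoutTime: 132185312000000000"
}

sample_ldif | report
```

In real use the input would come from a single ldbsearch call requesting sAMAccountName, userAccountControl and lockoutTime instead of `sample_ldif`.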