0 votes

I noticed that newly created accounts set the useraccountcontrol field to

{PASSWD_NOTREQD|NORMAL_ACCOUNT} = 0x220

rather than:

{NORMAL_ACCOUNT} = 0x200

Is there a place to alter this default setting?

by (950 points)

1 Answer

0 votes
by (18.0k points)

Hello,

The PASSWD_NOTREQD flag is set when no password is specified for the new account. Active Directory doesn't allow user creation if the password is empty and this flag is not set.
To force users to specify passwords for new accounts, you can make the Password property required using Property Patterns.
For more details, please see Generate Initial Password on User Creation (on the 3rd step select the Password cannot be empty option).

See also: Set Default Account Options for New Users.

0

I doing something wrong. In our property patterns I've set the password to be required, and set it to a default value. I've also set the UserAccountControl to a default of "Normal", with the other options unchecked.

When I create an account, the password not required setting still appears, in addition to normal.

0

Make sure the Property Pattern affects the user.

  1. Locate the newly created user in the Console Tree (Administration Console).
  2. Right click the user, and click Properties in the context menu.
  3. Activate the Effective Objects tab.
  4. Click Property Patterns. Your Property Pattern must be in the list.
0

My property pattern is listed under the user's account properties, under the effective property patterns.

0

Please post a screenshot of your property pattern.

0

Another thing, If your property pattern is assigned over members of a group or Business Unit, it will not not be effective during user creation.

0

0

Is the property pattern assigned over All Objects?

0

Yes - sorry I cut that portion off earlier....

0

The other property patterns are enforced, just not the default account control values.

0

There are 2 possible reasons for why the password is not marked required:

  1. You are creating the user not in the na.vul.com domain.
  2. There is another property pattern that also applies to the Password property.

Can you please post a screenshot of the user creation form. Also, please click the

button for the Password property and post a screenshot of the the dialog that will open.

0


I uploaded our user creation form, along with the password property.

I went ahead and created a custom exe that is launched from a Business Rule that removes the PASSWD_NOTREQD Attribute from the useraccountcontrol field. It is applied every time a user account is created. This works for us and solves the issue.

It looks like this:
c:\utils\FixUserAccountControl.exe %sAMAccountName% %adm-InitiatorUserName%

0

It is possible to do it using the Update User Business Rule action.
Just add 'Update the User' action to your Business Rule, select the Account Options property in the list of available properties, and check all the options you need.

0

Judging by the screenshot you posted, the Property Pattern is applied correctly to the Password property and works as expected. Is the 'No Password Required' flag set after you create a user with a non-empty password?

0

Is the 'No Password Required' flag set after you create a user with a non-empty password? - Yes.

Also - I did try to remove the attribute via the Update User function and the user account control. This selector is disabled for the removal function (not the update).


For what it's worth - we are on AD 2003.

0

Is the 'No Password Required' flag set after you create a user with a non-empty password? - Yes.

Hmm, it looks like a bug. Our QA team will investigate it.

Also - I did try to remove the attribute via the Update User function and the user account control. This selector is disabled for the removal function (not the update).

Ah, of course. Sorry, my bad.
You can do it with the help of a PowerShell script:

Import-Module Adaxes

$userDN = "%distinguishedName%";
$userDomain = $Context.GetObjectDomain($userDN);
$ADS_UF_PASSWD_NOTREQD = 0x00000020;

$user = Get-AdmUser $userDN -Properties userAccountControl -Server $userDomain
$user.userAccountControl = $user.userAccountControl -band (-bnot($ADS_UF_PASSWD_NOTREQD));
Set-AdmUser $user -Server $userDomain
0

I just wanted to express my appreciation for your product and support. Both are outstanding and a pleasure to work with.

0

Thank you! :)

0

Hello,

Yesterday we released a new version of Adaxes (2012.1). Using the new version you can automatically update Account Options of user accounts using a special action - Modify Account Options:

Related questions

0 votes
1 answer

Hi there, Is there a way to change the default view control from TreeView to ListView for new users? We have a setup where, when using listview you can choose only " ... to select the OU between the root and the Users-OU. Example Treeview: Example ListView:

asked May 23, 2018 by GiZmO (50 points)
0 votes
1 answer

Dear Support, Is it possible in "generate default value" section of pattern for multivalued attribute to provide more than 1 value from "must be one of" section? E.g. Pattern ... E" and to have default generated values in web interface "A,C" Thanks for advise!

asked Jul 7, 2020 by Dmytro.Rudyi (920 points)
0 votes
1 answer

We are trying to enforce better consistency for user attribute values in a domain but without overly restricting user input when modifying/creating users. Is it possible to ... to these fields and create Custom Commands to change them which is very tedious.

asked Mar 21, 2019 by Staj (350 points)
0 votes
1 answer

Hi, I am trying to setup a Home Page action in the Help Desk portal to modify a User account, for this i want to specify the default value of a property to be the ... the user account i am modifying to get the default value? Thanks in advance for any help!

asked Dec 1, 2016 by sam.webster (370 points)
0 votes
1 answer

We have a form to used by our HR Reps to create non-employee records. There are two fields on the form that are auto-generated via a property pattern: Full Name ( ... changed to cause this new behavior? Nothing has changed with our property pattern set-up...

asked Aug 30, 2016 by sandramnc (870 points)
3,326 questions
3,026 answers
7,727 comments
544,678 users