Re: UserAccountControl Attribute



Thanks for your time Richard!

It's similar to your explanation but not related to contact objects...it's
specific user objects (enabled user accounts) that appear to be missing those
two attributes.

The developer is here today and he changed the filter to match what you
suggested just to see what would happen but no joy. Everything we've tried
points to missing those two attributes (MEMBEROF and userACCOUNTCONTROL).
How can I view the attributes of the user objects in question?

Chad

"Richard Mueller [MVP]" wrote:

The filter "(objectCategory=user)" will include contact objects as well as
user objects. Contact objects do not have sAMAccountName or
userAccountControl attributes. Does this explain what you experience?

As noted before, the filter should be
"(&(objectCategory=person)(objectClass=user))". This will exclude contact
objects. Contact objects do have cn, mail, and memberOf attributes.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

"Dixson" <Dixson@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:63F3722E-213C-4EF5-A9F5-27A939E5B2B8@xxxxxxxxxxxxxxxx
Thanks for the input fellas. As we continued to dig into this what we've
found is all the user accounts that are found by the query have a count of
6 _hashtable entries...the accounts we're having issues with only have 4.
The AD attributes 'MEMBEROF' and 'userACCOUNTCONTROL' are not found or
included in the _hashtable results so when masked with the bit for
NORMAL_ACCOUNT the results become false.

I believe the query is written in ASP.net...I'm not the developer but just
the guy trying to get everyone to show on the list.

I believe this is the query:

// Requires: using System.DirectoryServices; using System.Xml;
string[] Parameters = { "samaccountname", "cn", "mail", "memberof",
                        "useraccountcontrol" };
try
{
    // Bind to the domain with the application's service account
    DirectoryEntry entry = new DirectoryEntry("LDAP://" + AdDomain,
                                              AdAccount, AdPassword);
    DirectorySearcher Searcher = new DirectorySearcher(entry);
    Searcher.Filter = "(objectCategory=" + "user" + ")";
    foreach (string parameter in Parameters)
    {
        Searcher.PropertiesToLoad.Add(parameter);
    }
    Searcher.Sort.PropertyName = "cn";

    XmlElement RowsNode =
        (XmlElement)UsersDoc.DocumentElement.SelectSingleNode("Rows");

    foreach (SearchResult result in Searcher.FindAll())
    {
        DirectoryEntry Entry = result.GetDirectoryEntry();

        ResultPropertyCollection PropColl = result.Properties;
        string AccountName = null;
        string CommonName = null;
        string EmailAddress = null;
        bool NORMAL_ACCOUNT = false;
        bool ACCOUNTDISABLE = false;
        Int32 AccountControl = 0;

        // Only attributes actually returned for this object appear in
        // PropertyNames; anything absent keeps the defaults set above
        foreach (string Key in PropColl.PropertyNames)
        {
            if (Key == "samaccountname")
            {
                AccountName = PropColl[Key][0].ToString();
            }
            if (Key == "cn")
            {
                CommonName = PropColl[Key][0].ToString();
            }
            if (Key == "mail")
            {
                EmailAddress = PropColl[Key][0].ToString();
            }
            if (Key == "useraccountcontrol")
            {
                //http://support.microsoft.com/kb/305144
                AccountControl = (Int32)PropColl[Key][0];
                // Test the individual flag bits of userAccountControl
                NORMAL_ACCOUNT = ((AccountControl & 0x00000200) != 0);
                ACCOUNTDISABLE = ((AccountControl & 0x00000002) != 0);



"Dixson" wrote:

We have a custom application that uses an LDAP query against AD (2000
native) to provide a list of all active user accounts but, the results of
the query are missing a handful of active user accounts. From what I've
been able to find, all the user accounts in question are not flagged as
NORMAL_ACCOUNT (hex=0x0200, dec=512) but, when I've checked the properties
of each account in AD there's nothing different from the accounts that
appear from the query.

Can ldp.exe or adsiedit.msc help find what may be different about the
user accounts in question? If so, is there a good "for dummies" on how to
use these tools?
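
Added example (not part of the thread and not the application's own code): the posted loop leaves AccountControl at 0 when "useraccountcontrol" is absent from a result, so NORMAL_ACCOUNT evaluates to false and the account silently drops off the list. The code below reports that case separately instead; the names AccountState, UacCheck and Classify are hypothetical, and constructed dictionaries stand in for SearchResult.Properties.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical result type: keeps "attribute absent" apart from "flag clear".
enum AccountState { Active, Disabled, NotNormalAccount, AttributeNotReturned }

static class UacCheck
{
    const int ACCOUNTDISABLE = 0x0002;   // flag values from KB 305144
    const int NORMAL_ACCOUNT = 0x0200;

    // props stands in for one SearchResult.Properties collection
    // (keys lower-case, as in the posted code).
    public static AccountState Classify(IDictionary<string, object[]> props)
    {
        object[] values;
        // A missing userAccountControl is "unknown", never flags == 0.
        if (!props.TryGetValue("useraccountcontrol", out values) || values.Length == 0)
            return AccountState.AttributeNotReturned;

        int uac = Convert.ToInt32(values[0]);
        if ((uac & NORMAL_ACCOUNT) == 0) return AccountState.NotNormalAccount;
        if ((uac & ACCOUNTDISABLE) != 0) return AccountState.Disabled;
        return AccountState.Active;
    }

    static void Main()
    {
        // Constructed sample entries; names and values are made up.
        var results = new List<Dictionary<string, object[]>>
        {
            new Dictionary<string, object[]> {
                { "cn", new object[] { "Alice" } },
                { "useraccountcontrol", new object[] { 512 } } },     // 0x0200
            new Dictionary<string, object[]> {
                { "cn", new object[] { "Bob" } },
                { "useraccountcontrol", new object[] { 514 } } },     // 0x0202
            new Dictionary<string, object[]> {
                { "cn", new object[] { "Carol" } },
                { "useraccountcontrol", new object[] { 66048 } } },   // 0x10200
            new Dictionary<string, object[]> {
                { "cn", new object[] { "Dave" } },
                { "mail", new object[] { "dave@example.com" } } }     // no UAC returned
        };

        foreach (var r in results)
            Console.WriteLine("{0,-8} {1}", r["cn"][0], Classify(r));
    }
}
```

Entries reported as AttributeNotReturned are the ones to inspect by hand, since for them the directory returned fewer attributes than the query asked for.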


