On 30 Oct 2008, at 16:00, Rich Megginson <rmeggins at redhat.com> wrote:

> John Dickinson wrote:
>> Hi,
>>
>> I am testing what happens when you create a new user and sync it to
>> AD. Using Fedora DS 1.1.3 and AD 2003 R2 SP2.
>>
>> If I use the console to create a new user and tick the Enable NT User
>> Attributes, Create New NT Account etc. the new user appears in AD but
>> is disabled.
>>
>> Looking at the code it seems that send_accountcontrol_modify() gets
>> the userAccountControl settings from AD, adds 0x0200 (Normal Account)
>> and sends it back.
>>
>> Looking at the traffic between Fedora DS and AD it appears that Fedora
>> DS is getting ACCOUNTDISABLE in userAccountControl from AD.
>>
>> Should Fedora DS be unsetting ACCOUNTDISABLE or should AD not be
>> setting it in the first place? If it is a problem with AD then can
>> anyone point me to where I tell it to do the right thing?
>
> Does AD have some sort of setting that tells it to disable new
> accounts?

Not that I know about. But I am no Windows expert.

> What happens if you create new accounts directly in AD?

When you create a new user in Windows there is a tick box to disable the
account, but it is not ticked by default and the user is created in an
enabled state.

I see the following when:

- Both Windows and Fedora DS are set to enforce no password complexity
  constraints
- Windows sync agreement and password sync are working
- When creating a user in AD only one option is selected by default:
  user must change password at next login
- The following options are not ticked by default:
  -- User cannot change password
  -- Password never expires
  -- Account is disabled

Create user in AD:
  userAccountControl: 512 (Normal)

Create user in Fedora DS (console):
  userAccountControl: 546 (Normal + PASSWD_NOTREQ + ACCOUNTDISABLE)

Would there be anything wrong with Fedora DS just forcing
userAccountControl = 512? Or are more options needed in the user
creation dialog?

John
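The two values in the message decode as bit masks: 512 is NORMAL_ACCOUNT (0x0200) alone, and 546 is NORMAL_ACCOUNT | PASSWD_NOTREQD (0x0020) | ACCOUNTDISABLE (0x0002). The script below is an added example, not Fedora DS or Windows Sync code, that decodes userAccountControl values, audits a set of entries for the two problem bits, and contrasts the "force 512" idea from the message with a targeted fix that only clears the two bits while keeping whatever else AD had set (for example DONT_EXPIRE_PASSWORD, which forcing 512 would silently drop). The flag table is the standard AD userAccountControl layout; the function names, the DNs and the three sample entries are constructed for this example and are not from the thread.

```python
"""Decode, audit and repair Active Directory userAccountControl bit masks.

Added example; the function names and sample entries are hypothetical.
"""

# Standard userAccountControl flag bits (AD schema, user-object subset).
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200


def decode_uac(value):
    """Return the names of the flags set in a userAccountControl value, lowest bit first."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)  # bits outside the table, if any
    if unknown:
        names.append("UNKNOWN(0x%x)" % unknown)
    return names


def force_normal(current):
    """The approach asked about in the message: overwrite with 512, discarding every other flag."""
    return NORMAL_ACCOUNT


def enable_normal_account(current):
    """Targeted alternative (hypothetical): keep AD's other flags, make sure
    NORMAL_ACCOUNT is set, and clear only ACCOUNTDISABLE and PASSWD_NOTREQD."""
    return (current | NORMAL_ACCOUNT) & ~(ACCOUNTDISABLE | PASSWD_NOTREQD)


def audit_entries(entries):
    """Report (dn, issue) for entries still disabled or, worse, carrying PASSWD_NOTREQD,
    which allows an empty password regardless of the domain password policy."""
    findings = []
    for dn, uac in entries:
        flags = decode_uac(uac)
        if "ACCOUNTDISABLE" in flags:
            findings.append((dn, "disabled"))
        if "PASSWD_NOTREQD" in flags:
            findings.append((dn, "password not required"))
    return findings


# Constructed sample entries: the two values seen in the thread plus a
# service account with DONT_EXPIRE_PASSWORD (512 + 65536) to show what
# forcing 512 would throw away.
SAMPLE_ENTRIES = [
    ("CN=ad-created,CN=Users,DC=example,DC=test", 512),
    ("CN=fds-created,CN=Users,DC=example,DC=test", 546),
    ("CN=svc-noexpire,CN=Users,DC=example,DC=test", 66048),
]

if __name__ == "__main__":
    for dn, uac in SAMPLE_ENTRIES:
        print(dn, uac, decode_uac(uac))
    for dn, issue in audit_entries(SAMPLE_ENTRIES):
        print("FINDING:", dn, issue)
    print("force_normal(66048)          =", force_normal(66048))
    print("enable_normal_account(546)   =", enable_normal_account(546))
    print("enable_normal_account(66082) =", enable_normal_account(66082))
```

Run against a real directory, the same audit can be fed from an LDAP search on userAccountControl; the point of enable_normal_account() over force_normal() is that a sync tool writing 512 unconditionally would also reset flags an administrator set deliberately on the AD side, whereas clearing just the two bits fixes the disabled-on-creation problem without that side effect.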