544 useraccountcontrol account enabled, password not required??

hi,

i have gone through the message threads on this and i see many
different interpretations.

if i have users with a 544 does it really mean they don't require
passwords? is it really over-riding domain policy?

is it an artifact of a migration or a script?

i do see a password last set date and it is past the account creation
date, but usually way older than the domain password age rule.

sometimes i don't see a last logon timestamp.

i'd really like to pin this down.

thanks.

512 = normal account
32 = password not required --> this means it is NOT required to have a
password, and yes it overriders the PWD policy. Although configured it cal
still have a password
see: http://support.microsoft.com/kb/305144


when you create a user through a command line tool, it will have
useraccountcontrol of 546, which in addition to the above means the user is
disabled

ADMOD -replacedn XXX-DOMAIN-XXX:_default -add -b "CN=Jorge de Almeida
Pinto,OU=Users,OU=HISTORY1,OU=Org-Users,XXX-OMAIN-XXX" "objectClass::user"
"sAMAccountName::JPINTO"
"userPrincipalName::JPINTO@%USERDNSDOMAIN%" -kerbenc "unicodePwd::pwd"

although I specify a password it still disables the user object. So, it is
better to specify the useraccountcontrol attribute value as well when
creating objects so that in the end you get what you want

if the user object should be enabled
ADMOD -replacedn XXX-DOMAIN-XXX:_default -add -b "CN=Jorge de Almeida
Pinto,OU=Users,OU=HISTORY1,OU=Org-Users,XXX-OMAIN-XXX" "objectClass::user"
"sAMAccountName::JPINTO"
"userPrincipalName::JPINTO@%USERDNSDOMAIN%" -kerbenc "unicodePwd::pwd"
"userAccountControl::512"

if the user object should be disabled
ADMOD -replacedn XXX-DOMAIN-XXX:_default -add -b "CN=Jorge de Almeida
Pinto,OU=Users,OU=HISTORY1,OU=Org-Users,XXX-OMAIN-XXX" "objectClass::user"
"sAMAccountName::JPINTO"
"userPrincipalName::JPINTO@%USERDNSDOMAIN%" -kerbenc "unicodePwd::pwd"
"userAccountControl::514"


--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"nlehrer" <nlehrer@yahoo.com> wrote in message
news:29b48acf-829c-43a0-9b10-ff97b0a3e4e8@a1g2000hsb.googlegroups.com...
> hi,
>
> i have gone through the message threads on this and i see many
> different interpretations.
>
> if i have users with a 544 does it really mean they don't require
> passwords? is it really over-riding domain policy?
>
> is it an artifact of a migration or a script?
>
> i do see a password last set date and it is past the account creation
> date, but usually way older than the domain password age rule.
>
> sometimes i don't see a last logon timestamp.
>
> i'd really like to pin this down.
>
> thanks.