Active Directory Users missing attribute
Hello everyone,
I am writing a script that retrieves some Active Directory users, and writes them to a text-file. In this script, i used a filter to retrieve only the users which have the 'PasswordNeverExpires' attribute. I've learned that this attribute, along with others, is stored in the 'userAccountControl' attribute.
When i checked our AD users in an LDAP browser, i noticed that 80% of our users don't have a userAccountControl attribute, thus also no 'PasswordNeverExpires' ?! Then i checked some users in Server Manager, and they all do have the PasswordNeverExpires property enabeled, so no problem there. Does anybody know how this is possible?
I also noticed that all our users who do have a 'userAccountControl' attribute, are in an administrator group. Could this have something to do with that? Our LDAP runs on a Windows 2008 server.
Many thanks in advance,
Re: Active Directory Users missing attribute
Can you look in MMC options, Active Directory Users and Computers, from 2008 server, then there is an Advanced box in one of the menus. Once you enable that, you get an extra tab on each user, where you can see all the attributes in the list, so make sure. Then via ADSI Edit MMC you can look at the schema definition and see what the ldap name is. It is possible that the LDAP name is not quite what you would expect. Hope that helps you out.
Re: Active Directory Users missing attribute
Hi James,
First of all, thank you so much for your help. I enabled the Advanced Features box like you said, and now i can see every attribute a user has.
I've noticed that all our users do have an userAccountControl attribute, i just couldn't see them before.
I'm still dealing with an issue though. My script can't retrieve those users from AD, of which i first couldn't see their UAC attribute. So i can retrieve the names of all administrators, but when i try to retrieve the name of a normal user, my script fails with an error (The directory property cannot be found in the cache). Perhaps you know what could be causing this?
Many thanks in advance,
Re: Active Directory Users missing attribute
Quote:
I'm still dealing with an issue though. My script can't retrieve those users from AD, of which i first couldn't see their UAC attribute. So i can retrieve the names of all administrators, but when i try to retrieve the name of a normal user, my script fails with an error (The directory property cannot be found in the cache). Perhaps you know what could be causing this?
Can you just post a small part of the script that is failing so that i can have a better idea of the issue you are facing and will try to help you with the same.
Re: Active Directory Users missing attribute
I just found the problem. In my script, i execute a query on our ldap. I didn't insert credentials in my adodb connection, causing the query to be executed by a default user, and this default user didnt have the required permissions to retrieve the users. So i inserted credentials of an admin user, and the problem was solved. Thanks everyone for looking into my problem!