  Bumpy road to add user into Active Directory -- userAccountControl=544
 
Subject: Bumpy road to add user into Active Directory -- userAccountControl=544
Author: JNDI
In response to: Bumpy road to add user into Active Directory -- userAccountControl=default
Posted on: 10/03/2012 08:38:24 PM

Let's force it to be enabled:

import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

        // env: the Hashtable of JNDI connection properties built in the earlier posts of this thread
        try {

            // Create the initial context
            DirContext ctx = new InitialDirContext(env);

            // Attributes to represent the user
            Attributes attrs = new BasicAttributes(true); // case-ignore
            // objectClass
            Attribute attr = new BasicAttribute("objectClass");
            attr.add("top");
            attr.add("person");
            attr.add("organizationalPerson");
            attr.add("user");
            attrs.put(attr);
            // MAY attributes
            attrs.put("cn", "John Smith");
            attrs.put("givenName", "John");
            attrs.put("sn", "Smith");
            attrs.put("userPassword", "password");
            // 544 = NORMAL_ACCOUNT (512) + PASSWD_NOTREQD (32), ACCOUNTDISABLE (2) deliberately left clear
            attrs.put("userAccountControl", "544");

            // Create the user account
            ctx.createSubcontext(
                    "cn=John Smith,CN=Users,DC=myCompany,DC=com",
                    attrs);

            // close
            ctx.close();

        } catch (NamingException e) {
            e.printStackTrace();
        }


Here, 544 = 512 (NORMAL_ACCOUNT) + 32 (PASSWD_NOTREQD), which intentionally does NOT flag the account as ACCOUNTDISABLE. But when this account is used for authentication, you still get the same error as before:
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9,
comment: AcceptSecurityContext error, data 52e, v1db1


Wait a minute, look at the flag 32 (PASSWD_NOTREQD). Does that mean that what the user provided through userPassword was not even treated as a password?

> On 10/03/2012 08:33:43 PM JNDI wrote:

UserAccountControl is an Active Directory attribute that controls the behavior of a user account. With this attribute, Active Directory can prevent unauthorized changes from messing up the user account. The value assigned to the attribute is cumulative; the most common flags are listed below:
    2 -- ACCOUNTDISABLE
   32 -- PASSWD_NOTREQD
  512 -- NORMAL_ACCOUNT

For details, please check at: http://support.microsoft.com/kb/305144

The user account created in the above example bears the userAccountControl attribute with a value of 546, which is the default.
dn: cn=John Smith,CN=Users,DC=myCompany,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: $N41000-S9ETGFD3FG6DS
userPassword:: DA9sjHg7y9UW8bf==
cn: John Smith
givenName: John
sn: Smith
userAccountControl: 546


Here, 546 = 512 (NORMAL_ACCOUNT) + 32 (PASSWD_NOTREQD) + 2 (ACCOUNTDISABLE), which internally flags the account as ACCOUNTDISABLE. That perfectly explains why the newly added account above is useless.
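The two posts above reason about userAccountControl by hand (546 versus 544). The following is an added example, not code from the thread or from JNDI's post, that does that arithmetic in Java: it decodes a value into flag names, checks the ACCOUNTDISABLE and PASSWD_NOTREQD bits, computes a read-modify-write replacement value instead of overwriting with a literal, and runs a small audit over a constructed snapshot of accounts. The class name, method names and the sample account map are assumptions; the flag constants beyond the three on the page (SCRIPT, LOCKOUT, PASSWD_CANT_CHANGE, DONT_EXPIRE_PASSWORD, SMARTCARD_REQUIRED, DONT_REQ_PREAUTH, PASSWORD_EXPIRED) are taken from the Microsoft KB 305144 article the post links to.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Decode, check and adjust Active Directory userAccountControl values.
 * Flag constants follow Microsoft KB 305144 (the article linked in the thread).
 * Added illustration; class and method names are this example's own.
 */
public class UserAccountControlFlags {

    public static final int SCRIPT               = 1;
    public static final int ACCOUNTDISABLE       = 2;
    public static final int LOCKOUT              = 16;
    public static final int PASSWD_NOTREQD       = 32;
    public static final int PASSWD_CANT_CHANGE   = 64;
    public static final int NORMAL_ACCOUNT       = 512;
    public static final int DONT_EXPIRE_PASSWORD = 65536;
    public static final int SMARTCARD_REQUIRED   = 262144;
    public static final int DONT_REQ_PREAUTH     = 4194304;
    public static final int PASSWORD_EXPIRED     = 8388608;

    private static final Map<String, Integer> FLAGS = new LinkedHashMap<>();
    static {
        FLAGS.put("SCRIPT", SCRIPT);
        FLAGS.put("ACCOUNTDISABLE", ACCOUNTDISABLE);
        FLAGS.put("LOCKOUT", LOCKOUT);
        FLAGS.put("PASSWD_NOTREQD", PASSWD_NOTREQD);
        FLAGS.put("PASSWD_CANT_CHANGE", PASSWD_CANT_CHANGE);
        FLAGS.put("NORMAL_ACCOUNT", NORMAL_ACCOUNT);
        FLAGS.put("DONT_EXPIRE_PASSWORD", DONT_EXPIRE_PASSWORD);
        FLAGS.put("SMARTCARD_REQUIRED", SMARTCARD_REQUIRED);
        FLAGS.put("DONT_REQ_PREAUTH", DONT_REQ_PREAUTH);
        FLAGS.put("PASSWORD_EXPIRED", PASSWORD_EXPIRED);
    }

    /** Parse the attribute as LDAP returns it: a decimal string such as "546". */
    public static int parse(String attributeValue) {
        return Integer.parseInt(attributeValue.trim());
    }

    /** Names of every known flag set in the value, in ascending bit order. */
    public static List<String> decode(int uac) {
        List<String> set = new ArrayList<>();
        for (Map.Entry<String, Integer> e : FLAGS.entrySet()) {
            if ((uac & e.getValue()) != 0) {
                set.add(e.getKey());
            }
        }
        return set;
    }

    public static boolean isDisabled(int uac)          { return (uac & ACCOUNTDISABLE) != 0; }
    public static boolean passwordNotRequired(int uac) { return (uac & PASSWD_NOTREQD) != 0; }

    /**
     * Value to write back so the account is enabled and a password is required:
     * take the current value, clear the two bits, leave every other flag untouched.
     */
    public static int enabledPasswordRequired(int currentUac) {
        return currentUac & ~(ACCOUNTDISABLE | PASSWD_NOTREQD);
    }

    /** Defender-side review: report enabled accounts whose flags weaken authentication. */
    public static List<String> audit(Map<String, Integer> accountsByName) {
        List<String> findings = new ArrayList<>();
        for (Map.Entry<String, Integer> e : accountsByName.entrySet()) {
            int uac = e.getValue();
            if (isDisabled(uac)) {
                continue; // a disabled account cannot log on; only enabled ones matter here
            }
            if (passwordNotRequired(uac)) {
                findings.add(e.getKey() + ": PASSWD_NOTREQD set on an enabled account");
            }
            if ((uac & DONT_REQ_PREAUTH) != 0) {
                findings.add(e.getKey() + ": Kerberos pre-authentication not required");
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Values from the thread: 546 is what AD assigned by default, 544 is what the post forced.
        for (String v : new String[] {"546", "544", "512"}) {
            int uac = parse(v);
            System.out.println(v + " = " + decode(uac) + (isDisabled(uac) ? "  [disabled]" : "  [enabled]"));
        }
        // Read-modify-write: clears bits 2 and 32 of 546 and keeps the rest.
        System.out.println("546 -> " + enabledPasswordRequired(546));

        // Constructed sample snapshot (sAMAccountName -> userAccountControl), not real directory data.
        Map<String, Integer> sample = new LinkedHashMap<>();
        sample.put("jsmith", 512);
        sample.put("svc-backup", 544);
        sample.put("legacy-app", 4194816); // NORMAL_ACCOUNT + DONT_REQ_PREAUTH
        sample.put("old-temp", 546);
        for (String f : audit(sample)) {
            System.out.println("FINDING " + f);
        }
    }
}
```

To push the adjusted value back with JNDI, read the current userAccountControl, pass it through enabledPasswordRequired, and call ctx.modifyAttributes on the user's DN with a ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("userAccountControl", Integer.toString(newValue))); the attribute is a decimal string on the wire, exactly as the post writes "544". Computing the replacement from the current value rather than hard-coding 512 avoids silently clearing unrelated flags such as DONT_EXPIRE_PASSWORD, and the audit method is the check a directory reviewer would run over an export to find accounts still carrying PASSWD_NOTREQD after a script like the one in this thread.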
