Not able to disable the user useraccountcontrol 546

Hello All,

We are using an SAP-based identity tool for creation and deletion of Active Directory users. In Active Directory we have recently promoted 2012 Domain Controllers. We have provided all the necessary rights to the tool for creating and deleting the users.

For the last 4 years that tool always used 544 upon creation of an ID, with 2008 R2 SP1 Domain Controllers. But in the last few days the AD IDs cannot be disabled via 546. Attached is the error seen in the identity tool.

Apart from the Domain Controller change from 2008 R2 to 2012 R2, there was not a single change in AD. Is there any difference in userAccountControl between 2008 R2 and 2012 R2?

September 8th, 2015 6:27pm

In your error it states LDAP error insufficient rights... You also mention 544 and 546; are these event IDs? What does the security log on your PDC give you when this error occurs? Below is the link to the MSDN article describing this attribute; no changes though (there wouldn't be changes if you just updated the servers but not the AD forest). https://msdn.microsoft.com/en-us/library/ms680832%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396
September 8th, 2015 8:23pm

The value 544 for userAccountControl means: normal user + password not required. The value 546 means the same, plus account disabled. There is no change in userAccountControl with the introduction of Windows Server 2012.

The error indicates lack of permissions. What were you doing when you got the error? Are you saying you were able to create the user, but were not able to disable the account? Also, rights need to be granted to the user creating or modifying the user accounts, not the tool being used.

Edit: I should note that it is not recommended to use "password not required". This is a security issue. You probably got the error either because you attempted to enable an account with this setting, or the account does not have a password. This could well have changed with Windows Server

September 9th, 2015 12:40am

512 - Normal_Account
514 - Normal_Account
544 - ADS_UF_PASSWD_NOTREQD
546 - ADS_UF_PASSWD_NOTREQD
66048 - ADS_UF_DONT_EXPIRE_PASSWD
66050 - ADS_UF_DONT_EXPIRE_PASSWD
66080 - ADS_UF_PASSWD_NOTREQD & ADS_UF_DONT_EXPIRE_PASSWD
66082 - ADS_UF_PASSWD_NOTREQD & ADS_UF_DONT_EXPIRE_PASSWD

UserAccountControl hexadecimal values (identifiers as defined in iads.h):

0x00000001 - ADS_UF_SCRIPT: The logon script is executed.
0x00000002 - ADS_UF_ACCOUNTDISABLE: The user account is disabled.
0x00000008 - ADS_UF_HOMEDIR_REQUIRED: The home directory is required.
0x00000010 - ADS_UF_LOCKOUT: The account is currently locked out.
0x00000020 - ADS_UF_PASSWD_NOTREQD: No password is required.
0x00000040 - ADS_UF_PASSWD_CANT_CHANGE: The user cannot change the password.
    Note: You cannot assign the permission settings of PASSWD_CANT_CHANGE by directly modifying the UserAccountControl attribute. For more information and a code example that shows how to prevent a user from changing the password, see User Cannot Change Password.
0x00000080 - ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED: The user can send an encrypted password.
0x00000100 - ADS_UF_TEMP_DUPLICATE_ACCOUNT: This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. Also known as a local user account.
0x00000200 - ADS_UF_NORMAL_ACCOUNT: This is a default account type that represents a typical user.
0x00000800 - ADS_UF_INTERDOMAIN_TRUST_ACCOUNT: This is a permit to trust account for a system domain that trusts other domains.
0x00001000 - ADS_UF_WORKSTATION_TRUST_ACCOUNT: This is a computer account for a computer that is a member of this domain.
0x00002000 - ADS_UF_SERVER_TRUST_ACCOUNT: This is a computer account for a system backup domain controller that is a member of this domain.
0x00004000 - N/A: Not used.
0x00008000 - N/A: Not used.
0x00010000 - ADS_UF_DONT_EXPIRE_PASSWD: The password for this account will never expire.
0x00020000 - ADS_UF_MNS_LOGON_ACCOUNT: This is an MNS logon account.
0x00040000 - ADS_UF_SMARTCARD_REQUIRED: The user must log on using a smart card.
0x00080000 - ADS_UF_TRUSTED_FOR_DELEGATION: The service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service.
0x00100000 - ADS_UF_NOT_DELEGATED: The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation.
0x00200000 - ADS_UF_USE_DES_KEY_ONLY: Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
0x00400000 - ADS_UF_DONT_REQUIRE_PREAUTH: This account does not require Kerberos pre-authentication for logon.
0x00800000 - ADS_UF_PASSWORD_EXPIRED: The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the domain policy.
0x01000000 - ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to other remote servers on the network.

September 9th, 2015 3:55am
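Added example, not written by any poster in this thread: a small Python decoder for the userAccountControl values discussed above (544, 546, 66082 and so on) using the flag values from the iads.h table. It shows what a value contains, which flags a write adds or removes, which bits a direct write cannot set per the PASSWD_CANT_CHANGE note, and which of the set flags weaken authentication. The RISKY and NOT_DIRECTLY_SETTABLE groupings are my own; the flag values come from the table.

```python
# Decode and audit Active Directory userAccountControl bit masks; the flag
# values and iads.h names are those from the table above.
ADS_UF = {
    0x00000001: "ADS_UF_SCRIPT",
    0x00000002: "ADS_UF_ACCOUNTDISABLE",
    0x00000008: "ADS_UF_HOMEDIR_REQUIRED",
    0x00000010: "ADS_UF_LOCKOUT",
    0x00000020: "ADS_UF_PASSWD_NOTREQD",
    0x00000040: "ADS_UF_PASSWD_CANT_CHANGE",
    0x00000080: "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x00000100: "ADS_UF_TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "ADS_UF_NORMAL_ACCOUNT",
    0x00000800: "ADS_UF_INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "ADS_UF_WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "ADS_UF_SERVER_TRUST_ACCOUNT",
    0x00010000: "ADS_UF_DONT_EXPIRE_PASSWD",
    0x00020000: "ADS_UF_MNS_LOGON_ACCOUNT",
    0x00040000: "ADS_UF_SMARTCARD_REQUIRED",
    0x00080000: "ADS_UF_TRUSTED_FOR_DELEGATION",
    0x00100000: "ADS_UF_NOT_DELEGATED",
    0x00200000: "ADS_UF_USE_DES_KEY_ONLY",
    0x00400000: "ADS_UF_DONT_REQUIRE_PREAUTH",
    0x00800000: "ADS_UF_PASSWORD_EXPIRED",
    0x01000000: "ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
}
# Bits the table says are not set by writing userAccountControl directly:
# PASSWD_CANT_CHANGE (see the note) and the system-created PASSWORD_EXPIRED.
NOT_DIRECTLY_SETTABLE = 0x00000040 | 0x00800000
# My own grouping: settings that weaken authentication and deserve review.
RISKY = 0x00000020 | 0x00080000 | 0x00200000 | 0x00400000 | 0x01000000

def decode(uac):
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(ADS_UF.items()) if uac & bit]
def unknown_bits(uac):
    """Bits set in uac that the table does not define (e.g. 0x4000, 0x8000)."""
    return uac & ~sum(ADS_UF.keys())
def diff(old, new):
    """Flags added and removed when userAccountControl changes from old to new."""
    return {"added": decode(new & ~old), "removed": decode(old & ~new)}
def disable(uac):
    """Value to write to disable an account while keeping its other flags: 544 -> 546."""
    return uac | 0x00000002
def risky_flags(uac):
    return decode(uac & RISKY)
def rejected_bits(old, new):
    """Bits the write old -> new tries to flip that a direct LDAP write cannot set."""
    return decode((old ^ new) & NOT_DIRECTLY_SETTABLE)
```

Running decode(544) gives normal account plus "password not required", and diff(544, 546) shows the only change is ADS_UF_ACCOUNTDISABLE; so a failed write of 546 is about who is allowed to write the attribute, not about the value itself.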

As mentioned by <Richard> above, LDAP: error code 50 - 00002098 indicates a permissions configuration issue on the LDAP side. Check if your LDAP bind user has the right permission to make the change. If not, you need to grant/delegate proper permission to the user.
 

Regards,

Eth

September 14th, 2015 12:23am
