Thursday, July 27, 2006

msDs-User-Account-Control-Computed Not So Spiffy

You learn something new every day.  I had been under the mistaken belief that the new ‘msDs-User-Account-Control-Computed’ attribute was a sexier and more accurate version of the older, non-constructed ‘userAccountControl’.  In fact, I believe it might have been me that wrote words to that effect in the book.

Yeah… well… whoops.  An errata post is coming.

If we recap what we did not like about ‘userAccountControl’, it was that it did not accurately reflect all the user flags (PasswordExpired, PasswordCannotChange, and AccountLockout specifically) for the LDAP provider.  It would seem natural that the ‘msDs-User-Account-Control-Computed’ attribute was identical to the ‘userAccountControl’ attribute, but also accurately reflected those 3 flags.  At least for Active Directory, this is just not true.  It turns out that this sucker only ever reports AccountLockout and PasswordExpired, and is zero for everything else.  Boo, hiss…

So, what seemed like a promising replacement for an all-in-one user flags smorgasbord, is in fact a bit of an anorexic turd.  Why MS chose this particular behavior is beyond me…

The moral of the story?  You are still stuck with using both attributes – and even then you can’t get an accurate PasswordCannotChange flag.  Bummer.
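As an added example (not code from the post or the book), here is how a reader of both attributes would merge them the way the post concludes is necessary: the computed attribute is trusted only for the lockout and password-expired bits, the stored attribute for everything else, and the `flags_from_entry` helper and sample entries are constructed for illustration.

```python
# Added example, not code from the original post.  It models the post's
# conclusion: on AD, msDS-User-Account-Control-Computed only ever carries the
# LOCKOUT and PASSWORD_EXPIRED bits, so both attributes must be requested and
# merged; PASSWD_CANT_CHANGE stays unreliable.  Bits are ADS_USER_FLAG_ENUM.
UF_LOCKOUT = 0x10
UF_PASSWD_CANT_CHANGE = 0x40
UF_PASSWORD_EXPIRED = 0x800000
UF_NAMES = {
    0x2: "ACCOUNTDISABLE",
    UF_LOCKOUT: "LOCKOUT",
    0x20: "PASSWD_NOTREQD",
    UF_PASSWD_CANT_CHANGE: "PASSWD_CANT_CHANGE",  # not authoritative either way
    0x200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
    0x40000: "SMARTCARD_REQUIRED",
    0x400000: "DONT_REQUIRE_PREAUTH",
    UF_PASSWORD_EXPIRED: "PASSWORD_EXPIRED",
}
# The only bits the constructed attribute reports on Active Directory.
COMPUTED_BITS = UF_LOCKOUT | UF_PASSWORD_EXPIRED


def effective_flags(user_account_control: int, computed: int) -> int:
    """Merge the two attributes, trusting each only for the bits it owns."""
    # Mask LOCKOUT/PASSWORD_EXPIRED out of the stored attribute so a stale
    # bit there cannot override what the directory computed.
    return (user_account_control & ~COMPUTED_BITS) | (computed & COMPUTED_BITS)


def decode(flags: int) -> list:
    """Names of the set bits, lowest bit first."""
    return [name for bit, name in sorted(UF_NAMES.items()) if flags & bit]


def flags_from_entry(entry: dict) -> int:
    """Merge both attributes from one LDAP entry (values arrive as strings).

    Constructed attributes come back only when asked for by name, so a
    missing computed value is an error, not "neither locked nor expired".
    """
    if "msDS-User-Account-Control-Computed" not in entry:
        raise ValueError("msDS-User-Account-Control-Computed was not requested")
    return effective_flags(int(entry["userAccountControl"]),
                           int(entry["msDS-User-Account-Control-Computed"]))


# Constructed sample entries (not real directory data): a locked-out account,
# and one whose stored attribute still carries a stale LOCKOUT bit.
LOCKED = {"userAccountControl": "512", "msDS-User-Account-Control-Computed": "16"}
STALE = {"userAccountControl": "528", "msDS-User-Account-Control-Computed": "0"}
```

Whether PASSWD_CANT_CHANGE appears in the merged value says nothing about the real setting, which is the point the post ends on.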