Rowland Penny
2023-Aug-24 13:37 UTC
[Samba] samba-tool user disable doesn't change any object attributes?
On Thu, 24 Aug 2023 21:12:38 +0800 Reese Wang via samba <samba at lists.samba.org> wrote:> I used `samba-tool user disable testuser` to disable a user and > `samba-tool user show testuser` to display the user object and found > nothing was changed. And I can still get the user using filter > (&(objectClass=user)(sAMAccountName=testuser)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) > > Shouldn't `samba-tool user disable` change userAccountControl to 2 or > something? >Close :-) userAccountControl is sort of accumulative, a normal enabled user account will have '512' in it, but there could be a larger number set. For instance, if the users password is set to never expire it could be '65848', which is '512' plus '65336'. To disable a user you add '2' to the '512'. Try reading this: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties Rowland
Reese Wang
2023-Aug-24 13:56 UTC
[Samba] samba-tool user disable doesn't change any object attributes?
Ah I understand the 512 + 2 thing. But the userAccountControl is still 512 after I run `samba-tool user disable` Rowland Penny via samba <samba at lists.samba.org> ?2023?8?24??? 21:38???> > On Thu, 24 Aug 2023 21:12:38 +0800 > Reese Wang via samba <samba at lists.samba.org> wrote: > > > I used `samba-tool user disable testuser` to disable a user and > > `samba-tool user show testuser` to display the user object and found > > nothing was changed. And I can still get the user using filter > > (&(objectClass=user)(sAMAccountName=testuser)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) > > > > Shouldn't `samba-tool user disable` change userAccountControl to 2 or > > something? > > > > Close :-) > > userAccountControl is sort of accumulative, a normal enabled user > account will have '512' in it, but there could be a larger number set. > For instance, if the users password is set to never expire it could be > '65848', which is '512' plus '65336'. > To disable a user you add '2' to the '512'. > > Try reading this: > > https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties > > Rowland > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Apparently Analagous Threads
- samba-tool user disable doesn't change any object attributes?
- samba-tool user disable doesn't change any object attributes?
- samba-tool user disable doesn't change any object attributes?
- Users list and the date the password will expire
- samba-tool user disable doesn't change any object attributes?