I've set up a script that scans the non-disabled user base; base query:

  (&(objectClass=user)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

and for every user I check the 'last password change' data value, doing something (e.g., disabling it ;-) if it is too far back.

I've found that my script also gets some 'dns-*' accounts; looking at the data I've found that the account associated with the DC with the FSMO roles (and the DC where I first deployed the domain) has:

  isCriticalSystemObject: TRUE

while all the other DCs do NOT, so the query:

  (&(objectClass=user)(!(objectClass=computer))(!(isCriticalSystemObject=TRUE))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

works as expected, but filters out only the dns-* account of the FSMO roles DC, not those of the other DCs.

Googling a bit, it seems that it is safer NOT to change this attribute.

Supposing that disabling the dns-* accounts is not such a good idea, how can I filter those accounts? Only by 'dns-*' name?

Thanks.

-- 
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
On Tue, 18 Dec 2018 19:13:16 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> I've set up a script that scans the non-disabled user base; base query:
>
> (&(objectClass=user)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
>
> and for every user I check the 'last password change' data value,
> doing something (e.g., disabling it ;-) if it is too far back.
>
> I've found that my script also gets some 'dns-*' accounts; looking at
> the data I've found that the account associated with the DC with the FSMO
> roles (and the DC where I first deployed the domain) has:
>
> isCriticalSystemObject: TRUE

Not sure where that came from; both my dns-* users do not have that line.

> while all the other DCs do NOT, so the query:
>
> (&(objectClass=user)(!(objectClass=computer))(!(isCriticalSystemObject=TRUE))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
>
> works as expected, but filters out only the dns-* account of the FSMO
> roles DC, not those of the other DCs.
>
> Googling a bit, it seems that it is safer NOT to change this attribute.
>
> Supposing that disabling the dns-* accounts is not such a good idea,
> how can I filter those accounts? Only by 'dns-*' name?

No, it wouldn't be a good idea to disable them, not if you want BIND9_DLZ to work.

You do not say what language you have written the script in (Bash, Python, etc.), but couldn't you add something like this (for bash):

    if [[ "$username" == dns-* ]]; then
        continue    # skip to the next user
    fi

Or whatever the script language uses.

Rowland
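The sweep Marco describes and the name-based exclusion Rowland suggests, worked through as an added example (this is not code from the thread or from Samba). It parses the "attr: value" records that ldbsearch or ldapsearch print, decodes pwdLastSet (a Windows FILETIME, 100-nanosecond ticks since 1601-01-01 UTC), applies the same objectClass and userAccountControl tests as the LDAP filter, and then skips dns-* accounts by name and anything flagged isCriticalSystemObject, so the other DCs' dns-* accounts (which lack that attribute) are still protected. The records, the DC=example,DC=lan suffix, the account names and the "today" date are constructed for the example; the filter string is the thread's query with both exclusions added.

```python
from datetime import datetime, timedelta, timezone

UF_ACCOUNTDISABLE = 0x0002  # bit tested by (userAccountControl:1.2.840.113556.1.4.803:=2)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # pwdLastSet counts 100-ns ticks from here

# The thread's base filter plus both exclusions discussed: dns-* by name (Rowland's
# suggestion, pushed into the filter) and anything flagged isCriticalSystemObject.
STALE_CANDIDATE_FILTER = (
    "(&(objectClass=user)(!(objectClass=computer))"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
    "(!(isCriticalSystemObject=TRUE))"
    "(!(sAMAccountName=dns-*)))"
)


def datetime_to_filetime(dt):
    """Aware UTC datetime -> FILETIME integer (integer arithmetic, no float rounding)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def filetime_to_datetime(value):
    """pwdLastSet string -> aware datetime; None for 0 ("must change at next logon")."""
    ticks = int(value)
    return None if ticks <= 0 else FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_ldif(text):
    """'attr: value' records as ldbsearch/ldapsearch print them -> list of {attr: [values]}.
    Records are separated by blank lines; '#' comment lines are ignored."""
    entries, current = [], {}
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("#"):
            continue
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def first(entry, attr, default=None):
    return entry.get(attr, [default])[0]


def is_enabled_user(entry):
    """Script-side twin of the objectClass and userAccountControl clauses."""
    classes = entry.get("objectClass", [])
    if "user" not in classes or "computer" in classes:
        return False
    return not (int(first(entry, "userAccountControl", "0")) & UF_ACCOUNTDISABLE)


def is_protected(entry):
    """Never touch dns-* (BIND9_DLZ needs them) or anything AD marks critical."""
    critical = first(entry, "isCriticalSystemObject", "FALSE").upper() == "TRUE"
    return first(entry, "sAMAccountName", "").lower().startswith("dns-") or critical


def stale_accounts(entries, now, max_age_days):
    """sAMAccountNames of enabled, non-protected users whose password is older than max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for entry in entries:
        if not is_enabled_user(entry) or is_protected(entry):
            continue
        changed = filetime_to_datetime(first(entry, "pwdLastSet", "0"))
        if changed is not None and changed < cutoff:  # pwdLastSet 0 has nothing to age out
            stale.append(first(entry, "sAMAccountName"))
    return sorted(stale)


def _record(name, uac, changed, **extra):
    """Build one constructed ldbsearch-style record (changed: (y, m, d) tuple, or 0)."""
    when = datetime_to_filetime(datetime(*changed, tzinfo=timezone.utc)) if changed else 0
    attrs = {"objectClass": "user", "sAMAccountName": name,
             "userAccountControl": uac, "pwdLastSet": when, **extra}
    return f"dn: CN={name},CN=Users,DC=example,DC=lan\n" + "".join(f"{k}: {v}\n" for k, v in attrs.items())


# Constructed records; not real directory data.
SAMPLE_OUTPUT = "\n".join([
    _record("alice", 512, (2018, 3, 1)),      # enabled, old password -> candidate
    _record("bob", 512, (2018, 12, 1)),       # enabled, changed recently
    _record("carol", 514, (2017, 1, 1)),      # UF_ACCOUNTDISABLE already set
    _record("dns-dc1", 512, (2017, 6, 1), isCriticalSystemObject="TRUE"),  # FSMO DC's account
    _record("dns-dc2", 512, (2017, 6, 1)),    # other DC's account: only the name protects it
    _record("dave", 512, 0),                  # must change at next logon
])
SWEEP_NOW = datetime(2018, 12, 18, tzinfo=timezone.utc)  # constructed "today"


def run_sample(max_age_days):
    """Run the sweep over the constructed records as of SWEEP_NOW."""
    return stale_accounts(parse_ldif(SAMPLE_OUTPUT), SWEEP_NOW, max_age_days)


if __name__ == "__main__":
    print("LDAP filter:", STALE_CANDIDATE_FILTER)
    print("stale after 90 days:", run_sample(90))
```

In a real run, `parse_ldif` would be fed the output of something like `ldbsearch -H /var/lib/samba/private/sam.ldb "<filter>" sAMAccountName userAccountControl pwdLastSet isCriticalSystemObject` (path and attribute list are the usual Samba AD DC layout, assumed here), and `stale_accounts` would feed the action step. Keeping the dns-* and isCriticalSystemObject checks in the script as well as in the filter means an edited or mistyped filter cannot by itself disable the accounts BIND9_DLZ depends on.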
On Tue, 2018-12-18 at 18:50 +0000, Rowland Penny via samba wrote:
> On Tue, 18 Dec 2018 19:13:16 +0100
> Marco Gaiarin via samba <samba at lists.samba.org> wrote:
>
> > I've set up a script that scans the non-disabled user base; base query:
> >
> > (&(objectClass=user)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
> >
> > and for every user I check the 'last password change' data value,
> > doing something (e.g., disabling it ;-) if it is too far back.
> >
> > I've found that my script also gets some 'dns-*' accounts; looking at
> > the data I've found that the account associated with the DC with the FSMO
> > roles (and the DC where I first deployed the domain) has:
> >
> > isCriticalSystemObject: TRUE
>
> Not sure where that came from; both my dns-* users do not have that
> line.

We probably should add it, however. ;-)

> > while all the other DCs do NOT, so the query:
> >
> > (&(objectClass=user)(!(objectClass=computer))(!(isCriticalSystemObject=TRUE))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
> >
> > works as expected, but filters out only the dns-* account of the FSMO
> > roles DC, not those of the other DCs.
> >
> > Googling a bit, it seems that it is safer NOT to change this attribute.
> >
> > Supposing that disabling the dns-* accounts is not such a good idea,
> > how can I filter those accounts? Only by 'dns-*' name?
>
> No, it wouldn't be a good idea to disable them, not if you want
> BIND9_DLZ to work.

Yeah. For the list, this account is part of a small attempt to provide some measure of privilege separation between BIND9 and the rest of Samba's AD DC.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba