We have a single mixed-mode AD domain. Administrators have noticed that sometimes the same user property is reported differently by AD Users & Computers than by the old NT4 User Manager for Domains. For example, User Manager would show the item "User Must Change Password at Next Logon" to be checked, but AD Users & Computers would show it as cleared.
At first I thought it was just that they were looking at different replicas that were not in sync, but that does not seem to be the case. In my lab, I have a small domain with 2 DCs. It has not yet been switched to Native Mode, but it has no BDCs. I found that some accounts in that domain exhibit the behavior described above. AD Users & Computers, when pointed at either DC, shows the item as cleared, but User Manager for Domains on an NT4 Workstation in that domain shows it checked.

I found several sample scripts on the web to check the status of that property. I used the following:

    ' Domain and account to query
    Dim strDomain
    Dim strUser
    strDomain = "mylabdomain"
    strUser = "testusername"

    ' Bind to the account through the WinNT provider
    Dim User
    Set User = GetObject("WinNT://" & strDomain & "/" & strUser & ",user")

    ' Echo the PasswordExpired flag as the WinNT provider reports it
    WScript.Echo User.Get("PasswordExpired")

It returned a value of 1, which is supposed to equate to "User Must Change Password at Next Logon" being checked. Still, the MMC tools show it as cleared. Can anybody tell me which one to believe?

My admins tell me they occasionally see similar behavior with account lockouts, i.e., they unlock a user's account using AD Users & Computers, but the user can't log in until they do the same in User Manager for Domains. Needless to say, this does not engender a lot of trust in the new tools on the part of these admins.

Thanks in advance,
Dave