We have a single mixed-mode AD domain. Administrators have noticed that sometimes the
same user property is reported differently by AD Users & Computers than by the old NT4
User Manager for Domains. For example, User Manager would show the item "User Must
Change Password at Next Logon" to be checked, but AD Users & Computers would show it
as cleared.

At first I thought it was just that they were looking at different replicas that were
not in sync, but that does not seem to be the case.

In my lab, I have a small domain with 2 DCs. It has not yet been switched to Native
Mode, but it has no BDCs. I found that some accounts in that domain exhibit the
behavior described above. AD Users & Computers, when pointed at either DC, shows the
item as cleared, but User Manager for Domains on an NT4 Workstation in that domain
shows it checked.

I found several sample scripts on the web to check the status of that property. I
used the following:
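
' Domain and account to query (lab values)
Dim strDomain
Dim strUser
strDomain = "mylabdomain"
strUser = "testusername"

' Bind to the account through the WinNT provider
Dim User
Set User = GetObject("WinNT://" & strDomain & "/" & strUser & ",user")

' Print the PasswordExpired flag for the account
WScript.Echo User.Get("PasswordExpired")
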
It returned a value of 1, which is supposed to equate to "User Must Change Password at
Next Logon" being checked. Still, the MMC tools show it as cleared.

Can anybody tell me which one to believe? My admins tell me they occasionally see
similar behavior with account lockouts, i.e., they unlock a user's account using AD
Users & Computers, but the user can't log in until they do the same in User Manager for
Domains. Needless to say, this does not engender a lot of trust in the new tools on
the part of these admins.

Thanks in advance,
Dave
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
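
Added example, not part of the original post: a VBScript sketch that reads the two flags discussed above through both directory views, the WinNT provider used in the posted script and the LDAP attributes pwdLastSet and lockoutTime, on each DC in turn. The DC names dc1 and dc2 and the helper IsZeroOrUnset are assumptions for illustration; the domain and user names are the post's placeholders.

```vbscript
Option Explicit
' Placeholders from the post; dc1/dc2 are assumed DC names for illustration.
Const strDomain = "mylabdomain"
Const strUser = "testusername"
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1
Dim objNT, objTrans, objLDAP, strDN, strDC

' Hypothetical helper: True when a 64-bit (IADsLargeInteger) attribute is
' zero. An attribute that is not set at all is treated as zero (assumption).
Function IsZeroOrUnset(objEntry, strAttr)
    Dim objLarge
    IsZeroOrUnset = True
    On Error Resume Next
    Set objLarge = objEntry.Get(strAttr)
    If Err.Number = 0 Then
        IsZeroOrUnset = (objLarge.HighPart = 0 And objLarge.LowPart = 0)
    End If
    On Error GoTo 0
End Function

' View 1: the WinNT provider, as in the script from the post.
Set objNT = GetObject("WinNT://" & strDomain & "/" & strUser & ",user")
WScript.Echo "WinNT PasswordExpired: " & objNT.Get("PasswordExpired")
WScript.Echo "WinNT IsAccountLocked: " & objNT.IsAccountLocked

' Translate DOMAIN\user into a distinguished name for the LDAP bind.
Set objTrans = CreateObject("NameTranslate")
objTrans.Init ADS_NAME_INITTYPE_GC, ""
objTrans.Set ADS_NAME_TYPE_NT4, strDomain & "\" & strUser
strDN = objTrans.Get(ADS_NAME_TYPE_1779)

' View 2: the LDAP attributes, read from each DC in turn.
For Each strDC In Array("dc1", "dc2")
    Set objLDAP = GetObject("LDAP://" & strDC & "/" & strDN)
    WScript.Echo strDC & " pwdLastSet is 0 (must change at next logon): " & _
        IsZeroOrUnset(objLDAP, "pwdLastSet")
    WScript.Echo strDC & " lockoutTime is nonzero (a lockout was recorded): " & _
        (Not IsZeroOrUnset(objLDAP, "lockoutTime"))
Next
```

A nonzero lockoutTime only records that a lockout occurred; it does not say whether the lockout duration has since expired.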