|Applies To||Access Manager 6.0.x|
2003 Server SP2
ctscUserAuxClass not in schema (default for AD)
|Issue||AxM - Working with native Active Directory attributes|
Customers cannot read or manipulate password expiration and lockout state and other user attributes with Access Manager/ClearTrust.
Most information on an AD user was kept in the userAccountControl Attribute. In a Windows Server 2003-based domain, LOCK_OUT and PASSWORD_EXPIRED have been replaced with a new attribute called ms-DS-User-Account-Control-Computed. Since msDS-User-Account-Control-Computed is a constructed attribute, it cannot be used in an LDAP search filter or written to.
Trying to set or retrieve the users PasswordExpirationDate as a property is difficult since the attribute is not part of the user object. It is a calculated value based on the sum of pwdLastSet for the user and maxPwdAge of the user's domain. You cannot modify this attribute for a user.
The badPwdCount attributed is another difficult atribute to obtain. This attribute is maintained separately on each domain controller in the domain. A value of 0 indicates that the value is unknown. To get an accurate value for the user's total bad password attempts in the domain, each domain controller in the domain must be queried and the sum of the values should be used.
|Notes||Reference: User Security Attributes - http://msdn.microsoft.com/en-us/library/ms677943.aspx , http://support.microsoft.com/kb/305144 , http://msdn.microsoft.com/en-us/library/ms677840.aspx|
|Legacy Article ID||a43725|