000014579 - AxM - Working with native Active Directory attributes

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000014579
Applies To: Access Manager 6.0.x
ClearTrust 5.5.3
2003 Server SP2
ctscUserAuxClass not in schema (default for AD)
Issue: AxM - Working with native Active Directory attributes
Customers cannot read or manipulate password expiration and lockout state and other user attributes with Access Manager/ClearTrust.
Cause

Most of the account-state information for an AD user is kept in the userAccountControl attribute. In a Windows Server 2003-based domain, the LOCK_OUT and PASSWORD_EXPIRED flags have been replaced by a new attribute, ms-DS-User-Account-Control-Computed (LDAP name msDS-User-Account-Control-Computed). Because msDS-User-Account-Control-Computed is a constructed attribute, it cannot be used in an LDAP search filter and cannot be written to.

Setting or retrieving the user's PasswordExpirationDate as a property is difficult because it is not an attribute of the user object. It is a calculated value: the sum of the user's pwdLastSet and the maxPwdAge of the user's domain. This value cannot be modified on the user.

The badPwdCount attribute is another difficult attribute to obtain. It is maintained separately on each domain controller in the domain, and a value of 0 indicates that the value is unknown. To get an accurate total of the user's bad password attempts in the domain, each domain controller must be queried and the values summed.
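The two calculations described above, as an added Python example that is not part of the RSA article: the expiration date is derived from pwdLastSet and maxPwdAge (with the never-expires cases handled), and badPwdCount is summed across domain controllers. The pwdLastSet, maxPwdAge and per-DC badPwdCount values are constructed for the example; a real deployment would read them over LDAP from each domain controller.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
# maxPwdAge is a *negative* interval in the same units, so "pwdLastSet + maxPwdAge"
# in the article means pwdLastSet plus the magnitude of maxPwdAge.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MAXPWDAGE_NEVER = -0x8000000000000000      # maxPwdAge when the domain policy is "never expires"
UF_DONT_EXPIRE_PASSWD = 0x10000            # userAccountControl bit: per-user "never expires"


def filetime_to_datetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def password_expiration(pwd_last_set, max_pwd_age, user_account_control=0):
    """Return the expiration datetime, or None when no expiration applies."""
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return None                        # user flagged "password never expires"
    if max_pwd_age in (0, MAXPWDAGE_NEVER):
        return None                        # domain policy has no maximum age
    if pwd_last_set == 0:
        return None                        # user must change password at next logon
    return filetime_to_datetime(pwd_last_set - max_pwd_age)


def total_bad_pwd_count(per_dc_counts):
    """Sum badPwdCount over every DC; a 0 means "unknown" there and adds nothing.
    Also return which DCs reported a non-zero value, so the caller knows the coverage."""
    known = {dc: n for dc, n in per_dc_counts.items() if n}
    return sum(known.values()), sorted(known)


# Constructed sample values (not taken from a real directory).
SAMPLE_PWD_LAST_SET = datetime_to_filetime(datetime(2016, 6, 1, tzinfo=timezone.utc))
SAMPLE_MAX_PWD_AGE = -42 * 24 * 60 * 60 * 10_000_000   # 42-day maximum password age
SAMPLE_BAD_PWD_COUNTS = {"dc1.example.test": 2, "dc2.example.test": 0, "dc3.example.test": 1}

if __name__ == "__main__":
    exp = password_expiration(SAMPLE_PWD_LAST_SET, SAMPLE_MAX_PWD_AGE)
    print("password expires:", exp.isoformat())
    total, dcs = total_bad_pwd_count(SAMPLE_BAD_PWD_COUNTS)
    print(f"badPwdCount across domain: {total} (reported by {', '.join(dcs)})")
```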

Notes: Reference: User Security Attributes - http://msdn.microsoft.com/en-us/library/ms677943.aspx , http://support.microsoft.com/kb/305144 , http://msdn.microsoft.com/en-us/library/ms677840.aspx
Legacy Article ID: a43725
