How to set additional user properties in Windows 2000 with MMS (275177)



The information in this article applies to:

  • Microsoft Metadirectory Services 2.2

This article was previously published under Q275177

SUMMARY

In Microsoft Metadirectory Services (MMS), by using the Active Directory Management Agent (MA), you can set the following account options when you are creating a new user account.
  • User must change password at next logon
  • User cannot change Password
  • Password never Expires
  • Account is Disabled
However, in Active Directory Users and Computers, there are other available account options. This article describes how to set additional account options by using the userAccountControl attribute.

MORE INFORMATION

If you select the user account option check boxes in the user properties, numerical values are assigned to the userAccountControl attribute. The exact value that is assigned to the attribute tells the system which options have been enabled.

For documentation about the userAccountControl attribute and the possible settings for the attribute, visit the following MSDN Web site:

For account options that are not supported in the MMS User Interface, you can edit the account creation template for the MA to set the desired values in the userAccountControl attribute:
  1. Select the Active Directory MA where you would like to set additional controls.
  2. In the Action panel, click Design MA.
  3. On the Control Connected Directory tab, click the Output Construction Templates tab, and then click CD Accounts from Connectors, which would be the Crt.st file in the Zoomserv\Data\Dsgates\Ad folder.
  4. Insert the following line in the desired location where you will be assigning this value for user account creation:
       $cd.userAccountControl = X

    Note To determine the numerical value of X, refer to the following section in this article.

    A suggested placement of this line is under the #Attribute Assignment heading in the user specific area of the template where other attributes, such as given name, surname, and telephone number, are assigned.

To determine the userAccountControl (X) value

To determine the value for userAccountControl, set all the desired option flags for a user by checking the boxes that are associated with the options.

Next, by using a tool such as Ldp.exe or Adsiedit, look at that user's userAccountControl attribute. You can find either tool in Windows 2000 Support Tools.

To set values in Active Directory Users and Computers

  1. In Active Directory Users and Computers, create a test user account that is called TestAccount, or use an existing account.
  2. Double-click the user account to view the properties.
  3. On the Account tab, in the Account Options section of the form, select all of the values that you want to assign to the users that you will create in the Active Directory MA.
  4. Click OK to close the dialog box.

To use the Adsiedit tool to obtain the userAccountControl value

  1. Run Adsiedit.exe:
    • If you did not install Support Tools on your computer, run Adsiedit.exe from the Support\Reskit\Netmgmt\Dstool folder on the retail version of the Windows 2000 CD-ROM.
    • If you did install Support Tools on your computer, click Start, click Programs, click Windows 2000 Support Tools, click Tools, and then click ADSI Edit.
  2. Click the Domain container, such as DC=company,DC=com.
  3. Click the container, such as Users, or the Organizational Unit (OU) in which the test user resides.
  4. Right-click the test user account, and then click Properties.
  5. In the Select which properties to view box, click Optional.
  6. In the Select a property to View box, click userAccountControl.
  7. Write down the number that is in the Value(s) box. For example, if the value is 524832, this implies that the User must change password at next logon and Account is trusted for Delegation check boxes were selected.
  8. After you determine the desired numerical value, change the X in the MA template to that value.
  9. In a test environment, verify that the correct options are set when the MA runs.
Warning When you set this value in the template, this overrides the default configuration of the MA in the Active Directory Object Creation Settings of the Active Directory MA.

It is important to ensure that the numerical value that is being passed to the userAccountControl attribute reflects the exact settings that you want to use for the user.

Updating of the userAccountControl attribute on an Active Directory user object can unintentionally reset user attributes, such as the following attributes:
  • Password never expires
  • Store password using reversible encryption
  • Smart card required
  • Account is sensitive
  • Use DES encryption
  • Do not require Kerberos preauthentication
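
The check described above, as an added example that is not part of the original article: Python code that decodes a candidate X into flag names, using the bit values from Microsoft's userAccountControl documentation, and lists the flags that weaken the account so they can be confirmed as intended. The function names and the choice of which flags count as weakening are assumptions of this example.

```python
# Added example (not from the KB article): review a candidate value for X.
# Bit values are Microsoft's documented userAccountControl flags (subset).
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",              # Account is disabled
    0x000020: "PASSWD_NOTREQD",              # no password required
    0x000040: "PASSWD_CANT_CHANGE",
    0x000080: "ENCRYPTED_TEXT_PWD_ALLOWED",  # reversible encryption
    0x000200: "NORMAL_ACCOUNT",              # ordinary user account type
    0x010000: "DONT_EXPIRE_PASSWORD",        # Password never expires
    0x040000: "SMARTCARD_REQUIRED",
    0x080000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",               # Account is sensitive
    0x200000: "USE_DES_KEY_ONLY",            # Use DES encryption
    0x400000: "DONT_REQ_PREAUTH",            # no Kerberos preauthentication
}
# Assumption of this example: the flags a reviewer should sign off on explicitly.
WEAKENING = {"PASSWD_NOTREQD", "ENCRYPTED_TEXT_PWD_ALLOWED", "DONT_EXPIRE_PASSWORD",
             "TRUSTED_FOR_DELEGATION", "USE_DES_KEY_ONLY", "DONT_REQ_PREAUTH"}

def decode(value):
    """Return (flag names set in value, bits this table does not name)."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    return names, value & ~sum(UAC_FLAGS)

def compose(names):
    """Build X from flag names; an unknown name raises KeyError."""
    by_name = {name: bit for bit, name in UAC_FLAGS.items()}
    value = 0
    for name in names:
        value |= by_name[name]
    return value

def review(value):
    """List what should be checked before value is written to the template."""
    names, unknown = decode(value)
    findings = [f"weakening flag set: {n}" for n in names if n in WEAKENING]
    if "NORMAL_ACCOUNT" not in names:
        findings.append("NORMAL_ACCOUNT (0x200) is not set")
    if unknown:
        findings.append(f"bits not named in this table: {unknown:#x}")
    return findings

if __name__ == "__main__":
    x = 524832  # the example value from step 7
    print(x, decode(x)[0])
    for finding in review(x):
        print("  -", finding)
```

Run decode and review on the number read from ADSI Edit before it replaces X in the template, and again on the test account after the MA runs.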

Modification Type: Minor
Last Reviewed: 1/18/2006
Keywords:kbhowto KB275177