I received an email with a script to clear the pwd_not_reqd flag that the author said he meant to post as a comment but couldn’t (old posts don’t allow comments anymore to slow down on spam). The post was http://blog.joeware.net/2006/06/29/431/
Fortunately, you don’t need a script to do this; it is a one-liner with adfind/admod (all on one line).
adfind -default -bit -f "&(objectcategory=computer)(useraccountcontrol:AND:=32)" useraccountcontrol -adcsv | admod -sc uacclear:PASSWD_NOTREQD -unsafe
Here it is in action…
[Wed 09/09/2009 18:36:06.30]
G:\new1\Dev\CPP\ExchMbx>adfind -default -bit -f "&(objectcategory=computer)(useraccountcontrol:AND:=32)" useraccountcontrol -adcsv | admod -sc uacclear:PASSWD_NOTREQD -unsafe
AdMod V01.11.00cpp ##BETA## Joe Richards (joe@joeware.net) June 2007
DN Count: 8
Using server: r2dc1.test.loc:389
Directory: Windows Server 2003
Modifying specified objects…
DN: CN=testcmp,CN=Computers,DC=test,DC=loc…
DN: CN=testdc,CN=Users,DC=test,DC=loc…
DN: CN=FakeServer1,CN=Computers,DC=test,DC=loc…
DN: CN=FakeServer2,CN=Computers,DC=test,DC=loc…
DN: CN=FakeServer3,CN=Computers,DC=test,DC=loc…
DN: CN=FakeServer10,CN=Computers,DC=test,DC=loc…
DN: CN=FakeServer11,CN=Computers,DC=test,DC=loc…
DN: CN=FakeServer12,CN=Computers,DC=test,DC=loc…
The command completed successfully
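The Python below is an added example, not code from the original post or from adfind/admod. It shows the LDAP matching-rule OID that the :AND: shorthand stands for when -bit is used, and previews the userAccountControl value each matching object would hold once bit 32 is cleared, so the change can be reviewed before it is piped into admod. The function names and the DNs and values in SAMPLE are constructed for illustration.

```python
import re

# userAccountControl bits (subset of Microsoft's documented flag table)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x80000: "TRUSTED_FOR_DELEGATION",
}
PASSWD_NOTREQD = 0x0020  # decimal 32, the value used in the filter above

# Active Directory bitwise matching rules behind the :AND: / :OR: shorthand
BIT_RULES = {"AND": "1.2.840.113556.1.4.803", "OR": "1.2.840.113556.1.4.804"}


def expand_bit_filter(ldap_filter):
    """Rewrite the :AND:/:OR: shorthand into the raw matching-rule OID."""
    return re.sub(r":(AND|OR):",
                  lambda m: ":" + BIT_RULES[m.group(1)] + ":", ldap_filter)


def decode(uac):
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


def plan_clear(rows, flag=PASSWD_NOTREQD):
    """(dn, old, new) for each row the bitwise-AND rule would match."""
    return [(dn, uac, uac & ~flag) for dn, uac in rows if uac & flag == flag]


# Constructed sample values, not taken from the run shown above
SAMPLE = [
    ("CN=ws1,CN=Computers,DC=example,DC=test", 4128),   # workstation + flag
    ("CN=ws2,CN=Computers,DC=example,DC=test", 4130),   # same, also disabled
    ("CN=ws3,CN=Computers,DC=example,DC=test", 4096),   # flag not set
    ("CN=dc1,OU=Domain Controllers,DC=example,DC=test", 532480),  # DC
]

if __name__ == "__main__":
    print(expand_bit_filter(
        "&(objectcategory=computer)(useraccountcontrol:AND:=32)"))
    for dn, old, new in plan_clear(SAMPLE):
        print(dn, old, decode(old), "->", new, decode(new))
```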
Hey Joe,
That was me!!! Thanks for getting back to me.
Steve
When we create new computers, we always pre-stage our computers. Is there a way to get it so that the PASSWD_NOTREQD flag is set properly or is this just something we should run occasionally in our domain?
I haven’t looked in a while, but that flag was being set due to a bug in ADUC that I reported years ago. Try to create a machine account with the version of ADUC you use, if it is set, then you know the bug is still there. NETDOM doesn’t do it and of course if you are scripting it, it is up to your script on whether or not it does it.