Upgrade to 7.0.1 now AD users missing

[lschafroth]

After the 7.0.1 upgrade, my Policy Manager only sees about 30 AD accounts. My server has 2038 accounts.

How can I fix this? This is a BIG problem.

With 6.2 it saw ALL the accounts even though they were not sorted. Now it barely sees any at all.

Lannie

[Coldfirex]

Are those 30 accounts that you can see maybe in a certain Group that the rest arent in? Not sure really. Reboot?

[lschafroth]

Some are older accounts that have been on the ad server for a long time, some are just added accounts. No ryme or reason. They all belong to the same group.

Lannie

[lschafroth]

I compared the ones that show and they have nothing different about them. They all showed in 6.2 and dont show in 7.0.1. I have 2199 accounts. 48 show.

Lannie

[mrunkel]

We should be selecting any normal user accounts with any combination of the following set:

Script enabled or not
Home directory set or not
Password Not Required set or not
Password can't change set or not
Password doesn't expire set or not

Any other option set will result in the account not being selected.

http://support.microsoft.com/default.aspx/kb/305144

I would check that list and see what it is that's different between the accounts that are selecting and those that aren't.

If it's something we can fix, we'll do it.

[lschafroth]

As I said before, nothing has changed on my accounts but going from 6.2 to 7.0.1.

I have compared an account that does show and one that does not and they are set EXACTLY the same. Every tab, every option on every tab.

They are all in the same group. They all have password never expires. None of them have a home directory since they are all just there for AD since it doesnt support LDAP.

What changed so drastically from 6.2 to 7.0.1 and how do I log it or troubleshoot it?

It's definetly something that changed in UT.

LAnnie

[n9lf]

mrunkel wrote:

We should be selecting any normal user accounts with any combination of the following set:

Script enabled or not
Home directory set or not
Password Not Required set or not
Password can't change set or not
Password doesn't expire set or not

These last two options (can't change & doesn't expire) present real problems. Is there any way to change the criteria?

Tim

[mrunkel]

Tim, it accepts accounts with that parameter set or not. Why is that an issue?

[mrunkel]

Ok, so after working with Lannie, we discovered the issue and in interest of anyone coming upon this in the future, I want to record the solution.

The accounts that weren't selecting had "PASSWD_NOTREQD" set. This causes us to not select that account type.

This is a "hidden" field that must be set programmatically or from the command line.

If accounts don't have passwords, they aren't very effective at identifying users, that's why we don't accept them.

I've filed (and closed) a bug #7052 on this issue. If anyone has a need for this to be enabled, please go there and comment on the bug.

[lschafroth]

Password Not Required set or not

Thanks to the awesome tech support, we have this resolved and quickly I might add.

The option Password Required has to be set to YES. It is worded differently than what mrunkel listed above but apparently my import script from our LDAP servers did not set this bit.

I exported all my AD accounts from AD. Added them to a spreadsheet and added the full command line before and after the names and saved that to a BAT file and it worked like a charm for all 2199 accounts.

The command is:

net user username /passwordreq:yes

This can only be done from the CMD prompt.

Thanks Support & mkrunkel for being in the right direction. It would not show in the GUI properties section of the MMC so thats why I could not find a correlation to the bad accounts and good accounts.

Lannie