UserAccountControl AD attribute set to 544 for some IM created accounts

Article ID: 262092

Updated On: 03-16-2023

Products

CA Identity Suite

Issue/Introduction

During a vulnerability scan of AD, some accounts were found with a blank password and the UserAccountControl AD attribute set to 544 (a combined state: normal account 512 + password not required 32).

Environment

Release : 14.4

Cause

Logs show that account creation failed with the error "Unable to set Password Reason: Unwilling To Perform".

Resolution

Because account creation is a multi-step process without rollback, the failed password step left the account in place with a blank password and the UserAccountControl attribute set to 544 (a combined state: normal account 512 + password not required 32).

The solution is to fix the underlying issue. In this case, the password policies in IM and AD are different.

Each time an endpoint account creation error occurs, the administrator should analyze the error and decide whether the account should be removed after the underlying cause is fixed.
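
To find accounts left in the state described above, an administrator can search AD for the "password not required" bit (32) and triage the hits. The following is an added example, not code from the product or the vendor; the function names and the sample records are constructed for illustration, and the commented live query assumes the ActiveDirectory PowerShell module is available.

```powershell
# Added example: triage accounts whose userAccountControl has PASSWD_NOTREQD (32) set.
# Flag values are the standard userAccountControl bits; function names are hypothetical.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE       = 0x0002
    PASSWD_NOTREQD       = 0x0020
    NORMAL_ACCOUNT       = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
}

function ConvertFrom-Uac {
    param([int]$Value)
    # Return the names of the known flags that are set in the value.
    $UacFlags.GetEnumerator() |
        Where-Object { $Value -band $_.Value } |
        ForEach-Object { $_.Key }
}

function Find-PasswordNotRequiredAccount {
    param([Parameter(ValueFromPipeline)]$Account)
    process {
        $uac = [int]$Account.userAccountControl
        if (-not ($uac -band 0x20)) { return }      # bit 32 clear: not affected
        [pscustomobject]@{
            SamAccountName = $Account.SamAccountName
            Uac            = $uac
            Flags          = (ConvertFrom-Uac $uac) -join '+'
            Enabled        = -not ($uac -band 0x2)
            # pwdLastSet = 0: password never set, or a change is forced at next logon
            PwdLastSetZero = ($Account.pwdLastSet -eq 0)
            WhenCreated    = $Account.whenCreated
        }
    }
}

# Live query; the matching rule OID performs a bitwise AND against bit 32:
# Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))' `
#     -Properties userAccountControl, pwdLastSet, whenCreated | Find-PasswordNotRequiredAccount

# Constructed sample records so the triage logic can be run without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'user.ok';       userAccountControl = 512; pwdLastSet = 133233000000000000; whenCreated = '2023-03-01' }
    [pscustomobject]@{ SamAccountName = 'user.failed';   userAccountControl = 544; pwdLastSet = 0;                  whenCreated = '2023-03-02' }
    [pscustomobject]@{ SamAccountName = 'user.disabled'; userAccountControl = 546; pwdLastSet = 0;                  whenCreated = '2023-03-02' }
)

$sample | Find-PasswordNotRequiredAccount | Format-Table -AutoSize
```

Hits that are enabled and show PwdLastSetZero are the ones to compare against the IM account creation errors in the logs.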