
Thread: ERPM is not Displaying All Expected Accounts


    ERPM is not Displaying All Expected Accounts

    Date: November 18, 2011
    Rev: 2.0

    Problem

    [Enterprise] Random Password Manager is not displaying all expected accounts. Accounts such as Administrator may not be visible until the filter options are changed.

    Background

    [Enterprise] Random Password Manager's account store view filters certain accounts out by default such as:
    • Accounts marked as can't change password
    • Accounts marked as password not required

    In versions of [Enterprise] Random Password Manager prior to version 4.83.0, there were no display filter options to control this behavior. For version 4.83.0, display filter options were added to the management console to control the display of these accounts in the Windows Accounts View and the Accounts Store View.

    If using a version of ERPM or RPM prior to version 4.83.0, read on. If using a version of ERPM or RPM that is version 4.83.0, go to the section "Version 4.83.0 Display Options".

    How it Works

    For accounts in Active Directory, only certain flags are visible in the user interface, which can make it difficult to diagnose why certain accounts get filtered out of the view when the filters are left turned on.

    To properly determine all of the account flags for an Active Directory account, the UserAccountControl value must be properly decoded.

    The UserAccountControl value is visible when using ADSI Edit (included with 2008 & 2008 R2; 2003 and 2000 must download the support tools). The UserAccountControl values (math required) are listed here: How to use the UserAccountControl flags to manipulate user account properties.

    CAUTION! Using ADSI Editor or LDP or similar tools can lead to unwanted consequences. Be beyond careful when using these or similar tools.

    Using the decoder table from the Microsoft website and examining the default administrator account, we can begin to interpret these user account control values. For example:
    • A normal user account without any flags will simply have a UserAccountControl value of 512
    • A normal user account that is disabled will have a UserAccountControl value of 514 (512 + 2)
    • A normal user account that has password not required set will have a value of 544 (512 + 32)

    In the screenshots that follow, the built-in administrator has a UserAccountControl value of 66056.

    First, using ADSI Edit, expand the domain partition, then your domain, then find the container which contains the object to examine. In this example, the domain is "dc=lsc,dc=ent", the container is "CN=users" and the object is "CN=Administrator".




    We scan through the properties of CN=Administrator to find the UserAccountControl value of 66056. Using the Microsoft decoder, we find this value is (65536 + 512 + 8) or "DONT_EXPIRE_PASSWORD" + "NORMAL_ACCOUNT" + "HOMEDIR_REQUIRED".

    When looking at the user properties, the only visible flag is the password never expires flag:


    Compare this to user "tom". The only visible flag set on his user account is that his account is disabled:


    However, when looking at the ADSI properties for this account, a different story unfolds:


    Notice the UserAccountControl of 546 (512 + 32 + 2) or ("NORMAL_ACCOUNT" + "PASSWORD_NOT_REQUIRED" + "ACCOUNTDISABLE")

    With the TOM account configured like this, TOM would not be displayed in the accounts views until all filters were disabled.

    Version 4.83.0 Display Options

    In version 4.83.0, display option control settings were added to display or hide certain types of accounts. To set these display options, go to View | Display Options. In the top-right corner, two options will be selected by default:
    • Accounts marked as can't change password
    • Accounts marked as password not required
    Clear both of these options.


    Applies To:

    Enterprise Random Password Manager (ERPM)
    Random Password Manager (RPM)
    Last edited by Chris; 11-18-2011 at 08:32 AM.
    Support
    support@liebsoft.com
    _________________________

    1900 Avenue of the Stars, Suite 425
    Los Angeles, CA 90067
    http://www.liebsoft.com
    Main: (800) 829-6263
    International: +1 (310) 550-8575
    Fax: (310) 550-1152
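
    The UserAccountControl decoding described in "How it Works", as an added example that is not part of the original post or of ERPM. Flag names follow Microsoft's table, so the article's "PASSWORD_NOT_REQUIRED" appears as PASSWD_NOTREQD; the mapping of ERPM's two default filters to bits 32 and 64 is an assumption.

```python
# Flag names and bit values follow Microsoft's UserAccountControl table.
UAC_FLAGS = {
    0x0000001: "SCRIPT",
    0x0000002: "ACCOUNTDISABLE",
    0x0000008: "HOMEDIR_REQUIRED",
    0x0000010: "LOCKOUT",
    0x0000020: "PASSWD_NOTREQD",
    0x0000040: "PASSWD_CANT_CHANGE",
    0x0000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0000100: "TEMP_DUPLICATE_ACCOUNT",
    0x0000200: "NORMAL_ACCOUNT",
    0x0000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x0001000: "WORKSTATION_TRUST_ACCOUNT",
    0x0002000: "SERVER_TRUST_ACCOUNT",
    0x0010000: "DONT_EXPIRE_PASSWORD",
    0x0020000: "MNS_LOGON_ACCOUNT",
    0x0040000: "SMARTCARD_REQUIRED",
    0x0080000: "TRUSTED_FOR_DELEGATION",
    0x0100000: "NOT_DELEGATED",
    0x0200000: "USE_DES_KEY_ONLY",
    0x0400000: "DONT_REQ_PREAUTH",
    0x0800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}

# Assumption: ERPM's two default display filters correspond to these bits.
# Microsoft notes PASSWD_CANT_CHANGE is a permission on the user object and
# cannot be set by writing the attribute, so that bit may be absent here.
FILTER_BITS = {0x0020: "password not required", 0x0040: "can't change password"}
KNOWN_MASK = sum(UAC_FLAGS)  # every key is a distinct bit, so sum == bitwise OR

def decode_uac(value):
    """Return (flag names in ascending bit order, bits not in the table)."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    return names, value & ~KNOWN_MASK

def filter_reasons(value):
    """Return the default-filter conditions this value matches."""
    return [why for bit, why in sorted(FILTER_BITS.items()) if value & bit]

# Values quoted in the article above.
SAMPLES = {"Administrator": 66056, "tom": 546, "plain": 512, "disabled": 514}

if __name__ == "__main__":
    for account, uac in SAMPLES.items():
        names, unknown = decode_uac(uac)
        print(f"{account}: {uac} = {' + '.join(names)}; unknown bits {unknown:#x}; filtered for: {filter_reasons(uac)}")
```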
