Disabled User Accounts Appear Incorrectly in the Object Picker Dialog Box and the Active Directory Users and Computers Snap-in

You may experience the following problems when you view disabled user accounts against Windows Server 2003 domains:

• If you click Advanced on the Select Users, Computers, Or Groups dialog box (this dialog box is also known as the Object Picker dialog box), click to select the Disabled (user) accounts check box, and then perform a query, disabled user account items are not returned even though they may exist in the specified location.
• When you click to clear the Disabled (user) accounts check box, and then perform a query, the user account items that are returned by the query may include disabled user accounts that appear to be enabled.
• If you start Active Directory Users and Computers snap-in (Dsa.msc), and then select a container that has users, disabled user accounts that are listed in the details pane appear as if they are enabled.
• If you start the Active Directory Users and Computers snap-in, and then click Find on the Common Queries menu of a container, disabled account items are not returned in a query even though they may exist in the specified location.

You do not experience these symptoms if the following conditions are true:

• You are using an Administrator account.
• You are a member of the Authenticated Users group and the Pre-Windows 2000 compatible permissions option was not selected during Active Directory installation (by default, this option is not selected during installation).
• You are a member of the Authenticated Users group and the Pre-Windows 2000 Compatible Access group does not include the Everyone group as a member.

In these scenarios, only members of the following groups see the correct query results:

• Domain Administrators
• Account Operators
• RAS Servers group
• Built-in Administrators
• Enterprise Administrators

By default, users who are not members of these groups can correctly view their own user accounts and any user accounts they create.

When a new user object is created in Active Directory, the default security descriptor that is defined in the schema for the user object class is set as the object's security descriptor unless otherwise specified. Additionally, the User object inherits any inheritable permissions from its parent.

Based on default security descriptor and inherited permissions, only members of the following groups that are described in the "Summary" section of this article have Read access to the userAccountControl attribute of newly created users in Active Directory. Additionally, the creator of the new user account and the user to whom the account belongs has Read access to the userAccountControl attribute of newly created users in Active Directory.

Both the Advanced dialog box in Object Picker and the Active Directory Users and Computers snap-in use the userAccountControl attribute to determine if a user account is disabled. When a user who is accessing Object Picker or the Active Directory Users and Computers snap-in does not have Read access to the userAccountControl attribute, the disabled status of user accounts cannot be determined and disabled user accounts appear as if they are enabled.

To resolve this problem, the administrator must grant you Read access to the UserAccountControl attribute on user objects in the domain, the organizational unit, or the specific user account.

If you are an administrator, you can use any of the following methods to assign Read access to the UserAccountControl attribute.

Method 1: Use DSACLS to Enable Read-Only Access at the Root of the Domain

1. Install the DSACLS utility from the Support\Tools folder on the Windows Server 2003 media.
2. Click Start, click Run, type cmd, and then click OK.
3. Type the following command, and then press ENTER:dsacls "ds=domain,ds=com" /i:s /g "domain users":rp;useraccountcontrol;user

Method 2: Use the DSACLS Utility to Grant Read-Only Access on a Specific Organizational Unit

1. Install the DSACLS utility from the Support\Tools folder on the Windows Server 2003 media
2. Click Start, click Run, type cmd, and then click OK.
3. Type the following command, and then press ENTER:dsacls "ou=admin specified organizational_unit,DC=domain,dc==com" /i:s /g "domain users":rp;useraccountcontrol;user

Method 3: Use ACL Editor to Define Permissions on the Domain Root, the Organizational Unit, or the User Objects

1. Click Start, click Run, type dsa.msc, and then click OK.
2. On the View menu, click Advanced Features.
3. Right-click the domain node, the organizational unit, or the user account that you want to change, and then click Properties.
4. Click the Security tab, click Advanced, and then click Add.
5. Enter the name of the users or the groups to which you want to grant Read access to the UserAccountControl attribute, and then click OK.
6. In the Permissions Entry dialog box, click the Properties tab.
7. In the Apply onto box, click User Objects.
8. Under Permissions, click to select the check box in the Allow column for Read userAccountControl permissions.
9. Click OK.

Method 4: Use the Delegation Wizard to Grant Read-Only Access on the Domain Head Or on a Specified Organizational Unit

1. Make a backup copy of the %SystemRoot%\Inf\Delegwiz.inf file (for example, COPY %SYSTEMROOT%\INF\DELEGWIZ.INF.ORIG).
2. Copy the following text to the Windows clipboard:

   ;---------------------------------------------------------
   [templateXX]
   AppliesToClasses=domainDns,organizationalUnit
   
   Description = "Read-only access to UserAccountControl attribute for user accounts"
   
   ObjectTypes = user
   
   [templateXX.user]
   userAccountControl=RP
   ;---------------------------------------------------------
   					

3. Click Start, click Run, and then type the following command:
   notepad %systemroot%\inf\delegwiz.inf
4. Add a new numbered template to the [DelegationTemplates] section in the Delegwiz.inf file.
   
   Add a new Templatexx entry for the new delegation entry that is being added to Delegwiz.inf. When you add a new entry, type a comma (,) press SPACEBAR, and then type the Templatexx string, where xx is an increasing number that is one number higher than the last entry in the [DelegationTemplates] section. For example:

   [DelegationTemplates]
   
   Templates = template1, template2, template3, template4,
   template5, template6, template7, template8, template9,
   template10, template11, template12, template13 <-- add ",(spacebar)template14">            
   					

5. Paste the contents of the clipboard that you copied in step 2 to the last line of Delegwiz.inf.
   
   To do so, press CTRL+END to get to the end of the Delegwiz.inf file, and then paste the results of the clipboard on a new line. For example, if the last template number in the [DelegationTemplates] section of the .inf file is 13, paste your results after the [template13] section mark:

   ;---------------------------------------------------------
   [template13]
   AppliesToClasses=container
   
   Description = "Create, Delete, and Manage WMI Filters"
   
   ObjectTypes = SCOPE, msWMI-Som
   
   [template13.SCOPE]
   msWMI-Som=CC,DC
   
   [template13.msWMI-Som]
   @=GA
   ;----------------------------------------------------------           <--Add Hard Return Here
   <Paste contents of clipboard here>
   					

6. Replace the Templatexx strings with the correct versions numbers.
   
   Fix both Templatexx strings in the template section that you just pasted in with the template value that you used in the [DelegationTemplates] section that you changed in step 3 of method 3.
7. Save the file.
8. Start the Active Directory Users and Computers snap-in.
   
   To do so, click Start, click Run, type dsa.msc, and then click OK.
9. Start the Delegation Wizard.
10. Right-click the root of the domain or organizational unit, and then click Delegation Wizard.
11. Use the Delegation Wizard to grant the required users or group read-only access to the UserAccountControl attribute.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

The userAccountControl attribute is a bit mask that may contain additional information about the status of a user or computer account. If you grant Read access to the UserAccountControl attribute, users who do not have administrative rights have access to these attributes for all modified objects in the domain or forest. For more information about the UserAccountControl attribute, visit the following Microsoft Web site: For more information about the meaning of the flags in the UserAccountControl attribute, visit the following Microsoft Web site (see the "usri3_flags" section):