Populate userAccountControl with a non-domain member IQS

Hi my friends. I have a requirement to create AD users with the Password Never Expires flag. I tried filling the value with 66048, 0x100200, but it creates the user with the value 512.

I tried to use a PowerShell after-create rule, using the command

Set-ADUser -Identity $sAMAccountName -PasswordNeverExpires $true

This worked fine in my demo tenant, as I have AD and IQS on the same machine.

The problem is in the client architecture, because they have IQS installed on a non-domain server, and IQS runs with a local administrator. In this case, the rule does not work.

Is there some way to run this command remotely? I am trying to create a remote PS session, but without luck yet.

Hi @jsosa,

I have been able to create AD accounts by passing UAC value 66048 in the account creation policy. Maybe you want to troubleshoot why it doesn't work for you before taking the next step.

Thanks @jesvin90, I will try on another environment and come back soon.

@jesvin90 are you sending the userAccountControl value as 66048 directly or as hex 0x10200?

Worked correctly in my demo environment (AD with IQS on a domain member server). This is the only difference between the client tenant and mine, so perhaps this is not working because IQS is not in Windows server.

We have decided to move IQS from the non-domain member machine to another Windows server inside the domain.

I was also checking the possibility of launching an after-creation rule command

Set-ADUser -Identity $sAMAccountName -PasswordNeverExpires $true

in conjunction with New-PSSession. If I get some time to test it, I will come back with results.

We added the IQService server to the domain, and it worked.
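
The following is an added example, not code from any poster in this thread or from the product: it decodes the userAccountControl values discussed above (512 and 66048) and sketches the New-PSSession approach that was mentioned but not tested. It assumes a WinRM HTTPS listener on a domain controller and a domain credential; the function names, `dc01.example.test` and `jdoe` are hypothetical placeholders.

```powershell
# Added example (not from the thread). Host and account names are placeholders.

# Subset of the documented userAccountControl bit values.
$UacBits = [ordered]@{
    ACCOUNTDISABLE       = 0x2
    PASSWD_NOTREQD       = 0x20
    NORMAL_ACCOUNT       = 0x200      # 512
    DONT_EXPIRE_PASSWORD = 0x10000    # 65536
    SMARTCARD_REQUIRED   = 0x40000
    DONT_REQ_PREAUTH     = 0x400000
}

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    # Return the name of every known bit that is set in $Value.
    @($UacBits.GetEnumerator() |
        Where-Object { $Value -band $_.Value } |
        ForEach-Object { $_.Key })
}

function Set-PasswordNeverExpiresRemote {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Assumption: a domain controller, so the AD cmdlets run locally
        # there and no second authentication hop is required.
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # -UseSSL: WinRM over HTTPS. The calling host is not domain-joined,
    # so it must trust the certificate presented by the listener.
    $session = New-PSSession -ComputerName $ComputerName -Credential $Credential -UseSSL
    try {
        Invoke-Command -Session $session -ScriptBlock {
            Set-ADUser -Identity $using:SamAccountName -PasswordNeverExpires $true
            # Read the attribute back so the caller can verify the result.
            (Get-ADUser -Identity $using:SamAccountName -Properties userAccountControl).userAccountControl
        }
    } finally {
        Remove-PSSession $session
    }
}

# Offline check of the two values from the thread.
ConvertFrom-UserAccountControl 512
ConvertFrom-UserAccountControl 66048

# Usage against a real environment (placeholders):
# $uac = Set-PasswordNeverExpiresRemote -SamAccountName 'jdoe' -ComputerName 'dc01.example.test' -Credential (Get-Credential)
# ConvertFrom-UserAccountControl $uac
```

The credential passed in only needs write access to the target users' userAccountControl attribute, which can be delegated on the OU instead of using a Domain Admin account.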