Incorrect userAccountControl Attribute value causes error in DCDIAG

Monday, December 15, 2008
When you run DCDIAG for a domain controller you may see the following error reported:

Starting test: MachineAccount
Checking machine account for DC MYDC01 on DC MYDC01.
Warning: Attribute userAccountControl of MYDC01 is: 0x82020 = ( UF_PASSWD_NOTREQD , UF_SERVER_TRUST_ACCOUNT , UF_TRUSTED_FOR_DELEGATION )
Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT , UF_TRUSTED_FOR_DELEGATION )
This may be affecting replication?
......................... MYDC01 passed test MachineAccount

This typically occurs when the computer account was pre-staged in Active Directory before the computer was joined to the domain. It may also occur if you use the Active Directory Migration Tool (ADMT) to migrate to a new domain. In either case, the 0x20 flag (UF_PASSWD_NOTREQD) is set in the userAccountControl attribute, indicating that the computer account does not require password changes. It really doesn't matter, as Windows will use a password (and change it every 30 days) regardless of this setting.

The error is still annoying, so here's how to fix it:
  • Open ADSIEdit.MSC (install the Support Tools if ADSIEdit is not installed)
  • Connect to the Domain naming context
  • Expand the domain and navigate to the Domain Controllers container
  • Select the problem Domain Controller
  • Right-click the Domain Controller and select Properties
  • Scroll to the userAccountControl attribute and click the Edit button
  • Change the decimal value to 532480 (0x82000 hex)
  • Click OK twice and close ADSIEdit

Wait for the change to replicate and re-run DCDIAG to confirm the error has cleared.
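
To see which bits differ before editing the value, the following added example (not part of the original post) decodes a userAccountControl value and compares it with the typical DC value 0x82000 that DCDIAG reports. The flag table is a subset of the documented bits, and the MYDC02 entry and the function names are constructed for illustration.

```python
"""Decode userAccountControl and compare DC accounts with the typical value."""

# Subset of the documented userAccountControl flag bits.
UAC_FLAGS = {
    0x00000002: "UF_ACCOUNTDISABLE",
    0x00000020: "UF_PASSWD_NOTREQD",
    0x00001000: "UF_WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "UF_SERVER_TRUST_ACCOUNT",
    0x00010000: "UF_DONT_EXPIRE_PASSWD",
    0x00080000: "UF_TRUSTED_FOR_DELEGATION",
    0x00400000: "UF_DONT_REQUIRE_PREAUTH",
    0x01000000: "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
}
TYPICAL_DC = 0x82000  # value DCDIAG calls typical for a DC (532480 decimal)

# Constructed sample: MYDC01 is the value from the DCDIAG output above,
# MYDC02 is a hypothetical second DC that already has the typical value.
SAMPLE = {"MYDC01": "0x82020", "MYDC02": "532480"}


def parse_uac(text):
    """Accept the decimal form ADSIEdit shows or the hex form DCDIAG prints."""
    return int(text.strip(), 0)


def decode_uac(value):
    """Return the names of the flags set in value, lowest bit first."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)
    if unknown:  # bits outside the table are reported, not silently dropped
        names.append("UNKNOWN_0x%X" % unknown)
    return names


def check_dc(value, expected=TYPICAL_DC):
    """List flags set beyond the typical DC value and typical flags missing."""
    return {"extra": decode_uac(value & ~expected),
            "missing": decode_uac(expected & ~value)}


def audit(accounts):
    """Return only the accounts whose value differs from the typical one."""
    report = {}
    for name, raw in accounts.items():
        value = parse_uac(raw)
        if value != TYPICAL_DC:
            report[name] = check_dc(value)
    return report


if __name__ == "__main__":
    for dc, diff in audit(SAMPLE).items():
        print(dc, diff, "-> set decimal value", TYPICAL_DC)
```
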