Accounts are created in multiple steps by most tools. The account is created as
disabled and then the password is set and the account is enabled. I am pretty
confident that is how ADUC does it as well but haven't looked in a while.
You can determine this by looking at the replication metadata of the object with
repadmin /showmeta object_DN
You should note that some of the attributes were set at a different time with a
different USN stamp (exclude the CN, it always shows different because of
implementation). If it shows the same USN for everything but USN, then the
account was created enabled and with a password. If the password fields and
useraccountcontrol have different values, that is exactly what happened. Plus
useraccountcontrol should be at version 2.
So that being the case, the initial create replicates and then the update
replicates in the next replication period. Change notification on K3 was
seriously increased in speed to get changes around a site faster. With 2K the
replication period was 5 minutes between servers. Now it is something like 15
seconds.
joe
