AD Recycle Bin and the conspicuously cloned user accounts conundrum

Microsoft Windows Server 2008 R2 Operating System

AD Users & Computers has a relatively unknown functionality that is exposed when you create a new user and the password that you enter doesn’t meet the password complexity requirements as defined for the domain.

When you press the Finish button on the last screen of the ‘Create new user’ wizard, ADUC creates the user and then attempts to set the password on it to the value that you entered.

If the DC that it talks to doesn’t accept that password, then ADUC immediately deletes the user account, you are notified that the password doesn’t meet the complexity requirements, and you are prompted to enter a new one.

This in turn means that if it takes you a few attempts to figure out a sufficiently strong password that meets the password complexity rules in the domain… then you’ll have created as many accounts as you had failed attempts, all with identical sAMAccountName and userPrincipalName attributes.

Each of those users will have its own unique objectSid attribute though (as the SIDs are consumed from the RID pool when the user is created and can’t be reused), and the whenCreated attribute of each will be different.

The net effect of this is that when you turn on AD Recycle Bin you’re going to see all of those accounts that ADUC created for you – now you know why.

I.e. it’s not a bug – it’s a feature ;-)
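As an added example (not from the original post), the PowerShell below lists the deleted user objects in the AD Recycle Bin grouped by sAMAccountName, so the duplicate copies ADUC left behind show up with their distinct objectSid and whenCreated values; it assumes the ActiveDirectory module is available and the Recycle Bin optional feature is enabled.

```powershell
# Added example: enumerate deleted user tombstones in the AD Recycle Bin and group them
# by the sAMAccountName they shared with the account that was finally created.
# Assumes the ActiveDirectory module and a domain with the Recycle Bin enabled.
Import-Module ActiveDirectory

$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
    -IncludeDeletedObjects `
    -Properties sAMAccountName, userPrincipalName, objectSid, whenCreated, lastKnownParent

# sAMAccountName is preserved on the deleted object, so it still matches the live user.
$deleted | Group-Object sAMAccountName | ForEach-Object {
    $name  = $_.Name
    $live  = Get-ADUser -Filter "sAMAccountName -eq '$name'" -ErrorAction SilentlyContinue
    $times = @($_.Group | ForEach-Object { $_.whenCreated } | Sort-Object)

    [pscustomobject]@{
        SamAccountName    = $name
        LiveAccountExists = [bool]$live
        DeletedCopies     = $_.Count
        # Every copy has its own SID: RIDs are consumed on creation and never reused.
        DeletedSids       = ($_.Group | ForEach-Object { $_.objectSid.Value }) -join ', '
        # Creation timestamps differ per copy; a tight burst is the wizard retry pattern.
        CreatedTimes      = ($times | ForEach-Object { $_.ToString('s') }) -join ', '
        BurstSeconds      = [int]($times[-1] - $times[0]).TotalSeconds
    }
} | Sort-Object DeletedCopies -Descending | Format-Table -AutoSize
```

Rows with several DeletedCopies created within seconds of each other and a LiveAccountExists of True are the accounts the wizard created and deleted on each rejected password; they can be left to age out or removed with Remove-ADObject once you have confirmed they are not needed for restore.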