We have been fighting for a couple of weeks now with a strange issue where some people randomly wouldn't be found in Active Directory when our password change utility tried to change their AD password (along with their other passwords). We finally found a good "test-case" user and started really trying to hack out why she couldn't reset her password. After figuring out that AD has the username stored in two places (cn, which is case-sensitive for searches, and name, which isn't), we thought we had it licked.
But, it turns out we were still bombing on trying to fix this user's password-sync issue. What could it be? So we craft the LDAP query manually against the AD server and find, lo and behold, two records for her in Active Directory. How can that possibly be? I mean, we do the check for (objectClass=person) to ensure that we're only looking at people, and you can't have the same username assigned twice in the tree, so what the heck is going on?
Oh.... the annoyance... from one of the entries...
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
Yup, that looks about right, from the other, though....
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
WTF?!!? How the hell is it both "a computer" and "a person"?? I was pleased to learn that the code I'd written had Done The Right Thing and sanity-checked that the number of results was exactly 1, because this was friggin crazy.
So now, I've had to add another clause to the LDAP search criteria specifically excluding persons who are also computers. If positronic lifeforms ever start working or attending Vassar, I'm going to be a little screwed, but somehow I think that's a safe bet for now.
I hate Microsoft. I hope they're the first against the wall when the revolution comes.
Two things... Your OpenID login for the blog isn't working.
Secondly, why not use the sAMAccountName attribute to search for the user?
-Ryan
Re: OpenID ... I'd never really intended for it to be live anyway, must've gotten accidentally enabled in the upgrade. Thanks for pointing that out. :-)
Re: sAMAccountName ... umm, didn't know about it? ;-)
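An added example, not code from the original post or from the password-change utility it describes: constructed directory entries that reproduce the two-record collision above, the extra filter clause from the post that excludes computer objects, Ryan's sAMAccountName alternative, and the exactly-one-result check. The account `jdoe`, the DNs and the OU names are made up. In the AD schema `computer` is a subclass of `user`, so a computer object inherits objectClass=person, which is why (objectClass=person) alone matched both records; a computer account's sAMAccountName also carries a trailing `$`, so searching on that attribute separates the two even without the exclusion. The filter builder escapes the username per RFC 4515, which a utility that takes usernames from a form needs anyway so that `*` or `)` in the input cannot change the query.

```python
# Added example: reproduces "a person that is also a computer" on constructed
# entries and shows the filter plus the exactly-one-result check. No directory
# connection is made; Entry/DIRECTORY below are toy stand-ins for search results.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# RFC 4515 escaping for values embedded in a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is matched literally by the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(username: str, attr: str = "sAMAccountName",
                 exclude_computers: bool = True) -> str:
    """Filter for one human user. computer is a subclass of user in the AD
    schema, so (objectClass=person) alone also matches computer objects."""
    clauses = ["(objectClass=person)"]
    if exclude_computers:
        clauses.append("(!(objectClass=computer))")
    clauses.append(f"({attr}={escape_filter_value(username)})")
    return "(&" + "".join(clauses) + ")"


@dataclass
class Entry:
    """Toy search result: DN plus attribute name -> set of values."""
    dn: str
    attrs: Dict[str, Set[str]]


def matches(entry: Entry, username: str, attr: str,
            exclude_computers: bool = True) -> bool:
    """Evaluate the same logic as build_filter() against a local entry.
    Attribute values are compared case-insensitively, as AD does for name
    and sAMAccountName (the post notes cn searches are case-sensitive)."""
    classes = {c.lower() for c in entry.attrs.get("objectClass", set())}
    values = {v.lower() for v in entry.attrs.get(attr, set())}
    if "person" not in classes:
        return False
    if exclude_computers and "computer" in classes:
        return False
    return username.lower() in values


def count_matches(entries: Iterable[Entry], username: str,
                  attr: str = "sAMAccountName", exclude_computers: bool = True) -> int:
    return sum(1 for e in entries if matches(e, username, attr, exclude_computers))


def find_unique_person(entries: Iterable[Entry], username: str,
                       attr: str = "sAMAccountName", exclude_computers: bool = True) -> Entry:
    """The sanity check from the post: refuse to act unless exactly one
    record came back, so a password change never lands on the wrong object."""
    hits: List[Entry] = [e for e in entries if matches(e, username, attr, exclude_computers)]
    if len(hits) != 1:
        raise LookupError(f"expected exactly 1 match for {username!r}, got {len(hits)}")
    return hits[0]


# Constructed data: a user account and a workstation that was named after her.
DIRECTORY = [
    Entry("CN=jdoe,OU=Users,DC=example,DC=edu",
          {"objectClass": {"top", "person", "organizationalPerson", "user"},
           "cn": {"jdoe"}, "name": {"jdoe"}, "sAMAccountName": {"jdoe"}}),
    Entry("CN=jdoe,OU=Workstations,DC=example,DC=edu",
          {"objectClass": {"top", "person", "organizationalPerson", "user", "computer"},
           "cn": {"jdoe"}, "name": {"jdoe"}, "sAMAccountName": {"JDOE$"}}),
]

if __name__ == "__main__":
    print(build_filter("jdoe", "cn", exclude_computers=False))
    print("cn, no exclusion:", count_matches(DIRECTORY, "jdoe", "cn", exclude_computers=False))
    print("cn, excluding computers:", count_matches(DIRECTORY, "jdoe", "cn"))
    print("sAMAccountName, no exclusion:",
          count_matches(DIRECTORY, "jdoe", "sAMAccountName", exclude_computers=False))
    print(find_unique_person(DIRECTORY, "jdoe").dn)
```

Running it shows the original filter on cn returning two records, the exclusion clause bringing that to one, and the sAMAccountName search returning one record even without the clause because the computer's account name is `JDOE$`. Keeping the exactly-one check in place regardless of which attribute is used is what turned this from a wrong-object password reset into a loud failure.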