userAccountControl

  1. If the UF_LOCKOUT bit (section is set and the lockoutTime attribute is nonzero, the lockoutTime attribute MUST be updated to a value of zero.

  2. The following bits, if set, MUST be unset before committing the transaction: UF_LOCKOUT and UF_PASSWORD_EXPIRED.

  3. If the UF_SERVER_TRUST_ACCOUNT bit is set, all of the following constraints MUST be satisfied:

    1. The primaryGroupId attribute MUST be updated to the value DOMAIN_GROUP_RID_CONTROLLERS.

    2. If the previous primaryGroupId value is NOT DOMAIN_GROUP_RID_COMPUTERS, let G be the group whose objectSid value has the RID of the previous primaryGroupId on the current object. G's member attribute MUST be updated to add a reference to the current object if it is not already present; processing errors for this constraint MUST be ignored.

  4. If either UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION or UF_TRUSTED_FOR_DELEGATION is set, the client's token MUST be retrieved using the method described in [MS-RPCE] section The RpcImpersonationAccessToken.Privileges[] field MUST have the SE_ENABLE_DELEGATION_NAME privilege (defined in [MS-LSAD] section Otherwise, the server MUST abort processing and return STATUS_ACCESS_DENIED.

  5. If any of the following bits are set, the client MUST have the associated control access right (defined in [MS-ADTS] section on the ntSecurityDescriptor for the account domain object, per an access check. (Information about the access check mechanism is specified in [MS-ADTS] section If this constraint fails, the server MUST abort processing and return STATUS_ACCESS_DENIED.

    [Table: userAccountControl bit and its required control access right. Only the column header "Required control access right" survives on this page; the rows are absent.]
  6. If the UF_SMARTCARD_REQUIRED bit is set and is NOT present in the previous value, the dBCSPwd and unicodePwd attributes MUST be updated with 16 bytes of random bytes, and the supplementalCredentials attribute MUST be removed.

  7. If the UF_PASSWD_NOTREQD bit is removed from the userAccountControl value, the server MUST abort processing and return an error status if all of the following conditions are true:

    1. userAccountControl contains UF_NORMAL_ACCOUNT.

    2. userAccountControl does not contain the UF_ACCOUNTDISABLE bit.

    3. The Effective-MinimumPasswordLength attribute (see section is nonzero.

  8. If none of the following bits are set, the server MUST set the UF_NORMAL_ACCOUNT bit.







For more information about the UF_SERVER_TRUST_ACCOUNT and UF_WORKSTATION_TRUST_ACCOUNT bits, see the following citation in Appendix B: Product Behavior.<27>
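As an added example (not part of the specification), the update constraints above written as a Python validator that mirrors constraints 1 through 4, 6 and 7 for one userAccountControl write; constraint 5 and the bit list of constraint 8 are left out because their table and list are not on this page. The numeric UF_* flag values and the two RIDs are assumed from MS-SAMR section 2.2.1.12, `SeEnableDelegationPrivilege` is assumed as the string form of SE_ENABLE_DELEGATION_NAME, and the returned `writes` dictionary (including its `member_add_to_rid` key) is this example's own representation of the resulting attribute updates.

```python
import os

# Flag values assumed from MS-SAMR section 2.2.1.12 (the page names the bits only).
UF_ACCOUNTDISABLE = 0x00000002
UF_LOCKOUT = 0x00000010
UF_PASSWD_NOTREQD = 0x00000020
UF_NORMAL_ACCOUNT = 0x00000200
UF_SERVER_TRUST_ACCOUNT = 0x00002000
UF_SMARTCARD_REQUIRED = 0x00040000
UF_TRUSTED_FOR_DELEGATION = 0x00080000
UF_PASSWORD_EXPIRED = 0x00800000
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000
DOMAIN_GROUP_RID_COMPUTERS = 515     # assumed well-known RID
DOMAIN_GROUP_RID_CONTROLLERS = 516   # assumed well-known RID
SE_ENABLE_DELEGATION_NAME = "SeEnableDelegationPrivilege"  # assumed string form


class AccessDenied(Exception):
    """Stands in for STATUS_ACCESS_DENIED."""


def apply_uac_update(prev_uac, new_uac, *, lockout_time, prev_primary_group_id,
                     client_privileges, min_password_length):
    """Return the attribute writes a server would make for the change
    prev_uac -> new_uac, or raise when a constraint rejects it."""
    writes = {}
    # 1: UF_LOCKOUT set with a nonzero lockoutTime clears lockoutTime.
    if new_uac & UF_LOCKOUT and lockout_time != 0:
        writes["lockoutTime"] = 0
    # 2: UF_LOCKOUT and UF_PASSWORD_EXPIRED are never committed.
    new_uac &= ~(UF_LOCKOUT | UF_PASSWORD_EXPIRED)
    # 3: a DC account gets Domain Controllers as primary group; the old primary
    #    group keeps an explicit member entry unless it was Domain Computers.
    if new_uac & UF_SERVER_TRUST_ACCOUNT:
        writes["primaryGroupId"] = DOMAIN_GROUP_RID_CONTROLLERS
        if prev_primary_group_id != DOMAIN_GROUP_RID_COMPUTERS:
            writes["member_add_to_rid"] = prev_primary_group_id
    # 4: either delegation bit requires the caller to hold the privilege.
    if (new_uac & (UF_TRUSTED_FOR_DELEGATION | UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION)
            and SE_ENABLE_DELEGATION_NAME not in client_privileges):
        raise AccessDenied("delegation bits require SeEnableDelegationPrivilege")
    # 6: newly requiring a smart card replaces both hashes with random bytes.
    if new_uac & UF_SMARTCARD_REQUIRED and not prev_uac & UF_SMARTCARD_REQUIRED:
        writes["dBCSPwd"] = os.urandom(16)
        writes["unicodePwd"] = os.urandom(16)
        writes["supplementalCredentials"] = None  # None means: attribute removed
    # 7: dropping UF_PASSWD_NOTREQD on an enabled normal account is refused
    #    while a nonzero minimum password length is in effect.
    if (prev_uac & UF_PASSWD_NOTREQD and not new_uac & UF_PASSWD_NOTREQD
            and new_uac & UF_NORMAL_ACCOUNT and not new_uac & UF_ACCOUNTDISABLE
            and min_password_length != 0):
        raise ValueError("UF_PASSWD_NOTREQD cannot be removed: minimum length enforced")
    writes["userAccountControl"] = new_uac
    return writes
```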

© 2014 Microsoft