3.1.1.4.5.17 msDS-User-Account-Control-Computed
The msDS-User-Account-Control-Computed attribute has different behavior on AD DS and AD LDS.
Let TO be the object from which the msDS-User-Account-Control-Computed attribute is being read.
For AD DS, the following description applies.
| 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | PE | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | LO | 0 | 0 | 0 | 0 |

Note: Bits are presented in big-endian byte order.
If the object TO is not in a domain NC, TO!msDS-User-Account-Control-Computed = 0.
If the object TO is in a domain NC, let D be the root of that NC, and let ST be the current time, read from the system clock. Then the value of TO!msDS-User-Account-Control-Computed is the preceding bit pattern, where:
- LO (ADS_UF_LOCKOUT, 0x00000010) is set if:
  - (none of bits ADS_UF_WORKSTATION_TRUST_ACCOUNT, ADS_UF_SERVER_TRUST_ACCOUNT, ADS_UF_INTERDOMAIN_TRUST_ACCOUNT are set in TO!userAccountControl)
  - and (TO!lockoutTime is nonzero and either (1) Effective-LockoutDuration (regarded as an unsigned quantity) < 0x8000000000000000, or (2) ST + Effective-LockoutDuration (regarded as a signed quantity) ≤ TO!lockoutTime), where Effective-LockoutDuration is defined in [MS-SAMR] section 3.1.1.5.
- PE (ADS_UF_PASSWORD_EXPIRED, 0x00800000) is set if:
  - (none of bits ADS_UF_SMARTCARD_REQUIRED, ADS_UF_DONT_EXPIRE_PASSWD, ADS_UF_WORKSTATION_TRUST_ACCOUNT, ADS_UF_SERVER_TRUST_ACCOUNT, ADS_UF_INTERDOMAIN_TRUST_ACCOUNT are set in TO!userAccountControl)
  - and (TO!pwdLastSet = null, or TO!pwdLastSet = 0, or (Effective-MaximumPasswordAge ≠ 0x8000000000000000 and (ST - TO!pwdLastSet) > Effective-MaximumPasswordAge)), where Effective-MaximumPasswordAge is defined in [MS-SAMR] section 3.1.1.5.
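The AD DS rules above, written out as a pure function. This is an added example, not part of the specification text: the function and parameter names are hypothetical, and the numeric values of the userAccountControl bits other than LO and PE are the standard ADS_UF_* flag values, which this section does not list. Effective-LockoutDuration and Effective-MaximumPasswordAge are taken as inputs (their derivation is in [MS-SAMR]), and the maximum age is assumed to be passed in the form the comparison above expects.

```python
# Added example: AD DS computation of msDS-User-Account-Control-Computed.
ADS_UF_LOCKOUT = 0x00000010
ADS_UF_PASSWORD_EXPIRED = 0x00800000
# userAccountControl bits named by the rules (standard ADS_UF_* values).
ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = 0x00000800
ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000
ADS_UF_SERVER_TRUST_ACCOUNT = 0x00002000
ADS_UF_DONT_EXPIRE_PASSWD = 0x00010000
ADS_UF_SMARTCARD_REQUIRED = 0x00040000

TRUST = (ADS_UF_WORKSTATION_TRUST_ACCOUNT | ADS_UF_SERVER_TRUST_ACCOUNT
         | ADS_UF_INTERDOMAIN_TRUST_ACCOUNT)
MASK64 = 0xFFFFFFFFFFFFFFFF
NEVER = 0x8000000000000000  # sentinel used by both rules


def as_signed64(v):
    """Reinterpret a 64-bit pattern as a signed (two's complement) quantity."""
    v &= MASK64
    return v - (1 << 64) if v & NEVER else v


def uac_computed_adds(uac, lockout_time, pwd_last_set, st,
                      lockout_duration, max_password_age, in_domain_nc=True):
    """Return the computed value for object TO; all times share one unit."""
    if not in_domain_nc:
        return 0  # TO is not in a domain NC
    value = 0
    # LO: no trust-account bit, lockoutTime nonzero, lockout still in effect.
    if not (uac & TRUST) and lockout_time:
        unsigned = lockout_duration & MASK64
        if unsigned < NEVER or st + as_signed64(lockout_duration) <= lockout_time:
            value |= ADS_UF_LOCKOUT
    # PE: no exempting bit, and password never set or older than the maximum.
    exempt = TRUST | ADS_UF_SMARTCARD_REQUIRED | ADS_UF_DONT_EXPIRE_PASSWD
    if not (uac & exempt):
        if not pwd_last_set or (max_password_age != NEVER
                                and st - pwd_last_set > max_password_age):
            value |= ADS_UF_PASSWORD_EXPIRED
    return value


if __name__ == "__main__":
    # Constructed sample: locked at t=1000, duration -1800, read at t=1500.
    print(hex(uac_computed_adds(0x200, 1000, 900, 1500, -1800, 10000)))
```

Because LO and PE are evaluated against the clock at read time, two reads of the same object can return different values with no intervening write.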
For AD LDS, the following description applies.
| 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | PE | 0 | 0 | 0 | 0 | 0 | 0 | DEP | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | PNR | LO | 0 | 0 | AD | 0 |

Note: Bits are presented in big-endian byte order.
The value of the TO!msDS-User-Account-Control-Computed attribute is the preceding bit pattern, where:
- AD (ADS_UF_ACCOUNT_DISABLE, 0x00000002) is set if:
  - TO!msDS-UserAccountDisabled is true
- LO (ADS_UF_LOCKOUT, 0x00000010) is set if:
  - TO!ms-DS-UserAccountAutoLocked is true
- PNR (ADS_UF_PASSWD_NOTREQD, 0x00000020) is set if:
  - TO!ms-DS-UserPasswordNotRequired is true
- DEP (ADS_UF_DONT_EXPIRE_PASSWD, 0x00010000) is set if:
  - TO!msDS-UserDontExpirePassword is true
- PE (ADS_UF_PASSWORD_EXPIRED, 0x00800000) is set if:
  - TO!msDS-UserPasswordExpired is true