3.1.1.8.10 userAccountControl
- If the UF_LOCKOUT bit (section 2.2.1.13) is set and the lockoutTime attribute is nonzero, the lockoutTime attribute MUST be updated to a value of zero.
- The following bits, if set, MUST be unset before committing the transaction: UF_LOCKOUT and UF_PASSWORD_EXPIRED.
- If the UF_SERVER_TRUST_ACCOUNT bit is set, all of the following constraints MUST be satisfied:
  - The primaryGroupId attribute MUST be updated to the value DOMAIN_GROUP_RID_CONTROLLERS.
  - If the previous primaryGroupId value is NOT DOMAIN_GROUP_RID_COMPUTERS, let G be the group whose objectSid value has the RID of the previous primaryGroupId on the current object. G's member attribute MUST be updated to add a reference to the current object if it is not already present; processing errors for this constraint MUST be ignored.
- If either UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION or UF_TRUSTED_FOR_DELEGATION is set, the client's token MUST be retrieved using the method described in [MS-RPCE] section 3.3.3.4.3. The RpcImpersonationAccessToken.Privileges[] field MUST have the SE_ENABLE_DELEGATION_NAME privilege (defined in [MS-LSAD] section 3.1.1.2.1). Otherwise, the server MUST abort processing and return STATUS_ACCESS_DENIED.
- If any of the following bits are set, the client MUST have the associated control access right (defined in [MS-ADTS] section 5.1.3.2.1) on the ntSecurityDescriptor for the account domain object, per an access check. (Information about the access check mechanism is specified in [MS-ADTS] section 5.1.3.3.) If this constraint fails, the server MUST abort processing and return STATUS_ACCESS_DENIED.

  userAccountControl bit                 Required control access right
  UF_PASSWD_NOTREQD                      Update-Password-Not-Required-Bit
  UF_DONT_EXPIRE_PASSWD                  Unexpire-Password
  UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED     Enable-Per-User-Reversibly-Encrypted-Password
  UF_SERVER_TRUST_ACCOUNT                DS-Install-Replica
- If the UF_SMARTCARD_REQUIRED bit is set and is NOT present in the previous value, the dBCSPwd and unicodePwd attributes MUST be updated with 16 bytes of random bytes, and the supplementalCredentials attribute MUST be removed.
- If the UF_PASSWD_NOTREQD bit is removed from the userAccountControl value, the server MUST abort processing and return an error status if all of the following conditions are true:
  - userAccountControl contains UF_NORMAL_ACCOUNT.
  - userAccountControl does not contain UF_ACCOUNTDISABLE.
  - The Effective-MinimumPasswordLength attribute (see section 3.1.1.5) is nonzero.
- If none of the following bits are set, the server MUST set the UF_NORMAL_ACCOUNT bit.

  userAccountControl bit
  UF_NORMAL_ACCOUNT
  UF_INTERDOMAIN_TRUST_ACCOUNT
  UF_WORKSTATION_TRUST_ACCOUNT
  UF_SERVER_TRUST_ACCOUNT
  UF_TEMP_DUPLICATE_ACCOUNT

For more information about the UF_SERVER_TRUST_ACCOUNT and UF_WORKSTATION_TRUST_ACCOUNT bits, see the following citation in Appendix B: Product Behavior.<27>
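The constraints above read as a checklist, and it helps to see them as one ordered procedure. The following Python model, added here as an illustration and not taken from [MS-SAMR] or any server implementation, applies each constraint to a proposed userAccountControl value and either commits the resulting attributes or aborts with the status the section names. It assumes the UF_* flag values of [MS-SAMR] section 2.2.1.13 and the well-known RIDs 515/516 for DOMAIN_GROUP_RID_COMPUTERS/DOMAIN_GROUP_RID_CONTROLLERS; the token and directory are stand-in dicts, and STATUS_ERROR_UNSPECIFIED is a placeholder because this section only says "an error status" for the UF_PASSWD_NOTREQD case.

```python
import os

# Flag values as defined in [MS-SAMR] section 2.2.1.13 (cited by this section,
# restated here as an assumption for the example).
UF_ACCOUNTDISABLE = 0x00000002
UF_LOCKOUT = 0x00000010
UF_PASSWD_NOTREQD = 0x00000020
UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x00000080
UF_TEMP_DUPLICATE_ACCOUNT = 0x00000100
UF_NORMAL_ACCOUNT = 0x00000200
UF_INTERDOMAIN_TRUST_ACCOUNT = 0x00000800
UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000
UF_SERVER_TRUST_ACCOUNT = 0x00002000
UF_DONT_EXPIRE_PASSWD = 0x00010000
UF_SMARTCARD_REQUIRED = 0x00040000
UF_TRUSTED_FOR_DELEGATION = 0x00080000
UF_PASSWORD_EXPIRED = 0x00800000
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000

# Well-known RIDs of the Domain Computers and Domain Controllers groups (assumed).
DOMAIN_GROUP_RID_COMPUTERS = 515
DOMAIN_GROUP_RID_CONTROLLERS = 516

# String form of the SE_ENABLE_DELEGATION_NAME privilege ([MS-LSAD] 3.1.1.2.1).
SE_ENABLE_DELEGATION_NAME = "SeEnableDelegationPrivilege"

# The table from this section: bit -> control access right the client must hold.
CONTROL_ACCESS_RIGHTS = {
    UF_PASSWD_NOTREQD: "Update-Password-Not-Required-Bit",
    UF_DONT_EXPIRE_PASSWD: "Unexpire-Password",
    UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED: "Enable-Per-User-Reversibly-Encrypted-Password",
    UF_SERVER_TRUST_ACCOUNT: "DS-Install-Replica",
}

# If none of these account-type bits is set, UF_NORMAL_ACCOUNT is defaulted in.
ACCOUNT_TYPE_BITS = (UF_NORMAL_ACCOUNT | UF_INTERDOMAIN_TRUST_ACCOUNT
                     | UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT
                     | UF_TEMP_DUPLICATE_ACCOUNT)

STATUS_SUCCESS = "STATUS_SUCCESS"
STATUS_ACCESS_DENIED = "STATUS_ACCESS_DENIED"
STATUS_ERROR_UNSPECIFIED = "STATUS_ERROR_UNSPECIFIED"  # placeholder; page says "an error status"


def process_uac_update(account, new_uac, client, groups, effective_min_pwd_len):
    """Apply this section's constraints to a proposed userAccountControl value.

    account: dict of object attributes (userAccountControl, lockoutTime,
             primaryGroupId, objectSid, optional password attributes).
    client:  dict with 'privileges' (token privileges) and
             'control_access_rights' (rights held on the account domain object).
    groups:  dict RID -> set of member objectSids (stand-in for the directory).
    Returns (status, resulting account dict). On failure the original account
    is returned untouched, modelling an aborted transaction.
    """
    prev = account["userAccountControl"]
    acct = dict(account)  # work on a copy; commit only on success
    uac = new_uac

    # 1. A set UF_LOCKOUT with nonzero lockoutTime resets lockoutTime to zero.
    if uac & UF_LOCKOUT and acct.get("lockoutTime", 0) != 0:
        acct["lockoutTime"] = 0

    # 2. UF_LOCKOUT and UF_PASSWORD_EXPIRED are never committed from a client write.
    uac &= ~(UF_LOCKOUT | UF_PASSWORD_EXPIRED)

    # 3. A DC account gets primaryGroupId = Domain Controllers and keeps
    #    membership in its old primary group; errors there are ignored.
    if uac & UF_SERVER_TRUST_ACCOUNT:
        old_pgid = acct["primaryGroupId"]
        acct["primaryGroupId"] = DOMAIN_GROUP_RID_CONTROLLERS
        if old_pgid != DOMAIN_GROUP_RID_COMPUTERS:
            try:
                groups[old_pgid].add(acct["objectSid"])
            except (KeyError, TypeError):
                pass  # processing errors for this constraint MUST be ignored

    # 4. Either delegation bit requires SE_ENABLE_DELEGATION_NAME in the caller's token.
    if uac & (UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION | UF_TRUSTED_FOR_DELEGATION):
        if SE_ENABLE_DELEGATION_NAME not in client["privileges"]:
            return STATUS_ACCESS_DENIED, account

    # 5. Each sensitive bit requires its control access right on the domain object.
    for bit, right in CONTROL_ACCESS_RIGHTS.items():
        if uac & bit and right not in client["control_access_rights"]:
            return STATUS_ACCESS_DENIED, account

    # 6. Newly requiring a smart card randomises the stored hashes and drops
    #    supplementalCredentials so the previous password is unusable.
    if uac & UF_SMARTCARD_REQUIRED and not prev & UF_SMARTCARD_REQUIRED:
        acct["dBCSPwd"] = os.urandom(16)
        acct["unicodePwd"] = os.urandom(16)
        acct.pop("supplementalCredentials", None)

    # 7. Removing UF_PASSWD_NOTREQD from an enabled normal account fails when
    #    the domain enforces a minimum password length.
    if prev & UF_PASSWD_NOTREQD and not uac & UF_PASSWD_NOTREQD:
        if (uac & UF_NORMAL_ACCOUNT and not uac & UF_ACCOUNTDISABLE
                and effective_min_pwd_len != 0):
            return STATUS_ERROR_UNSPECIFIED, account

    # 8. Default the account type when the caller supplied none.
    if not uac & ACCOUNT_TYPE_BITS:
        uac |= UF_NORMAL_ACCOUNT

    acct["userAccountControl"] = uac
    return STATUS_SUCCESS, acct
```

The access checks in steps 4 and 5 are the security-relevant core: a caller who can write userAccountControl but lacks the matching privilege or control access right cannot turn on delegation, password-not-required, non-expiring or reversibly encrypted passwords, or mark an account as a domain controller. Auditing those four control access rights on the domain object is therefore as important as auditing write access to the attribute itself.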