Upgrade your Internet Experience
Microsoft.com
Welcome Sign in
Microsoft Developer Network
Click to Rate and Give Feedback
MSDN
MSDN Library
Directory Services
Directories
Attributes
All Attributes
 User-Account-Control Attribute

  Switch on low bandwidth view
User-Account-Control Attribute

Flags that control the behavior of the user account.

CNUser-Account-Control
Ldap-Display-NameuserAccountControl
Size4 bytes.
Update PrivilegeThis value is set by the system.
Update FrequencyEach time the account policy changes.
Attribute-Id1.2.840.113556.1.4.8
System-Id-Guidbf967a68-0de6-11d0-a285-00aa003049e2
SyntaxEnumeration

Implementations

Windows 2000 Server

Link-Id-
MAPI-Id-
System-OnlyFalse
Is-Single-ValuedTrue
Is IndexedTrue
In Global CatalogTrue
NT-Security-DescriptorO:BAG:BAD:S:
Range-Lower-
Range-Upper-
Search-Flags0x00000019
System-Flags0x00000012
Classes used inUser

Windows Server 2003

Link-Id-
MAPI-Id-
System-OnlyFalse
Is-Single-ValuedTrue
Is IndexedTrue
In Global CatalogTrue
NT-Security-DescriptorO:BAG:BAD:S:
Range-Lower-
Range-Upper-
Search-Flags0x00000019
System-Flags0x00000012
Classes used inUser

Windows Server 2003 R2

Link-Id-
MAPI-Id-
System-OnlyFalse
Is-Single-ValuedTrue
Is IndexedTrue
In Global CatalogTrue
NT-Security-DescriptorO:BAG:BAD:S:
Range-Lower-
Range-Upper-
Search-Flags0x00000019
System-Flags0x00000012
Classes used inUser

Windows Server 2008

Link-Id-
MAPI-Id-
System-OnlyFalse
Is-Single-ValuedTrue
Is IndexedTrue
In Global CatalogTrue
NT-Security-DescriptorO:BAG:BAD:S:
Range-Lower-
Range-Upper-
Search-Flags0x00000019
System-Flags0x00000012
Classes used inUser

Remarks

This attribute value can be zero or a combination of one or more of the following values.

Hexadecimal valueIdentifier (defined in iads.h)Description
0x00000001ADS_UF_SCRIPTThe logon script is executed.
0x00000002ADS_UF_ACCOUNTDISABLEThe user account is disabled.
0x00000008ADS_UF_HOMEDIR_REQUIREDThe home directory is required.
0x00000010ADS_UF_LOCKOUTThe account is currently locked out.
0x00000020ADS_UF_PASSWD_NOTREQDNo password is required.
0x00000040ADS_UF_PASSWD_CANT_CHANGEThe user cannot change the password.

Note  You cannot assign the permission settings of PASSWD_CANT_CHANGE by directly modifying the UserAccountControl attribute. For more information and a code example that shows how to prevent a user from changing the password, see User Cannot Change Password.

:
0x00000080ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWEDThe user can send an encrypted password.
0x00000100ADS_UF_TEMP_DUPLICATE_ACCOUNTThis is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. Also known as a local user account.
0x00000200ADS_UF_NORMAL_ACCOUNTThis is a default account type that represents a typical user.
0x00000800ADS_UF_INTERDOMAIN_TRUST_ACCOUNTThis is a permit to trust account for a system domain that trusts other domains.
0x00001000ADS_UF_WORKSTATION_TRUST_ACCOUNTThis is a computer account for a computer that is a member of this domain.
0x00002000ADS_UF_SERVER_TRUST_ACCOUNTThis is a computer account for a system backup domain controller that is a member of this domain.
0x00004000N/ANot used.
0x00008000N/ANot used.
0x00010000ADS_UF_DONT_EXPIRE_PASSWDThe password for this account will never expire.
0x00020000ADS_UF_MNS_LOGON_ACCOUNTThis is an MNS logon account.
0x00040000ADS_UF_SMARTCARD_REQUIREDThe user must log on using a smart card.
0x00080000ADS_UF_TRUSTED_FOR_DELEGATIONThe service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service.
0x00100000ADS_UF_NOT_DELEGATEDThe security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation.
0x00200000ADS_UF_USE_DES_KEY_ONLYRestrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
0x00400000ADS_UF_DONT_REQUIRE_PREAUTHThis account does not require Kerberos pre-authentication for logon.
0x00800000ADS_UF_PASSWORD_EXPIREDThe user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the domain policy.
0x01000000ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATIONThe account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to other remote servers on the network.

 

Send comments about this topic to Microsoft

Build date: 7/7/2009

Tags What's this?: Add a tag
Community Content   What is Community Content?
Add new content RSS  Annotations
RODC Flags      Matheesha   |   Edit   |   Show History
0x04000000 appears to be PARTIAL_SECRETS_ACCOUNT. Here is the output from ldp for useraccountcontrol of an RODC.

userAccountControl: 0x5001000 = ( WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION | PARTIAL_SECRETS_ACCOUNT );
Example how to query flags via LDAP      pwust   |   Edit   |   Show History

If you put this into your LDAP query string, you can check against single flag bits of this value:

  

  
(&(-other-ldap-query-items-)(userAccountControl:1.2.840.113556.1.4.803:=65536))

Convert the flag bit to be queried into its decimal value (e.g., ADS_UF_DONT_EXPIRE_PASSWD is 0x10000, which is 65536 in decimal). The expression evaluates TRUE if the flag is set. You can combine any flags by adding more expressions like that and can even test for "flag cleared" by putting (!...) around the expression (i.e. negation).

© 2009 Microsoft Corporation. All rights reserved. Terms of Use  |  Trademarks  |  Privacy Statement
Page view tracker