UserAccountControl Attribute/Flag Values
Searching Active Directory attributes using DSQUERY commands or scripts is not difficult: you can read the values directly from the attribute. However, searching by account status (enabled, disabled, password expired, and so on) can be challenging, because these properties are not stored in attributes of their own. They are controlled by a single attribute called userAccountControl.
UserAccountControl is a 4-byte (32-bit) integer that represents a bitwise enumeration of flags; these flags control the behavior of the object. The attributeID (ruleOID) of this attribute is 1.2.840.113556.1.4.8. The attributeID is a unique X.500 Object Identifier (OID) that identifies an attribute.
How do I search userAccountControl values in Active Directory?
It is like searching any other attribute in Active Directory. However, you need to express the userAccountControl value as a decimal number and use an LDAP extensible matching rule. The syntax of the LDAP matching rule is
attributename:ruleOID:=value
…where attributename is the LDAP display name (in this case userAccountControl), ruleOID is the OID of the matching rule control (in this case 1.2.840.113556.1.4.80X, that is, 803 or 804 as explained below), and value is the decimal bitmask you want to search for.
The following DSQUERY command returns all disabled user accounts in Active Directory.
dsquery * -limit 0 -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" -attr name
userAccountControl value 2 means the user account is disabled (ADS_UF_ACCOUNTDISABLE).
The following DSQUERY command returns all users with the 'Password Never Expires' setting enabled.
dsquery * -limit 0 -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -attr name
userAccountControl value 65536 means the user account has the 'Password Never Expires' flag enabled (ADS_UF_DONT_EXPIRE_PASSWD).
———————————–
Note
The UserAccountControl =XXXXX portion will be what you look up in the attribute table (see below).
———————————–
Where did the 1.2.840.113556.1.4.803 attributeID (ruleOID) come from?
The value of attributeID (ruleOID) can be either bitwise AND (1.2.840.113556.1.4.803) or bitwise OR (1.2.840.113556.1.4.804)
1.2.840.113556.1.4.803 – This is the bitwise AND operator (LDAP_MATCHING_RULE_BIT_AND). The rule is true only if all bits from the property match the value.
1.2.840.113556.1.4.804 – This is the bitwise OR operator (LDAP_MATCHING_RULE_BIT_OR). The rule is true if any bits from the property match the value.
Attribute Table
A comprehensive list of UserAccountControl attribute/flag values
| Property Flag | Value In Hexadecimal | Value In Decimal | Not Officially Documented |
|---|---|---|---|
| SCRIPT | 0x0001 | 1 | |
| ACCOUNTDISABLE | 0x0002 | 2 | |
| HOMEDIR_REQUIRED | 0x0008 | 8 | |
| LOCKOUT | 0x0010 | 16 | |
| PASSWD_NOTREQD | 0x0020 | 32 | |
| PASSWD_CANT_CHANGE | 0x0040 | 64 | |
| ENCRYPTED_TEXT_PWD_ALLOWED | 0x0080 | 128 | |
| TEMP_DUPLICATE_ACCOUNT | 0x0100 | 256 | |
| NORMAL_ACCOUNT | 0x0200 | 512 | |
| Disabled Account | 0x0202 | 514 | x |
| Enabled, Password Not Required | 0x0220 | 544 | x |
| Disabled, Password Not Required | 0x0222 | 546 | x |
| INTERDOMAIN_TRUST_ACCOUNT | 0x0800 | 2048 | |
| WORKSTATION_TRUST_ACCOUNT | 0x1000 | 4096 | |
| SERVER_TRUST_ACCOUNT | 0x2000 | 8192 | |
| DONT_EXPIRE_PASSWORD | 0x10000 | 65536 | |
| Enabled, Password Doesn't Expire | 0x10200 | 66048 | x |
| Disabled, Password Doesn't Expire | 0x10202 | 66050 | x |
| Disabled, Password Doesn't Expire & Not Required | 0x10222 | 66082 | x |
| MNS_LOGON_ACCOUNT | 0x20000 | 131072 | |
| SMARTCARD_REQUIRED | 0x40000 | 262144 | |
| Enabled, Smartcard Required | 0x40200 | 262656 | x |
| Disabled, Smartcard Required | 0x40202 | 262658 | x |
| Disabled, Smartcard Required, Password Not Required | 0x40222 | 262690 | x |
| Disabled, Smartcard Required, Password Doesn't Expire | 0x50202 | 328194 | x |
| Disabled, Smartcard Required, Password Doesn't Expire & Not Required | 0x50222 | 328226 | x |
| TRUSTED_FOR_DELEGATION | 0x80000 | 524288 | |
| Domain controller | 0x82000 | 532480 | |
| NOT_DELEGATED | 0x100000 | 1048576 | |
| USE_DES_KEY_ONLY | 0x200000 | 2097152 | |
| DONT_REQ_PREAUTH | 0x400000 | 4194304 | |
| PASSWORD_EXPIRED | 0x800000 | 8388608 | |
| TRUSTED_TO_AUTH_FOR_DELEGATION | 0x1000000 | 16777216 | |
| PARTIAL_SECRETS_ACCOUNT | 0x04000000 | 67108864 | |
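The filter syntax, the two matching-rule OIDs and the flag values in the table can be exercised offline. The following Python script is an added example; it is not part of the original article and not a Microsoft tool. It decodes a userAccountControl integer into the flag names from the table, implements the semantics of rule 1.2.840.113556.1.4.803 (bit AND) and 1.2.840.113556.1.4.804 (bit OR), and runs both over a constructed set of sample accounts, including an audit query that uses the OR rule to find accounts with any of several password or Kerberos flags set. The account names and values are constructed for the example and do not come from any real directory.

```python
"""Decode and query Active Directory userAccountControl bitmasks.

Added example (not from the original article). Flag values are the
single-bit entries of the attribute table; sample accounts are constructed
here so the script runs without a domain controller.
"""

# Single-bit flags from the attribute table (name -> value).
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
    "PARTIAL_SECRETS_ACCOUNT": 0x04000000,
}

# The two extensible matching rules the article describes.
RULE_BIT_AND = "1.2.840.113556.1.4.803"
RULE_BIT_OR = "1.2.840.113556.1.4.804"


def decode_uac(uac):
    """Names of all flags set in a userAccountControl value, lowest bit first.
    Bits not in the table are reported as UNKNOWN_0x<bit>."""
    names, known = [], 0
    for name, bit in sorted(UAC_FLAGS.items(), key=lambda kv: kv[1]):
        known |= bit
        if uac & bit:
            names.append(name)
    leftover, bit = uac & ~known & 0xFFFFFFFF, 1
    while leftover:
        if leftover & bit:
            names.append(f"UNKNOWN_0x{bit:X}")
            leftover &= ~bit
        bit <<= 1
    return names


def bit_and_match(uac, mask):
    """LDAP_MATCHING_RULE_BIT_AND: true only if every mask bit is set."""
    return uac & mask == mask


def bit_or_match(uac, mask):
    """LDAP_MATCHING_RULE_BIT_OR: true if at least one mask bit is set."""
    return uac & mask != 0


def set_flag(uac, flag):
    """Set a flag bit; OR is idempotent and leaves other bits untouched."""
    return uac | flag


def clear_flag(uac, flag):
    """Clear a flag bit. AND NOT is idempotent; XOR would toggle the bit
    and set it on an account where it was already clear."""
    return uac & ~flag


def query(accounts, rule_oid, mask):
    """Evaluate (userAccountControl:<rule_oid>:=<mask>) over (name, uac) pairs
    and return the matching names in input order."""
    match = {RULE_BIT_AND: bit_and_match, RULE_BIT_OR: bit_or_match}[rule_oid]
    return [name for name, uac in accounts if match(uac, mask)]


def weak_password_or_kerberos(accounts):
    """Audit: accounts with ANY of PASSWD_NOTREQD, DONT_REQ_PREAUTH or
    USE_DES_KEY_ONLY, which the OR rule expresses in one filter clause."""
    mask = (UAC_FLAGS["PASSWD_NOTREQD"] | UAC_FLAGS["DONT_REQ_PREAUTH"]
            | UAC_FLAGS["USE_DES_KEY_ONLY"])
    return query(accounts, RULE_BIT_OR, mask)


# Constructed sample entries: (sAMAccountName, userAccountControl).
SAMPLE_ACCOUNTS = [
    ("alice", 512),           # enabled, typical user
    ("bob", 514),             # disabled (512 + 2)
    ("svc-backup", 66048),    # enabled, password never expires (512 + 65536)
    ("svc-legacy", 4194848),  # 512 + 32 + 4194304: no password, no preauth
    ("dc01", 532480),         # domain controller default value
]

if __name__ == "__main__":
    for name, uac in SAMPLE_ACCOUNTS:
        print(f"{name:11} {uac:>8} {uac:#10x}  {', '.join(decode_uac(uac))}")
    print("disabled (803:=2):", query(SAMPLE_ACCOUNTS, RULE_BIT_AND, 2))
    print("never expires (803:=65536):", query(SAMPLE_ACCOUNTS, RULE_BIT_AND, 65536))
    print("weak settings (804):", weak_password_or_kerberos(SAMPLE_ACCOUNTS))
```

The decoder shows why the composite rows in the table (514, 66048, 532480 and so on) are simply sums of single-bit flags, and `query` makes the difference between the two OIDs concrete: with the AND rule, a mask of 0x82000 matches a domain controller but not a plain member server, while the OR rule matches both.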
Notes
Property flag descriptions
- SCRIPT – The logon script will be run.
- ACCOUNTDISABLE – The user account is disabled.
- HOMEDIR_REQUIRED – The home folder is required.
- PASSWD_NOTREQD – No password is required.
- PASSWD_CANT_CHANGE – The user cannot change the password. This is a permission on the user’s object. For information about how to programmatically set this permission, visit the following Web site:
- ENCRYPTED_TEXT_PASSWORD_ALLOWED – The user can send an encrypted password.
- TEMP_DUPLICATE_ACCOUNT – This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account.
- NORMAL_ACCOUNT – This is a default account type that represents a typical user.
- INTERDOMAIN_TRUST_ACCOUNT – This is a permit to trust an account for a system domain that trusts other domains.
- WORKSTATION_TRUST_ACCOUNT – This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain.
- SERVER_TRUST_ACCOUNT – This is a computer account for a domain controller that is a member of this domain.
- DONT_EXPIRE_PASSWD – Represents the password, which should never expire on the account.
- MNS_LOGON_ACCOUNT – This is an MNS logon account.
- SMARTCARD_REQUIRED – When this flag is set, it forces the user to log on by using a smart card.
- TRUSTED_FOR_DELEGATION – When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
- NOT_DELEGATED – When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
- USE_DES_KEY_ONLY – (Windows 2000/Windows Server 2003) Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
- DONT_REQUIRE_PREAUTH – (Windows 2000/Windows Server 2003) This account does not require Kerberos pre-authentication for logging on.
- PASSWORD_EXPIRED – (Windows 2000/Windows Server 2003) The user’s password has expired.
- TRUSTED_TO_AUTH_FOR_DELEGATION – (Windows 2000/Windows Server 2003) The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client’s identity and authenticate as that user to other remote servers on the network.
- PARTIAL_SECRETS_ACCOUNT – (Windows Server 2008/Windows Server 2008 R2) The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server.
UserAccountControl values
These are the default UserAccountControl values for the most common object types:
- Typical user : 0x200 (512)
- Domain controller : 0x82000 (532480)
- Workstation/server: 0x1000 (4096)
To set or erase bits in the userAccountControl attribute
```vbscript
' Flag values (ADS_USER_FLAG_ENUM) as decimal constants
Const ADS_UF_ACCOUNT_DISABLE = 2
Const ADS_UF_HOMEDIR_REQUIRED = 8
Const ADS_UF_LOCKOUT = 16
Const ADS_UF_PASSWD_NOTREQD = 32
Const ADS_UF_PASSWD_CANT_CHANGE = 64
Const ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 128
Const ADS_UF_NORMAL_ACCOUNT = 512
Const ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = 2048
Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = 4096
Const ADS_UF_SERVER_TRUST_ACCOUNT = 8192
Const ADS_UF_DONT_EXPIRE_PASSWD = 65536
Const ADS_UF_MNS_LOGON_ACCOUNT = 131072
Const ADS_UF_SMARTCARD_REQUIRED = 262144
Const ADS_UF_TRUSTED_FOR_DELEGATION = 524288
Const ADS_UF_NOT_DELEGATED = 1048576
Const ADS_UF_USE_DES_KEY_ONLY = 2097152
Const ADS_UF_DONT_REQUIRE_PREAUTH = 4194304
Const ADS_UF_PASSWORD_EXPIRED = 8388608
Const ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 16777216
Const ADS_UF_NO_AUTH_DATA_REQUIRED = 33554432
Const ADS_UF_PARTIAL_SECRETS_ACCOUNT = 67108864

' Bind to the account whose flags are to be changed
Set obj = GetObject("LDAP://cn=site,ou=user,dc=contoso,dc=com")

' Disable the user (set the flag bit); OR leaves all other bits untouched
obj.userAccountControl = obj.userAccountControl Or ADS_UF_ACCOUNT_DISABLE
obj.SetInfo

' Enable the user (clear the flag bit). AND NOT clears the bit whether or not
' it is currently set; XOR would toggle it and could disable an enabled account.
obj.userAccountControl = obj.userAccountControl And (Not ADS_UF_ACCOUNT_DISABLE)
obj.SetInfo
```
Reference
User-Account-Control attribute
How to use the UserAccountControl flags to manipulate user account properties