The userAccountControl attribute on user and computer objects is a bitmask stored as a 32-bit integer; each bit is an independent flag, and the attribute value is the sum of the flags that are set. Here’s a quick summary of the flags and their meanings:
| Value (HEX) | Value (DEC) | Flag Name | Description |
|---|---|---|---|
| 0x00000001 | 1 | SCRIPT | The logon script will be run. Rarely used in modern AD environments, since logon scripts are normally assigned via Group Policy. |
| 0x00000002 | 2 | ACCOUNTDISABLE | The account is disabled. |
| 0x00000008 | 8 | HOMEDIR_REQUIRED | The home folder is required. |
| 0x00000010 | 16 | LOCKOUT | The account is locked out after too many bad password attempts. On Windows Server 2003 and later domain controllers this bit is not maintained in userAccountControl itself; read lockoutTime or the constructed attribute msDS-User-Account-Control-Computed instead. |
| 0x00000020 | 32 | PASSWD_NOTREQD | No password is required. Such accounts may have an empty password, bypassing the domain password policy. |
| 0x00000040 | 64 | PASSWD_CANT_CHANGE | The user cannot change their own password. This bit reflects a permission (ACE) on the user object and cannot be set by writing userAccountControl directly. |
| 0x00000080 | 128 | ENCRYPTED_TEXT_PWD_ALLOWED | The password is stored using reversible encryption (the "Store password using reversible encryption" option), so anyone able to read the stored secret recovers the cleartext. |
| 0x00000100 | 256 | TEMP_DUPLICATE_ACCOUNT | An account for a user whose primary account is in another domain. It grants access to this domain, but not to any domain that trusts this domain. Sometimes referred to as a local user account. |
| 0x00000200 | 512 | NORMAL_ACCOUNT | The default account type, representing a normal user. |
| 0x00000800 | 2048 | INTERDOMAIN_TRUST_ACCOUNT | A trust account for a domain that trusts other domains (the object that represents an inter-domain trust). |
| 0x00001000 | 4096 | WORKSTATION_TRUST_ACCOUNT | A computer account for a workstation or member server that is a member of this domain. |
| 0x00002000 | 8192 | SERVER_TRUST_ACCOUNT | A computer account for a domain controller that is a member of this domain. |
| 0x00010000 | 65536 | DONT_EXPIRE_PASSWORD | The password will not expire. |
| 0x00020000 | 131072 | MNS_LOGON_ACCOUNT | A Majority Node Set (MNS) logon account, used in clustering where there is no shared disk. |
| 0x00040000 | 262144 | SMARTCARD_REQUIRED | A smart card is required to log on. |
| 0x00080000 | 524288 | TRUSTED_FOR_DELEGATION | The account (user or computer) under which a service runs is trusted for unconstrained Kerberos delegation: any service running as it can impersonate a client that authenticated to it when talking to any other service, and the forwarded TGTs of those clients are cached on that host. Domain controllers carry this flag by default; on anything else it should be set only where unavoidable. |
| 0x00100000 | 1048576 | NOT_DELEGATED | The user's security context cannot be delegated by a service account that is trusted for delegation (the "Account is sensitive and cannot be delegated" option). |
| 0x00200000 | 2097152 | USE_DES_KEY_ONLY | Restrict this principal to Data Encryption Standard (DES) encryption types for Kerberos keys. DES is weak and is disabled by default on current Windows versions. |
| 0x00400000 | 4194304 | DONT_REQ_PREAUTH | Kerberos pre-authentication is not required to log on. Anyone can request an AS-REP for such an account and crack its encrypted part offline (AS-REP roasting). |
| 0x00800000 | 8388608 | PASSWORD_EXPIRED | The account's password has expired. Like LOCKOUT, this bit is only reliably reported via msDS-User-Account-Control-Computed. |
| 0x01000000 | 16777216 | TRUSTED_TO_AUTH_FOR_DELEGATION | The account is enabled for constrained delegation with protocol transition (the "Use any authentication protocol" option). A service running under it can obtain a service ticket as any user to the services listed in its msDS-AllowedToDelegateTo attribute without that user having authenticated to it first. Security-sensitive; such accounts should be tightly controlled. |
Some typical values (the decimal value is just the sum of the set flags):
- 512 – Normal user account (NORMAL_ACCOUNT)
- 514 – Disabled normal user account (512 + 2)
- 66048 – Normal user with non-expiring password (512 + 65536)
- 532480 – Domain controller (8192 + 524288, i.e. SERVER_TRUST_ACCOUNT with TRUSTED_FOR_DELEGATION)
- 4096 – Workstation / member server (WORKSTATION_TRUST_ACCOUNT)
See http://support.microsoft.com/kb/305144 and http://msdn.microsoft.com/en-us/library/ms680832.aspx for more information.
To query for bits in this attribute with LDAP filter syntax, use one of the bitwise extensible matching rules:
- AND – userAccountControl:1.2.840.113556.1.4.803:=bitvalue
The result is true if every bit in bitvalue is set in userAccountControl (the attribute is masked with bitvalue and the result compared to bitvalue). For example, to find accounts with the ACCOUNTDISABLE flag set, the filter is (userAccountControl:1.2.840.113556.1.4.803:=2). For accounts that are not disabled, wrap it in (!(…)). Note that a multi-bit value only matches when all of its bits are set: ...803:=18 matches accounts that are both disabled and locked out, not either.
- OR – userAccountControl:1.2.840.113556.1.4.804:=bitvalue
The result is true if any bit in bitvalue is set in userAccountControl. For example, to find all objects that are locked out or disabled, the filter is (userAccountControl:1.2.840.113556.1.4.804:=18). To find accounts that are neither locked out nor disabled, wrap it in (!(…)). Remember that on current domain controllers the LOCKOUT bit is not kept in userAccountControl, so a filter on that bit will miss locked-out accounts; query lockoutTime or msDS-User-Account-Control-Computed for those instead.
See http://support.microsoft.com/kb/269181 for more information on bitwise operators.
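The flag decoding from the table and the 803/804 filter syntax above, as an added Python example that is not part of the original post. The flag values are the ones in the table; the AND/OR matching-rule semantics are evaluated locally against a constructed set of sample entries (alice, bob, svc-legacy, DC01$ and WS01$ are made up), so it runs without a domain controller. The generated filter strings can be passed as-is to ldapsearch or to Get-ADObject -LDAPFilter against a real directory.

```python
"""Decode userAccountControl values and build LDAP bitwise filters for them.

Added example, not from the original post. Flag values are those in the
table above; SAMPLE_ENTRIES is constructed test data, not real accounts.
"""
from __future__ import annotations

from enum import IntFlag


class UAC(IntFlag):
    SCRIPT = 0x00000001
    ACCOUNTDISABLE = 0x00000002
    HOMEDIR_REQUIRED = 0x00000008
    LOCKOUT = 0x00000010                # not maintained in the attribute on current DCs
    PASSWD_NOTREQD = 0x00000020
    PASSWD_CANT_CHANGE = 0x00000040     # derived from an ACE, not writable here
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x00000080
    TEMP_DUPLICATE_ACCOUNT = 0x00000100
    NORMAL_ACCOUNT = 0x00000200
    INTERDOMAIN_TRUST_ACCOUNT = 0x00000800
    WORKSTATION_TRUST_ACCOUNT = 0x00001000
    SERVER_TRUST_ACCOUNT = 0x00002000
    DONT_EXPIRE_PASSWORD = 0x00010000
    MNS_LOGON_ACCOUNT = 0x00020000
    SMARTCARD_REQUIRED = 0x00040000
    TRUSTED_FOR_DELEGATION = 0x00080000
    NOT_DELEGATED = 0x00100000
    USE_DES_KEY_ONLY = 0x00200000
    DONT_REQ_PREAUTH = 0x00400000
    PASSWORD_EXPIRED = 0x00800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000


# LDAP extensible-match rule OIDs: bitwise AND and bitwise OR.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"


def decode_uac(value: int) -> list[str]:
    """Names of the flags set in a userAccountControl value, low bit first."""
    return [flag.name for flag in UAC if value & flag.value]


def uac_filter(mask: int, *, any_bit: bool = False, negate: bool = False) -> str:
    """One extensible-match clause on userAccountControl.

    any_bit=False -> rule 803: every bit in mask must be set
    any_bit=True  -> rule 804: at least one bit in mask must be set
    negate=True   -> wrap the clause in (!(...))
    """
    rule = LDAP_MATCHING_RULE_BIT_OR if any_bit else LDAP_MATCHING_RULE_BIT_AND
    clause = f"(userAccountControl:{rule}:={int(mask)})"
    return f"(!{clause})" if negate else clause


def bit_rule_matches(value: int, mask: int, *, any_bit: bool = False) -> bool:
    """The comparison a DC performs for rule 803 (AND) and rule 804 (OR)."""
    return bool(value & mask) if any_bit else (value & mask) == mask


def asrep_roastable_filter() -> str:
    """Enabled user objects that do not require Kerberos pre-authentication."""
    return (
        "(&(objectCategory=person)(objectClass=user)"
        + uac_filter(UAC.ACCOUNTDISABLE, negate=True)
        + uac_filter(UAC.DONT_REQ_PREAUTH)
        + ")"
    )


# Constructed sample entries (sAMAccountName -> userAccountControl); not real data.
SAMPLE_ENTRIES = {
    "alice": 512,                    # NORMAL_ACCOUNT
    "bob": 514,                      # NORMAL_ACCOUNT | ACCOUNTDISABLE
    "svc-legacy": 512 | 0x00400000,  # NORMAL_ACCOUNT | DONT_REQ_PREAUTH
    "DC01$": 532480,                 # SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION
    "WS01$": 4096,                   # WORKSTATION_TRUST_ACCOUNT
}


def select(entries: dict[str, int], mask: int, *, any_bit: bool = False,
           negate: bool = False) -> list[str]:
    """Apply one bitwise clause locally and return the matching account names."""
    return sorted(
        name for name, uac in entries.items()
        if bit_rule_matches(uac, mask, any_bit=any_bit) != negate
    )


if __name__ == "__main__":
    for name, uac in SAMPLE_ENTRIES.items():
        print(f"{name:12} {uac:>8}  {' | '.join(decode_uac(uac))}")
    print("disabled:      ", uac_filter(UAC.ACCOUNTDISABLE))
    print("locked|disabled", uac_filter(UAC.LOCKOUT | UAC.ACCOUNTDISABLE, any_bit=True))
    print("AS-REP roast:  ", asrep_roastable_filter())
    print("not disabled:  ", select(SAMPLE_ENTRIES, UAC.ACCOUNTDISABLE, negate=True))
```

The local evaluator makes the difference between the two rules concrete: with mask 18, rule 803 only matches an account that is both disabled and locked out, while rule 804 matches either. It also mirrors the caveat from the table: none of the sample entries carry the LOCKOUT bit, just as a real userAccountControl value on a current domain controller would not, so a lockout search has to go through lockoutTime or msDS-User-Account-Control-Computed rather than this attribute.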