User-Account-Control Attribute [1]#

Flags that control the behavior of the Microsoft Active Directory user account.

CNUser-Account-Control
Ldap-Display-NameuserAccountControl
Size4 bytes.
Update PrivilegeThis value is set by the system.
Update FrequencyEach time the account policy changes.
Attribute-Id1.2.840.113556.1.4.8
System-Id-Guidbf967a68-0de6-11d0-a285-00aa003049e2
SyntaxEnumeration

Implementations#

  • Windows 2000 Server
  • Windows Server 2003
  • Windows Server 2003 R2
  • Windows Server 2008

Remarks#

This attribute value can be zero or a combination of one or more of the following values.

You cannot set some of the values on a user or computer object because these values can be set or reset only by the directory service.

The flags are cumulative. To disable a user's account, set the UserAccountControl attribute to 0x0202 (0x002 + 0x0200). In decimal, this is 514 (2 + 512).

Since User-Account-Control-Attribute is a constructed attribute, it cannot be used in an LDAP search filter.

Not the Final Answer#

There are 21 flags are currently defined for use with the userAccountControl attribute However, Microsoft Active Directory does not actually rely on all the values as displayed in the User-Account-Control Attribute!

Specifically, the ones that are not accurately displayed in Microsoft Active Directory or can not be modified from LDAP are:

Active Directory actually uses different mechanisms to control these account properties, so DO NOT try to read them from userAccountControl if you require the values to be accurate.

There is also, "User must change password at next logon" that is controlled by the PwdLastSet attribute.

Note: In a Windows Server 2003-based domain, LOCK_OUT and PASSWORD_EXPIRED have been replaced with a new attribute called ms-DS-User-Account-Control-Computed. For more information about this new attribute, visit the following Web site: http://msdn2.microsoft.com/en-us/library/ms677840.aspx

Common Active Directory Bind Errors #

Some of the entries within the User-Account-Control Attribute are seen from LDAP within Common Active Directory Bind Errors.

User-Account-Control Attribute Values#

We summarize the User-Account-Control Attribute Values that we have been able to determine and identify their usage showing the values used in DirXML which are Pseudo Attribute that allow easy setting and reading of the User-Account-Control Attribute.

More Information#

There might be more information for this subject on one of the following:
[#1] Microsoft User-Account-Control Attribute

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-47) was last changed on 20-Sep-2016 10:49 by jim