This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview [1]
[{$pagename}] holds the flags that control the behavior of the [Microsoft Active Directory] user account. [{$pagename}] has a related dynamically computed [Attribute], [MsDS-User-Account-Control-Computed], whose value can contain additional bits that are not persisted.
|CN|User-Account-Control
|Ldap-Display-Name|[userAccountControl]
|Size|4 bytes.
|Update Privilege|This value is set by the system.
|Update Frequency|Each time the account policy changes.
|Attribute-Id|1.2.840.113556.1.4.8
|System-Id-Guid|bf967a68-0de6-11d0-a285-00aa003049e2
|Syntax|Enumeration
!Implementations
* Windows 2000 Server
* Windows Server 2003
* Windows Server 2003 R2
* Windows Server 2008
!!Remarks
This attribute value can be zero or a combination of one or more of the following values.
You cannot set some of the values on a user or computer object because these values can be set or reset only by the directory service.
The flags are cumulative. To disable a user's account, set the UserAccountControl attribute to 0x0202 (0x002 + 0x0200). In decimal, this is 514 (2 + 512).
Since User-Account-Control-Attribute is a constructed attribute, it cannot be used in an LDAP search filter.
!! Not the Final Answer
There are 21 flags currently defined for use with the userAccountControl attribute. However, [Microsoft Active Directory] does not actually rely on all the values as displayed in the [User-Account-Control Attribute]!
Specifically, the ones that are not accurately displayed in [Microsoft Active Directory] or cannot be modified from LDAP are:
* [LOCKOUT]
* [PASSWD_CANT_CHANGE]
* [ERROR_PASSWORD_EXPIRED]
Active Directory actually uses different mechanisms to control these account properties, so __DO NOT__ try to read them from userAccountControl if you require the values to be accurate.
There is also "User must change password at next logon", which is controlled by the [PwdLastSet] attribute.
__Note:__ In a Windows Server 2003-based domain, LOCK_OUT and PASSWORD_EXPIRED have been replaced with a new attribute called ms-DS-User-Account-Control-Computed. For more information about this new attribute, visit the following Web site:
[http://msdn2.microsoft.com/en-us/library/ms677840.aspx]
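The cumulative-flag arithmetic from the Remarks (0x0200 + 0x0002 = 0x0202) and the overlay of the non-authoritative bits from ms-DS-User-Account-Control-Computed described above, as an added example that is not code from this page. The flag values are the documented userAccountControl bit values; the function names are our own.

```python
from enum import IntFlag
from typing import List

# Documented userAccountControl bit values (not taken from this page).
class UAC(IntFlag):
    SCRIPT = 0x0001
    ACCOUNTDISABLE = 0x0002
    HOMEDIR_REQUIRED = 0x0008
    LOCKOUT = 0x0010
    PASSWD_NOTREQD = 0x0020
    PASSWD_CANT_CHANGE = 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080
    TEMP_DUPLICATE_ACCOUNT = 0x0100
    NORMAL_ACCOUNT = 0x0200
    INTERDOMAIN_TRUST_ACCOUNT = 0x0800
    WORKSTATION_TRUST_ACCOUNT = 0x1000
    SERVER_TRUST_ACCOUNT = 0x2000
    DONT_EXPIRE_PASSWORD = 0x10000
    MNS_LOGON_ACCOUNT = 0x20000
    SMARTCARD_REQUIRED = 0x40000
    TRUSTED_FOR_DELEGATION = 0x80000
    NOT_DELEGATED = 0x100000
    USE_DES_KEY_ONLY = 0x200000
    DONT_REQ_PREAUTH = 0x400000
    PASSWORD_EXPIRED = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000

# Bits the page says are not reliable in the stored userAccountControl value;
# the directory service exposes them through msDS-User-Account-Control-Computed.
NOT_AUTHORITATIVE = int(UAC.LOCKOUT | UAC.PASSWD_CANT_CHANGE | UAC.PASSWORD_EXPIRED)

def decode(value: int) -> List[str]:
    """Names of every flag set in a raw userAccountControl integer, in bit order."""
    return [flag.name for flag in UAC if value & int(flag)]

def disable_account(value: int) -> int:
    """Set ACCOUNTDISABLE while leaving the other cumulative flags intact."""
    return int(value | UAC.ACCOUNTDISABLE)

def effective_flags(stored: int, computed: int) -> int:
    """Replace the non-authoritative bits of the stored value with the ones
    from msDS-User-Account-Control-Computed so LOCKOUT/PASSWORD_EXPIRED are real."""
    return (stored & ~NOT_AUTHORITATIVE) | (computed & NOT_AUTHORITATIVE)

if __name__ == "__main__":
    # Constructed sample: a normal account whose stored value carries a stale LOCKOUT bit.
    stored, computed = 0x0210, 0x0000
    print(decode(stored), "->", decode(effective_flags(stored, computed)))
```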
!! [Common Active Directory Bind Errors]
Some of the entries within the [{$pagename}] are seen from LDAP within [Common Active Directory Bind Errors].
! [User-Account-Control Attribute Values]
We summarize the [User-Account-Control Attribute Values] that we have been able to determine, identify their usage, and show the values used in [DirXML], which are [Pseudo Attribute] values that allow easy setting and reading of the [{$pagename}].
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
[#1] [Microsoft User-Account-Control Attribute|http://msdn.microsoft.com/en-us/library/ms680832%28v=VS.85%29.aspx|target='_blank']