This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor
!!! Overview
The "dirxml-" values are [Pseudo Attributes] used in [DirXML] that let the [Microsoft Active Directory Driver] set and read the individual [User-Account-Control Attribute] values without handling the raw bitmask directly.
Many of the values shown below are exposed on the [MMC Account Tab] for [Microsoft Active Directory]. Some values are only visible, or only current, when read from the [AttributeType] [msDS-User-Account-Control-Computed].
This attribute value can be zero or a combination of one or more of the following values.
%%zebra-table
%%sortable
%%table-filter
||Hexadecimal||Decimal||Identifier||DirXML||PERMS||Description
|0x00000001|1|[SCRIPT]|[dirxml-uACScript]|RW|The logon script is executed.
|0x00000002|2|[ACCOUNTDISABLE]|[dirxml-uACAccountDisable] (TRUE/FALSE)|RW|The user account is disabled.
|0x00000008|8|[HOMEDIR_REQUIRED]|[dirxml-uACHomedirRequired]|RW|The home directory is required.
|0x00000010|16|[LOCKOUT]|[dirxml-uACLockout]|RW|The account is currently locked from [Intruder Detection]. This value can be cleared to unlock a previously locked account.\\ __This value cannot be used to lock a previously un-locked account.__
|0x00000020|32|[PASSWD_NOTREQD]|[dirxml-uACPasswordNotRequired]|RW|No password is required.
|0x00000040|64|[PASSWD_CANT_CHANGE]|[dirxml-uACPasswordCantChange]|RO|The user cannot change the password. Note: You cannot assign the permission settings of PASSWD_CANT_CHANGE by directly modifying the UserAccountControl attribute. For more information and a code example that shows how to prevent a user from changing the password, see [User Cannot Change Password.|http://msdn.microsoft.com/en-us/library/aa746508(v=VS.85).aspx|target='_blank']
|0x00000080|128|[ENCRYPTED_TEXT_PASSWORD_ALLOWED]|[dirxml-uACEncryptedTextPasswordAllowed]|RW|The user can send an encrypted password.
|0x00000100|256|[TEMP_DUPLICATE_ACCOUNT]|N/A|??|This is an account for users whose primary account is in another [AD DOMAIN]. This account provides user access to this [AD DOMAIN], but not to any [AD DOMAIN] that trusts this [AD DOMAIN]. Also known as a local user account.
|0x00000200|512|[NORMAL_ACCOUNT]|[dirxml-uACNormalAccount]|RO|This is a default account type that represents a typical user.
|0x00000800|2048|[INTERDOMAIN_TRUST_ACCOUNT]|[dirxml-uACInterdomainTrustAccount]|RO|This is a permit to trust account for a system [AD DOMAIN] that trusts other [AD DOMAIN].
|0x00001000|4096|[WORKSTATION_TRUST_ACCOUNT]|[dirxml-uACWorkstationTrustAccount]|RO|This is a computer account for a computer that is a member of this [AD DOMAIN].
|0x00002000|8192|[SERVER_TRUST_ACCOUNT]|[dirxml-uACServerTrustAccount]|RO|This is a computer account for a system backup [Domain Controller] that is a member of this [AD DOMAIN].
|0x00004000| |N/A|N/A|N/A|N/A
|0x00008000| |N/A|N/A|N/A|N/A
|0x00010000|65536|[DONT_EXPIRE_PASSWORD]|[dirxml-uACDontExpirePassword]|RW|The [password] for this account will never expire.
|0x00020000|131072|[MNS_LOGON_ACCOUNT]|N/A|??|This is an MNS logon account.
|0x00040000|262144|[SMARTCARD_REQUIRED]|N/A|??|The user must log on using a [Smart Card].
|0x00080000|524288|[TRUSTED_FOR_DELEGATION]|N/A|??|The service account (user or computer account), under which a service runs, is trusted for [Kerberos] [delegation]. Any such service can impersonate a client requesting the service.
|0x00100000|1048576|[NOT_DELEGATED]|N/A|??|The security context of the user will __NOT__ be delegated to a service even if the service account is set as trusted for [Kerberos] [delegation].
|0x00200000|2097152|[USE_DES_KEY_ONLY]|N/A|??|Restrict this [UserPrincipalName] to use only [Data Encryption Standard|DES] ([DES]) encryption types for keys.
|0x00400000|4194304|[DONT_REQUIRE_PREAUTH]|N/A|??|This account does not require [Kerberos Pre-Authentication] for logon.
|0x00800000|8388608|[ERROR_PASSWORD_EXPIRED]|N/A|RO|The user [password has expired|Password Expiration]. This flag is created by the system using data from the [Pwd-Last-Set attribute] and the [AD DOMAIN] policy.
|0x01000000|16777216|[TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION]|N/A|??|The account is enabled for [delegation]. This is a __security-sensitive setting__; accounts with this option enabled [SHOULD] be strictly controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to other remote servers on the network.
|0x04000000|67108864|[PARTIAL_SECRETS_ACCOUNT]|N/A|??|(Windows Server 2008/Windows Server 2008 R2) The account is a [Read-Only Domain Controller] ([RODC]). This is a __security-sensitive setting__. Removing this setting from an [RODC] compromises security on that server.
|0x80000000|2147483648|[USER_USE_AES_KEYS]|N/A|??|Restrict this [UserPrincipalName] to use only [Advanced Encryption Standard] ([AES]) [encryption] types for [keys]. This [bit] is ignored by [Windows Client] and [Windows Servers].
/%
/%
/%
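The attribute is a plain bitmask, so a directory value such as 66048 only makes sense once it is split back into the flags in the table. The decoder below is an added example and is not part of this page or of the DirXML driver: the bit values come from the table above, while the helper names, the choice of "review-worthy" flags and the sample values are this example's own assumptions.

```python
# Added example (not from this wiki page or the DirXML driver): decode,
# edit and review userAccountControl bitmask values. Bit values follow the
# table above; REVIEW_FLAGS and the helper names are this example's choices.

UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQUIRE_PREAUTH",
    0x00800000: "ERROR_PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
    0x04000000: "PARTIAL_SECRETS_ACCOUNT",
    0x80000000: "USER_USE_AES_KEYS",
}
NAME_TO_BIT = {name: bit for bit, name in UAC_FLAGS.items()}

# Flags the table marks security-sensitive, plus those that drop a password
# or Kerberos protection. The selection is this example's, not the page's.
REVIEW_FLAGS = {"PASSWD_NOTREQD", "USE_DES_KEY_ONLY", "DONT_REQUIRE_PREAUTH",
                "TRUSTED_FOR_DELEGATION", "PARTIAL_SECRETS_ACCOUNT",
                "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION"}

# Flags the table says cannot be turned on by writing userAccountControl.
NOT_SETTABLE = {"LOCKOUT", "PASSWD_CANT_CHANGE"}


def decode_uac(value):
    """Names of all flags set in value, lowest bit first. Bits the table
    does not define are reported as UNKNOWN_0x... rather than dropped."""
    names, remaining = [], value
    for bit in sorted(UAC_FLAGS):
        if remaining & bit:
            names.append(UAC_FLAGS[bit])
            remaining &= ~bit
    bit = 1
    while remaining:
        if remaining & bit:
            names.append("UNKNOWN_0x%08X" % bit)
            remaining &= ~bit
        bit <<= 1
    return names


def encode_uac(names):
    """Combine flag names into the decimal value the directory stores."""
    value = 0
    for name in names:
        value |= NAME_TO_BIT[name]  # KeyError on a misspelled flag
    return value


def set_flag(value, name):
    """Read-modify-write: turn one flag on and keep every other bit intact."""
    if name in NOT_SETTABLE:
        raise ValueError("%s cannot be set through userAccountControl" % name)
    return value | NAME_TO_BIT[name]


def clear_flag(value, name):
    """Turn one flag off (e.g. clear LOCKOUT to unlock), keeping other bits."""
    return value & ~NAME_TO_BIT[name]


def review(value):
    """Flags set in value that a defender should look at, sorted by name."""
    return sorted(set(decode_uac(value)) & REVIEW_FLAGS)


if __name__ == "__main__":
    # Constructed sample values; not read from any real directory.
    for label, v in [("enabled user", 512), ("disabled user", 514),
                     ("locked user", 528), ("never expires", 66048),
                     ("no pre-auth", 4194816), ("undefined bit", 16896)]:
        print("%-14s %8d  %s" % (label, v, ", ".join(decode_uac(v))),
              ("  review: " + ", ".join(review(v))) if review(v) else "")
    print("unlock 528 ->", clear_flag(528, "LOCKOUT"))
```

Note that `decode_uac` only reads the stored attribute: as the text above says, LOCKOUT and ERROR_PASSWORD_EXPIRED are computed by the system, so the current state of those two bits should be taken from [msDS-User-Account-Control-Computed] rather than from the raw value. The read-modify-write in `set_flag` and `clear_flag` is the safe way to change one bit; writing a whole new decimal value would silently reset every other flag on the account.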
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [User-Account-Control attribute|https://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx|target='_blank'] - based on information obtained 2014-09-20