User-Account-Control Attribute Values

Overview #

The "dirxml-" values are used in DirXML. They are pseudo-attributes that let the Microsoft Active Directory Driver set and read the individual User-Account-Control attribute values without manipulating the raw bitmask.

Many of the values shown below are exposed on the MMC Account Tab for Microsoft Active Directory.

Some values are only visible, or only current, when read from the AttributeType msDS-User-Account-Control-Computed.

This attribute value can be zero or a bitwise combination (OR) of one or more of the following values.

| Hex | Decimal | Flag | DirXML Attribute | Access | Description |
|---|---|---|---|---|---|
| 0x00000001 | 1 | SCRIPT | dirxml-uACScript | RW | The logon script is executed. |
| 0x00000002 | 2 | ACCOUNTDISABLE | dirxml-uACAccountDisable (TRUE/FALSE) | RW | The user account is disabled. |
| 0x00000008 | 8 | HOMEDIR_REQUIRED | dirxml-uACHomedirRequired | RW | The home directory is required. |
| 0x00000010 | 16 | LOCKOUT | dirxml-uACLockout | RW | The account is currently locked from Intruder Detection. This value can be cleared to unlock a previously locked account. This value cannot be used to lock a previously unlocked account. |
| 0x00000020 | 32 | PASSWD_NOTREQD | dirxml-uACPasswordNotRequired | RW | No password is required. |
| 0x00000040 | 64 | PASSWD_CANT_CHANGE | dirxml-uACPasswordCantChange | RO | The user cannot change the password. Note: You cannot assign the permission settings of PASSWD_CANT_CHANGE by directly modifying the UserAccountControl attribute. For more information and a code example that shows how to prevent a user from changing the password, see User Cannot Change Password. |
| 0x00000080 | 128 | ENCRYPTED_TEXT_PASSWORD_ALLOWED | dirxml-uACEncryptedTextPasswordAllowed | RW | The user can send an encrypted password. |
| 0x00000100 | 256 | TEMP_DUPLICATE_ACCOUNT | N/A | ?? | This is an account for users whose primary account is in another AD DOMAIN. This account provides user access to this AD DOMAIN, but not to any AD DOMAIN that trusts this AD DOMAIN. Also known as a local user account. |
| 0x00000200 | 512 | NORMAL_ACCOUNT | dirxml-uACNormalAccount | RO | This is a default account type that represents a typical user. |
| 0x00000800 | 2048 | INTERDOMAIN_TRUST_ACCOUNT | dirxml-uACInterdomainTrustAccount | RO | This is a permit-to-trust account for a system AD DOMAIN that trusts other AD DOMAINs. |
| 0x00001000 | 4096 | WORKSTATION_TRUST_ACCOUNT | dirxml-uACWorkstationTrustAccount | RO | This is a computer account for a computer that is a member of this AD DOMAIN. |
| 0x00002000 | 8192 | SERVER_TRUST_ACCOUNT | dirxml-uACServerTrustAccount | RO | This is a computer account for a system backup Domain Controller that is a member of this AD DOMAIN. |
| 0x00004000 | N/A | N/A | N/A | N/A | |
| 0x00008000 | N/A | N/A | N/A | N/A | |
| 0x00010000 | 65536 | DONT_EXPIRE_PASSWORD | dirxml-uACDontExpirePassword | RW | The password for this account will never expire. |
| 0x00020000 | 131072 | MNS_LOGON_ACCOUNT | N/A | ?? | This is an MNS logon account. |
| 0x00040000 | 262144 | SMARTCARD_REQUIRED | N/A | ?? | The user must log on using a Smart Card. |
| 0x00080000 | 524288 | TRUSTED_FOR_DELEGATION | N/A | ?? | The service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. |
| 0x00100000 | 1048576 | NOT_DELEGATED | N/A | ?? | The security context of the user will NOT be delegated to a service even if the service account is set as trusted for Kerberos delegation. |
| 0x00200000 | 2097152 | USE_DES_KEY_ONLY | N/A | ?? | Restrict this UserPrincipalName to use only Data Encryption Standard (DES) encryption types for keys. |
| 0x00400000 | 4194304 | DONT_REQUIRE_PREAUTH | N/A | ?? | This account does not require Kerberos Pre-Authentication for logon. |
| 0x00800000 | 8388608 | ERROR_PASSWORD_EXPIRED | N/A | RO | The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the AD DOMAIN policy. |
| 0x01000000 | 16777216 | TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION | N/A | ?? | The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled SHOULD be strictly controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to other remote servers on the network. |
| 0x04000000 | 67108864 | PARTIAL_SECRETS_ACCOUNT | N/A | ?? | (Windows Server 2008/Windows Server 2008 R2) The account is a Read-Only Domain Controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server. |
| 0x80000000 | 2147483648 | USER_USE_AES_KEYS | N/A | ?? | Restrict this UserPrincipalName to use only Advanced Encryption Standard (AES) encryption types for keys. This bit is ignored by Windows Client and Windows Servers. |
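Because the attribute is a bitmask, a reviewer normally decodes it into flag names before judging an account. The following decoder and audit helper is an added example written for this page, not DirXML or Microsoft code; the bit values and names are the ones in the table above, the set of "risky" flags (those the table marks security-sensitive plus the ones that weaken password or Kerberos checks) is this example's own choice, and the sample account values are constructed.

```python
# Added example, not from the page: bit values and flag names follow the table above.
UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQUIRE_PREAUTH",
    0x00800000: "ERROR_PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
    0x04000000: "PARTIAL_SECRETS_ACCOUNT",
    0x80000000: "USER_USE_AES_KEYS",
}
# Flags the table marks security-sensitive or that weaken authentication (this example's choice).
RISKY = {"PASSWD_NOTREQD", "DONT_EXPIRE_PASSWORD", "USE_DES_KEY_ONLY", "DONT_REQUIRE_PREAUTH",
         "TRUSTED_FOR_DELEGATION", "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION"}

def decode_uac(value):
    """Return (names of flags set, bits the table does not name) for one userAccountControl value."""
    names = [n for bit, n in UAC_FLAGS.items() if value & bit]
    return names, value & ~sum(UAC_FLAGS)  # e.g. 0x4000 and 0x8000 are unnamed in the table

def audit(entries):
    """entries maps account name -> userAccountControl; returns risky flag names per enabled account."""
    findings = {}
    for name, uac in entries.items():
        flags, _ = decode_uac(uac)
        if "ACCOUNTDISABLE" in flags:
            continue  # a disabled account cannot log on, so its other flags are moot
        risky = sorted(RISKY & set(flags))
        if risky:
            findings[name] = risky
    return findings

# Constructed sample values (not real directory data); 0x200 is NORMAL_ACCOUNT.
SAMPLE = {"alice": 0x200, "svc-web": 0x200 | 0x10000 | 0x80000,
          "bob": 0x200 | 0x400000, "old-acct": 0x200 | 0x2 | 0x20}
```

Running `audit(SAMPLE)` reports svc-web (non-expiring password, trusted for delegation) and bob (no Kerberos pre-authentication), and skips old-acct because it is disabled.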

More Information #

There might be more information for this subject on one of the following: