!!! Overview [1]
[{$pagename}] is a set of flags that control the behavior of the [Microsoft Active Directory] user account.

[{$pagename}] has a dynamic computed [Attribute], [MsDS-User-Account-Control-Computed], but that attribute's value can contain additional bits that are not persisted.

|CN|User-Account-Control
|Ldap-Display-Name|[userAccountControl]
|Size|4 bytes.
|Update Privilege|This value is set by the system.
|Update Frequency|Each time the account policy changes.
|Attribute-Id|1.2.840.113556.1.4.8
|System-Id-Guid|bf967a68-0de6-11d0-a285-00aa003049e2
|Syntax|Enumeration

!Implementations
* Windows 2000 Server
* Windows Server 2003
* Windows Server 2003 R2
* Windows Server 2008

!!Remarks
This attribute value can be zero or a combination of one or more of the following values. You cannot set some of the values on a user or computer object because these values can be set or reset only by the directory service.

The flags are cumulative. To disable a user's account, set the UserAccountControl attribute to 0x0202 (0x002 + 0x0200). In decimal, this is 514 (2 + 512).

Since User-Account-Control-Attribute is a constructed attribute, it cannot be used in an LDAP search filter.

!! Not the Final Answer
There are 21 flags currently defined for use with the userAccountControl attribute. However, [Microsoft Active Directory] does not actually rely on all the values as displayed in the [User-Account-Control Attribute]! Specifically, the ones that are not accurately displayed in [Microsoft Active Directory] or cannot be modified from LDAP are:
* [LOCKOUT]
* [PASSWD_CANT_CHANGE]
* [ERROR_PASSWORD_EXPIRED]

Active Directory actually uses different mechanisms to control these account properties, so __DO NOT__ try to read them from userAccountControl if you require the values to be accurate.

There is also "User must change password at next logon", which is controlled by the [PwdLastSet] attribute.
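
The rule above, as an added example that is not part of the original page or Microsoft's code: decode a userAccountControl value, discard the three bits the page calls unreliable, and take lockout and expiry from ms-DS-User-Account-Control-Computed instead. The bit values are the ones Microsoft publishes for this attribute; the names UAC, decode and effective_state are hypothetical, and treating a pwdLastSet of 0 as "must change password" is an assumption not stated on this page.

```python
from enum import IntFlag

class UAC(IntFlag):
    # Bit values as published in Microsoft's userAccountControl documentation.
    SCRIPT = 0x1
    ACCOUNTDISABLE = 0x2
    HOMEDIR_REQUIRED = 0x8
    LOCKOUT = 0x10
    PASSWD_NOTREQD = 0x20
    PASSWD_CANT_CHANGE = 0x40
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x80
    TEMP_DUPLICATE_ACCOUNT = 0x100
    NORMAL_ACCOUNT = 0x200
    INTERDOMAIN_TRUST_ACCOUNT = 0x800
    WORKSTATION_TRUST_ACCOUNT = 0x1000
    SERVER_TRUST_ACCOUNT = 0x2000
    DONT_EXPIRE_PASSWORD = 0x10000
    MNS_LOGON_ACCOUNT = 0x20000
    SMARTCARD_REQUIRED = 0x40000
    TRUSTED_FOR_DELEGATION = 0x80000
    NOT_DELEGATED = 0x100000
    USE_DES_KEY_ONLY = 0x200000
    DONT_REQ_PREAUTH = 0x400000
    PASSWORD_EXPIRED = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000

# Bits the page says must not be trusted when read from userAccountControl.
UNRELIABLE = int(UAC.LOCKOUT | UAC.PASSWD_CANT_CHANGE | UAC.PASSWORD_EXPIRED)
# Of those, the two that ms-DS-User-Account-Control-Computed reports instead.
COMPUTED = int(UAC.LOCKOUT | UAC.PASSWORD_EXPIRED)

def decode(value):
    """Names of the known flags set in value, lowest bit first."""
    return [flag.name for flag in UAC if value & flag.value]

def effective_state(uac, computed, pwd_last_set):
    """Merge stored and computed attribute values (hypothetical helper)."""
    stored = uac & ~UNRELIABLE   # drop bits AD does not maintain here
    live = computed & COMPUTED   # take lockout/expiry from the computed value
    return {
        "flags": decode(stored | live),
        "disabled": bool(stored & UAC.ACCOUNTDISABLE),
        "locked_out": bool(live & UAC.LOCKOUT),
        "password_expired": bool(live & UAC.PASSWORD_EXPIRED),
        # Assumption not stated on the page: pwdLastSet of 0 forces a change.
        "must_change_password": pwd_last_set == 0,
        "ignored_stored_bits": decode(uac & UNRELIABLE),
    }
```
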

__Note:__ In a Windows Server 2003-based domain, LOCK_OUT and PASSWORD_EXPIRED have been replaced with a new attribute called ms-DS-User-Account-Control-Computed. For more information about this new attribute, visit the following Web site: [http://msdn2.microsoft.com/en-us/library/ms677840.aspx]

!! [Common Active Directory Bind Errors]
Some of the entries within the [{$pagename}] are seen from LDAP within [Common Active Directory Bind Errors].

! [User-Account-Control Attribute Values]
We summarize the [User-Account-Control Attribute Values] that we have been able to determine and identify their usage, showing the values used in [DirXML], which are [Pseudo Attribute]s that allow easy setting and reading of the [{$pagename}].

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
[#1] [Microsoft User-Account-Control Attribute|http://msdn.microsoft.com/en-us/library/ms680832%28v=VS.85%29.aspx|target='_blank']