Overview [1]#
User-Account-Control Attribute Flags that control the behavior of the Microsoft Active Directory user account.User-Account-Control Attribute has a dynamic computed Attribute MsDS-User-Account-Control-Computed but the attribute's value can contain additional bits that are not persisted.| CN | User-Account-Control |
| Ldap-Display-Name | userAccountControl |
| Size | 4 bytes. |
| Update Privilege | This value is set by the system. |
| Update Frequency | Each time the account policy changes. |
| Attribute-Id | 1.2.840.113556.1.4.8 |
| System-Id-Guid | bf967a68-0de6-11d0-a285-00aa003049e2 |
| Syntax | Enumeration |
Implementations#
- Windows 2000 Server
- Windows Server 2003
- Windows Server 2003 R2
- Windows Server 2008
Remarks#
This attribute value can be zero or a combination of one or more of the following values.You cannot set some of the values on a user or computer object because these values can be set or reset only by the directory service.
The flags are cumulative. To disable a user's account, set the UserAccountControl attribute to 0x0202 (0x002 + 0x0200). In decimal, this is 514 (2 + 512).
Since User-Account-Control-Attribute is a constructed attribute, it cannot be used in an LDAP search filter.
Not the Final Answer#
There are 21 flags are currently defined for use with the userAccountControl attribute However, Microsoft Active Directory does not actually rely on all the values as displayed in the User-Account-Control Attribute!Specifically, the ones that are not accurately displayed in Microsoft Active Directory or can not be modified from LDAP are:
Active Directory actually uses different mechanisms to control these account properties, so DO NOT try to read them from userAccountControl if you require the values to be accurate.There is also, "User must change password at next logon" that is controlled by the PwdLastSet attribute.
Note: In a Windows Server 2003-based domain, LOCK_OUT and PASSWORD_EXPIRED have been replaced with a new attribute called ms-DS-User-Account-Control-Computed. For more information about this new attribute, visit the following Web site:
http://msdn2.microsoft.com/en-us/library/ms677840.aspx
Common Active Directory Bind Errors #
Some of the entries within the User-Account-Control Attribute are seen from LDAP within Common Active Directory Bind Errors.User-Account-Control Attribute Values#
We summarize the User-Account-Control Attribute Values that we have been able to determine and identify their usage showing the values used in DirXML which are Pseudo Attribute that allow easy setting and reading of the User-Account-Control Attribute.More Information#
There might be more information for this subject on one of the following:- AD Determining Password Expiration
- Active Directory Locked Accounts
- Administratively Disabled
- Common Active Directory Bind Errors
- DONT_EXPIRE_PASSWORD
- DirXML
- ERROR_ACCOUNT_EXPIRED
- HOMEDIR_REQUIRED
- Intruder Detection
- LOCKOUT
- MMC Account Tab
- Microsoft Active Directory
- Microsoft Active Directory Driver
- MsDS-UserPasswordExpiryTimeComputed
- Pwd-Last-Set attribute
- SCRIPT
- User Access Control
- User-Account-Control Attribute
- User-Account-Control Attribute Values
- UserAccountControl
[#1] Microsoft User-Account-Control Attribute