<meta charset="UTF-8">
<meta name="robots" content="noindex,nofollow" />
<link rel="shortcut icon" type="image/x-icon" href="/wiki/images/favicon.ico" />
<link rel="icon" type="image/x-icon" href="/wiki/images/favicon.ico" />

<pre>
!!! Overview 

The &quot;dirxml-&quot; values are used in [DirXML] and are [Pseudo Attributes] that allow easy setting and reading of the [Microsoft Active Directory Driver] for the [User-Account-Control Attribute] values. 

Many of the values shown below are exposed on the [MMC Account Tab] for [Microsoft Active Directory] Some values are only visible or only &quot;current&quot; by reading viewing the [AttributeType] [msDS-User-Account-Control-Computed]

This attribute value can be zero or a combination of one or more of the following values.
%%zebra-table 
%%sortable 
%%table-filter 
||Hexadecimal||Decimal||Identifier||DirXML||PERMS||Description 
|0x00000001|1|[SCRIPT]|[dirxml-uACScript]|RW|The logon script is executed. 
|0x00000002|2|[ACCOUNTDISABLE]|[dirxml-uACAccountDisable] (TRUE/FALSE)|RW|The user account is disabled. 
|0x00000008|8|[HOMEDIR_REQUIRED]|[dirxml-uACHomedirRequired]|RW|The home directory is required. 
|0x00000010|16|[LOCKOUT]|[dirxml-uACLockout]|RW|The account is currently locked from [Intruder Detection]. This value can be cleared to unlock a previously locked account.\\ __This value cannot be used to lock a previously un-locked account.__ 
|0x00000020|32|[PASSWD_NOTREQD]|[dirxml-uACPasswordNotRequired]|RW|No password is required. 
|0x00000040|64|[PASSWD_CANT_CHANGE]|[dirxml-uACPasswordCantChange]|RO|The user cannot change the password. Note: You cannot assign the permission settings of PASSWD_CANT_CHANGE by directly modifying the UserAccountControl attribute. For more information and a code example that shows how to prevent a user from changing the password, see [User Cannot Change Password.|http://msdn.microsoft.com/en-us/library/aa746508(v=VS.85).aspx|target='_blank'] 
|0x00000080|128|[ENCRYPTED_TEXT_PASSWORD_ALLOWED]|[dirxml-uACEncryptedTextPasswordAllowed]|RW|The user can send an encrypted password. 
|0x00000100|256|[TEMP_DUPLICATE_ACCOUNT]|N/A|??|This is an account for users whose primary account is in another [AD DOMAIN]. This account provides user access to this [AD DOMAIN], but not to any [AD DOMAIN] that trusts this [AD DOMAIN]. Also known as a local user account.
|0x00000200|512|[NORMAL_ACCOUNT]|[dirxml-uACNormalAccount]|RO|This is a default account type that represents a typical user. 
|0x00000800|2048|[INTERDOMAIN_TRUST_ACCOUNT]|[dirxml-uACInterdomainTrustAccount]|RO|This is a permit to trust account for a system [AD DOMAIN] that trusts other [AD DOMAIN]. 
|0x00001000|4096|[WORKSTATION_TRUST_ACCOUNT]|[dirxml-uACWorkstationTrustAccount]|RO|This is a computer account for a computer that is a member of this [AD DOMAIN]. 
|0x00002000|8192|[SERVER_TRUST_ACCOUNT]|[dirxml-uACServerTrustAccount]|RO|This is a computer account for a system backup [Domain Controller] that is a member of this [AD DOMAIN]. 
|0x00004000| |N/A|N/A|N/A|N/A 
|0x00008000| |N/A|N/A|N/A|N/A 
|0x00010000|65536|[DONT_EXPIRE_PASSWORD]|[dirxml-uACDontExpirePassword]|RW|The [password] for this account will never expire. 
|0x00020000|131072|[MNS_LOGON_ACCOUNT]|N/A|??|This is an MNS logon account. 
|0x00040000|262144|[SMARTCARD_REQUIRED]|N/A|??|The user must log on using a [Smart Card]. 
|0x00080000|524288|[TRUSTED_FOR_DELEGATION]|N/A|??|The service account (user or computer account), under which a service runs, is trusted for [Kerberos] [delegation]. Any such service can impersonate a client requesting the service. 
|0x00100000|1048576|[NOT_DELEGATED]|N/A|??|The security context of the user will __NOT__ be delegated to a service even if the service account is set as trusted for [Kerberos] [delegation]. 
|0x00200000|2097152|[USE_DES_KEY_ONLY]|N/A|??|Restrict this [UserPrincipalName] to use only [Data Encryption Standard|DES] ([DES]) encryption types for keys. 
|0x00400000|4194304|[DONT_REQUIRE_PREAUTH]|N/A|??|This account does not require [Kerberos Pre-Authentication] for logon. 
|0x00800000|8388608|[ERROR_PASSWORD_EXPIRED]|N/A|RO|The user [password has expired|Password Expiration]. This flag is created by the system using data from the [Pwd-Last-Set attribute] and the [AD DOMAIN] policy. 
|0x01000000|16777216|[TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION]|N/A|??|The account is enabled for [delegation]. This is a __security-sensitive setting__; accounts with this option enabled [SHOULD] be strictly controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to other remote servers on the network. 
|0×04000000|67108864|[PARTIAL_SECRETS_ACCOUNT]|N/A|??|(Windows Server 2008/Windows Server 2008 R2) The account is a [Read-Only Domain Controller] ([RODC]). This is a __security-sensitive setting__. Removing this setting from an [RODC] compromises security on that server. 
|0x80000000|2147483648|[USER_USE_AES_KEYS]|N/A|??|Restrict this [UserPrincipalName] to use only [Advanced Encryption Standard] ([AES]) [encryption] types for [keys]. This [bit] is ignored by [Windows Client] and [Windows Servers].
/% 
/% 
/% 

!! More Information 
There might be more information for this subject on one of the following: 
[{ReferringPagesPlugin before='*' after='\n' }] 
----
* [#1] - [User-Account-Control attribute|https://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx|target='_blank'] - based on information obtained 2014-09-20
</pre>