SelfADSI : Attributes for AD Users - userAccountControl (2024)

The Active Directory attribute userAccountControl contains a range of flags which define some important basic properties of a user object. These flags can also be used to request or change the status of an account.

userAccountControl


LDAP name: userAccountControl
Data type: Integer (DWORD - 4 Bytes)
Multivalue (Array): No
System Flags: 0x12
Search Flags: 0x19
In Global Catalog?: Yes
Attribute ID: 1.2.840.113556.1.4.8
AD DB attribute name: User-Account-Control
ADSI datatype: 7 - Integer
LDAP syntax: 1.3.6.1.4.1.1466.115.121.1.27 - Integer
Used in ...: > W2K
Schema Info: Microsoft - MSDN

In addition to the bare attribute specification in the schema documentation, there are two important documents which explain the meaning of the individual userAccountControl flags:

MSDN: Open Specifications - [MS-ADTS] - 2.2.15 - userAccountControl Bits

MSDN: Open Specifications - [MS-SAMR] - 3.1.1.8.10 - userAccountControl

Here are the individual flags; annotations on each of them follow further down:

Flag value (binary)  (decimal)  Flag name
0000000000000000000000000000000x 1 Reserved, the value must always be 0
00000000000000000000000000000010 2 UF_ACCOUNT_DISABLE
00000000000000000000000000000x00 4 Reserved, the value must always be 0
00000000000000000000000000001000 8 UF_HOMEDIR_REQUIRED
00000000000000000000000000010000 16 UF_LOCKOUT
00000000000000000000000000100000 32 UF_PASSWD_NOTREQD
00000000000000000000000001000000 64 UF_PASSWD_CANT_CHANGE
00000000000000000000000010000000 128 UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED
00000000000000000000000x00000000 256 Reserved, the value must always be 0
00000000000000000000001000000000 512 UF_NORMAL_ACCOUNT
000000000000000000000x0000000000 1024 Reserved, the value must always be 0
00000000000000000000100000000000 2048 UF_INTERDOMAIN_TRUST_ACCOUNT
00000000000000000001000000000000 4096 UF_WORKSTATION_TRUST_ACCOUNT
00000000000000000010000000000000 8192 UF_SERVER_TRUST_ACCOUNT
00000000000000000x00000000000000 16384 Reserved, the value must always be 0
0000000000000000x000000000000000 32768 Reserved, the value must always be 0
00000000000000010000000000000000 65536 UF_DONT_EXPIRE_PASSWD
00000000000000100000000000000000 131072 UF_MNS_LOGON_ACCOUNT
00000000000001000000000000000000 262144 UF_SMARTCARD_REQUIRED
00000000000010000000000000000000 524288 UF_TRUSTED_FOR_DELEGATION
00000000000100000000000000000000 1048576 UF_NOT_DELEGATED
00000000001000000000000000000000 2097152 UF_USE_DES_KEY_ONLY
00000000010000000000000000000000 4194304 UF_DONT_REQUIRE_PREAUTH
00000000100000000000000000000000 8388608 UF_PASSWORD_EXPIRED
00000001000000000000000000000000 16777216 UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
00000010000000000000000000000000 33554432 UF_NO_AUTH_DATA_REQUIRED
00000100000000000000000000000000 67108864 UF_PARTIAL_SECRETS_ACCOUNT
0000x000000000000000000000000000 134217728 Reserved, the value must always be 0
000x0000000000000000000000000000 268435456 Reserved, the value must always be 0
00x00000000000000000000000000000 536870912 Reserved, the value must always be 0
0x000000000000000000000000000000 1073741824 Reserved, the value must always be 0
x0000000000000000000000000000000 2147483648 Reserved, the value must always be 0

If several flags are set for a certain account, you simply add the decimal values of these flags to get the resulting value of the userAccountControl attribute. Some examples:

Normal User Account
00000000000000000000001000000000 512 UF_NORMAL_ACCOUNT
Total 512


Disabled User
00000000000000000000000000000010 2 UF_ACCOUNT_DISABLE
00000000000000000000001000000000 512 UF_NORMAL_ACCOUNT
Total 514


User whose password never expires
00000000000000000000001000000000 512 UF_NORMAL_ACCOUNT
00000000000000010000000000000000 65536 UF_DONT_EXPIRE_PASSWD
Total 66048

To set or clear bits in the userAccountControl attribute, this is what you could do:

Const ADS_UF_ACCOUNT_DISABLE = 2
Const ADS_UF_HOMEDIR_REQUIRED = 8
Const ADS_UF_LOCKOUT = 16
Const ADS_UF_PASSWD_NOTREQD = 32
Const ADS_UF_PASSWD_CANT_CHANGE = 64
Const ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 128
Const ADS_UF_NORMAL_ACCOUNT = 512
Const ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = 2048
Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = 4096
Const ADS_UF_SERVER_TRUST_ACCOUNT = 8192
Const ADS_UF_DONT_EXPIRE_PASSWD = 65536
Const ADS_UF_MNS_LOGON_ACCOUNT = 131072
Const ADS_UF_SMARTCARD_REQUIRED = 262144
Const ADS_UF_TRUSTED_FOR_DELEGATION = 524288
Const ADS_UF_NOT_DELEGATED = 1048576
Const ADS_UF_USE_DES_KEY_ONLY = 2097152
Const ADS_UF_DONT_REQUIRE_PREAUTH = 4194304
Const ADS_UF_PASSWORD_EXPIRED = 8388608
Const ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 16777216
Const ADS_UF_NO_AUTH_DATA_REQUIRED = 33554432
Const ADS_UF_PARTIAL_SECRETS_ACCOUNT = 67108864

Set obj = GetObject("LDAP://cn=philipp,ou=user,dc=cerrotorre,dc=de")

'The user is disabled (set flag bit):
obj.userAccountControl = obj.userAccountControl Or ADS_UF_ACCOUNT_DISABLE
obj.SetInfo

'The user is enabled (remove flag bit):
'"And Not" clears the bit no matter whether it was set before; "Xor" would only
'toggle it and would disable an account that is already enabled.
obj.userAccountControl = obj.userAccountControl And (Not ADS_UF_ACCOUNT_DISABLE)
obj.SetInfo
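The same flag arithmetic in Python, as an added example that is not part of the SelfADSI page: it decodes a userAccountControl value into flag names, composes a value from flag names, and shows why OR / AND NOT are the right operations for setting and clearing a bit while XOR merely toggles it. The flag names and values are the documented UF_* bits from the table above; the account values used at the bottom are constructed.

```python
# Added example, not code from the SelfADSI page: decoding, composing and
# editing a userAccountControl value in Python. The flag names and values
# are the documented UF_* bits; the account values used below are constructed.

UF_FLAGS = {
    "UF_ACCOUNT_DISABLE": 2,
    "UF_HOMEDIR_REQUIRED": 8,
    "UF_LOCKOUT": 16,
    "UF_PASSWD_NOTREQD": 32,
    "UF_PASSWD_CANT_CHANGE": 64,
    "UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED": 128,
    "UF_NORMAL_ACCOUNT": 512,
    "UF_INTERDOMAIN_TRUST_ACCOUNT": 2048,
    "UF_WORKSTATION_TRUST_ACCOUNT": 4096,
    "UF_SERVER_TRUST_ACCOUNT": 8192,
    "UF_DONT_EXPIRE_PASSWD": 65536,
    "UF_MNS_LOGON_ACCOUNT": 131072,
    "UF_SMARTCARD_REQUIRED": 262144,
    "UF_TRUSTED_FOR_DELEGATION": 524288,
    "UF_NOT_DELEGATED": 1048576,
    "UF_USE_DES_KEY_ONLY": 2097152,
    "UF_DONT_REQUIRE_PREAUTH": 4194304,
    "UF_PASSWORD_EXPIRED": 8388608,
    "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION": 16777216,
    "UF_NO_AUTH_DATA_REQUIRED": 33554432,
    "UF_PARTIAL_SECRETS_ACCOUNT": 67108864,
}

# Every bit position that carries a documented flag; all other positions
# are reserved and must be 0.
KNOWN_MASK = 0
for _bit in UF_FLAGS.values():
    KNOWN_MASK |= _bit


def decode(uac):
    """Names of all flags set in uac, lowest bit first."""
    return [name for name, bit in sorted(UF_FLAGS.items(), key=lambda kv: kv[1])
            if uac & bit]


def reserved_bits(uac):
    """Bits set in a reserved position (0 for a healthy object)."""
    return uac & ~KNOWN_MASK


def compose(*names):
    """Inverse of decode(): OR together (i.e. add) the values of the named flags."""
    value = 0
    for name in names:
        value |= UF_FLAGS[name]
    return value


def set_flag(uac, name):
    """Set a flag; OR is idempotent, so a flag that is already set stays set."""
    return uac | UF_FLAGS[name]


def clear_flag(uac, name):
    """Clear a flag; AND NOT is idempotent, so an absent flag stays absent."""
    return uac & ~UF_FLAGS[name]


def toggle_flag(uac, name):
    """XOR flips the bit: it clears a set flag but SETS an absent one, which is
    why XOR is the wrong operation for 'enable this account'."""
    return uac ^ UF_FLAGS[name]


if __name__ == "__main__":
    # Constructed values taken from the worked examples above.
    for value in (512, 514, 66048):
        print(value, decode(value))
    enabled = 512
    print(clear_flag(enabled, "UF_ACCOUNT_DISABLE"))   # 512: still enabled
    print(toggle_flag(enabled, "UF_ACCOUNT_DISABLE"))  # 514: XOR disabled it
```

reserved_bits() is the check to run on values read from the directory: any non-zero result means a bit sits in a position the specification says must always be 0.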

If you are searching for users with specific userAccountControl properties (in an LDAP search operation), you need special LDAP filters, the bitwise matching rules, to limit the search to the accounts which have certain bits in this value set or not set:

Const ADS_UF_ACCOUNT_DISABLE = 2
Const ADS_UF_PASSWD_NOTREQD = 32
Const ADS_UF_DONT_EXPIRE_PASSWD = 65536

'Matching rule 1.2.840.113556.1.4.803 matches when ALL bits of the mask are set,
'matching rule 1.2.840.113556.1.4.804 matches when ANY bit of the mask is set.

'All accounts which are disabled:
' => ADS_UF_ACCOUNT_DISABLE = 2
' => ldapFilter = "(userAccountControl:1.2.840.113556.1.4.803:=2)"

'All accounts which are NOT disabled:
' => ADS_UF_ACCOUNT_DISABLE = 2
' => ldapFilter = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"

'All accounts which do not need a password OR whose passwords never expire:
' => ADS_UF_PASSWD_NOTREQD Or ADS_UF_DONT_EXPIRE_PASSWD = 32 + 65536 = 65568
' => ldapFilter = "(userAccountControl:1.2.840.113556.1.4.804:=65568)"

'All accounts which do not need a password AND which are disabled:
' => ADS_UF_PASSWD_NOTREQD Or ADS_UF_ACCOUNT_DISABLE = 32 + 2 = 34
' => ldapFilter = "(userAccountControl:1.2.840.113556.1.4.803:=34)"
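To see the difference between the two matching rules without a domain controller, here is an added Python example (not code from the SelfADSI page) that builds the filter strings above and evaluates them against a constructed set of accounts. The matching rule OIDs and flag values are those from this page; the DNs and the account values are made up.

```python
# Added example, not code from the SelfADSI page: building the bitwise
# LDAP filters shown above and evaluating them locally against a
# constructed set of accounts, so the AND (803) vs OR (804) semantics
# can be checked offline.
import re

BIT_AND = "1.2.840.113556.1.4.803"  # match if ALL bits of the mask are set
BIT_OR = "1.2.840.113556.1.4.804"   # match if ANY bit of the mask is set

UF_ACCOUNT_DISABLE = 2
UF_PASSWD_NOTREQD = 32
UF_NORMAL_ACCOUNT = 512
UF_DONT_EXPIRE_PASSWD = 65536


def uac_filter(mask, match_all=True, negate=False):
    """Return an LDAP filter string for a userAccountControl bit test."""
    rule = BIT_AND if match_all else BIT_OR
    clause = f"(userAccountControl:{rule}:={mask})"
    return f"(!{clause})" if negate else clause


def _matches(value, rule, mask):
    if rule == BIT_AND:
        return (value & mask) == mask
    return (value & mask) != 0


_CLAUSE = re.compile(r"^\(userAccountControl:(1\.2\.840\.113556\.1\.4\.80[34]):=(\d+)\)$")


def evaluate(ldap_filter, directory):
    """Apply a filter produced by uac_filter() to a {dn: userAccountControl} map.

    Only the single-clause (optionally negated) form is understood; anything
    else raises ValueError rather than silently matching nothing."""
    negate = ldap_filter.startswith("(!") and ldap_filter.endswith(")")
    clause = ldap_filter[2:-1] if negate else ldap_filter
    m = _CLAUSE.match(clause)
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    rule, mask = m.group(1), int(m.group(2))
    return sorted(dn for dn, uac in directory.items()
                  if _matches(uac, rule, mask) != negate)


# Constructed sample directory (DN -> userAccountControl), not real data.
SAMPLE = {
    "cn=philipp,ou=user,dc=example,dc=test": UF_NORMAL_ACCOUNT,                       # 512
    "cn=sandra,ou=user,dc=example,dc=test": UF_NORMAL_ACCOUNT | UF_ACCOUNT_DISABLE,   # 514
    "cn=erik,ou=user,dc=example,dc=test": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,  # 66048
    "cn=maria,ou=user,dc=example,dc=test": UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD,     # 544
    "cn=svc-old,ou=user,dc=example,dc=test": (UF_NORMAL_ACCOUNT | UF_ACCOUNT_DISABLE
                                               | UF_PASSWD_NOTREQD | UF_DONT_EXPIRE_PASSWD),  # 66082
}

if __name__ == "__main__":
    for f in (uac_filter(2), uac_filter(2, negate=True),
              uac_filter(65568, match_all=False), uac_filter(65568), uac_filter(34)):
        print(f, "->", evaluate(f, SAMPLE))
```

The evaluator deliberately rejects any other filter shape; a search tool that silently returns an empty result for a mistyped OID is the kind of thing that makes an audit look clean when it is not.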

UF_ACCOUNT_DISABLE ( 2 )

If this userAccountControl bit is set, the respective user account is disabled and can no longer authenticate to the domain. Please do not confuse this with the intruder lockout mechanism, which locks out a user who enters a wrong password too often within too short a time.

If you want to enable a disabled user by removing the UF_ACCOUNT_DISABLE flag, this will only succeed if its password complies with the current password policies. If blank passwords are prohibited in your environment and the disabled user has no password (for example because it was just created), it cannot be activated: there will be a runtime error (-2147016651: LDAP_UNWILLING_TO_PERFORM). If a user can be activated in such a case despite an empty password, then perhaps the userAccountControl flag UF_DONT_EXPIRE_PASSWD is set ...

UF_HOMEDIR_REQUIRED ( 8 )

If this userAccountControl bit is set, the directory property 'home drive' must be set for the respective account, i.e. the LDAP attribute homeDirectory must exist. That's the theory. In practice, this bit may be set without the system returning an error, even when there is no home drive configured for the respective user.

UF_LOCKOUT ( 16 )


Caution: This bit does not work as expected!

This userAccountControl bit is supposed to indicate that the user is locked by the intruder lockout mechanism (the lock can only be triggered by the system itself). But this is just a leftover from Windows NT times. For Active Directory users, this bit is NEVER set for locked accounts. If you want to know whether an account is locked, you should use the attribute lockoutTime:

'Unlocking a user account:
Set user = GetObject("LDAP://cn=sandra,ou=user,dc=cerrotorre,dc=de")
user.lockoutTime = 0
user.SetInfo

You can search for locked accounts with this LDAP filter:

'All accounts which are locked:
'(lockoutTime is 0 or absent on an unlocked account, so the comparison has to
' start at 1; "lockoutTime>=0" would also return accounts that were unlocked again)
' => ldapFilter = "(&(objectClass=user)(lockoutTime>=1))"

If you are already connected to a user object via LDAP, you can also examine the attribute msDS-User-Account-Control-Computed. In contrast to userAccountControl, its UF_LOCKOUT bit shows whether an account is actually locked. However, it is a constructed attribute, so it cannot be used as a filter criterion in LDAP search operations.

UF_PASSWD_NOTREQD ( 32 )

If this userAccountControl bit is set, the user is not subject to any existing policy regarding the length of the password. So the account can have a shorter password than required, or even no password at all, even if empty passwords are not allowed. This property is not visible in the normal GUI tools (Active Directory Users and Computers)!

UF_PASSWD_CANT_CHANGE ( 64 )


Caution: This bit does not work as expected!

This flag is supposed to indicate that the password for that account cannot be changed by the account itself. Yet nothing happens if you set the bit: there is no runtime error, but the value of the bit simply remains unchanged. If you really want to make sure that the password cannot be modified, you have to deny the extended right 'Change Password' for the account itself and every other user.

In the access control list, this deny entry is set for the 'SELF' trustee as well. If you want to change the permissions with a batch script, you can achieve this with the following DSACLS commands:

REM Prevent password change
DSACLS "cn=PhilippFoeckeler,dc=selfadsi,dc=org" /D Everyone:CA;"Change Password"

REM Allow password change
DSACLS "cn=PhilippFoeckeler,dc=selfadsi,dc=org" /G Everyone:CA;"Change Password"
DSACLS "cn=PhilippFoeckeler,dc=selfadsi,dc=org" /G SELF:CA;"Change Password"

By the way: a password change is not the same as a password reset. An administrator can of course still perform a password reset in that case.

UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED ( 128 )

If this bit is set, the password for this user is stored encrypted in the directory, but in a reversible form. As the term reversible already implies, with this setting the password of the user can be read by anyone with the appropriate permissions (=> security gap!!).

You need the UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED flag when an application needs to know the passwords of the users to authenticate them. This is for example the case when you want/have to use RAS (Remote Access) with the old CHAP Authentication, or if you want to use IIS Digest Authentication embedded in an Active Directory environment.

Normally, passwords are stored as irreversible hash values in the AD database. So you should NEVER use this option unless it is absolutely necessary.

UF_NORMAL_ACCOUNT ( 512 )


This bit indicates that this is a normal user account. Distinguishing this type of account from other types is necessary because not only user objects have a userAccountControl attribute, but also computer objects and other objects representing domain controllers or trust relationships.


UF_INTERDOMAIN_TRUST_ACCOUNT ( 2048 )

This userAccountControl bit indicates that this is an account which represents a trust connection to an external domain. Normally, the name of the account is the NetBIOS name of the domain with a '$' at the end. This flag should never be set for a user account.

UF_WORKSTATION_TRUST_ACCOUNT ( 4096 )


This user account control bit indicates that this is a machine account of an ordinary computer or member server in the domain. This flag should never be set for a user account.

UF_SERVER_TRUST_ACCOUNT ( 8192 )


This bit indicates that this is a domain controller account. This flag should never be set for a user account.

UF_DONT_EXPIRE_PASSWD ( 65536 )

If this userAccountControl bit is set, the user is not subject to an existing policy enforcing a password change interval: the password of this account never expires.

UF_MNS_LOGON_ACCOUNT ( 131072 )

This bit indicates that this is a Majority Node Set (MNS) account. Such accounts are required for the operation of cluster nodes on Windows Server 2003 (and newer) in which the quorum data is not stored on a shared disk. This flag should never be set for a user account.

UF_SMARTCARD_REQUIRED ( 262144 )


This bit shows that only smartcard authentication is allowed for interactive logon of the respective account to the domain. Other authentication mechanisms are not allowed. If this flag is set, the password of this account never expires (the user does not use the domain password when logging on with the smartcard ...).

UF_TRUSTED_FOR_DELEGATION ( 524288 )


This userAccountControl bit indicates that this is an account that can be used for Windows services in such a way that the service temporarily takes on the identity of a user who is using the service. This is for example the case when the Server service has the same rights on the local disk as the user who is currently accessing a shared network drive. This process is also called impersonation.

UF_NOT_DELEGATED ( 1048576 )


This bit indicates that this is an account whose identity a service may NOT impersonate (roughly the reverse of the UF_TRUSTED_FOR_DELEGATION bit).


UF_USE_DES_KEY_ONLY ( 2097152 )

This bit indicates that in the Kerberos authentication of the account ONLY the DES (Data Encryption Standard) algorithm may be used for the generation of tickets. This should only be set for accounts which do not use a Windows machine to log on to the domain (Windows always has at least DES and RC4 available).

Actually, this should not play a big role anymore, because DES is no longer considered a strong algorithm. Since Vista and Windows Server 2008, the much more modern AES (Advanced Encryption Standard) algorithm is available for Kerberos authentication to a domain controller. To signal which algorithms are supported for authentication of a specific account, there is now the attribute msDS-SupportedEncryptionTypes. It is used to negotiate the encryption algorithms between client and domain controller.

UF_DONT_REQUIRE_PREAUTH ( 4194304 )


This bit indicates that no so-called pre-authentication is necessary for Kerberos authentication of the account. This is only important for older Kerberos clients which need to log on to the domain from foreign systems and which do not support Kerberos pre-authentication. For accounts that log on from a Windows machine, and for machine accounts of Windows domain members, this flag should NEVER be set, because pre-authentication prevents certain types of dictionary attacks on the Kerberos logon.
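Several of the annotations on this page end with a rule of the form "this flag should never be set for a user account" or "you should NEVER use this option unless it is absolutely necessary". The following added Python example (not code from the SelfADSI page) turns those rules into a small audit over a list of directory objects. The flag values are the documented UF_* bits; the object records, the simplified objectCategory labels ('person' / 'computer') and the account names are constructed. The exemption for domain controllers, which are trusted for delegation by design, is an assumption added here.

```python
# Added example, not code from the SelfADSI page: a small audit that applies
# the warnings on this page to a constructed list of directory objects.
# Flag values are the documented UF_* bits; the account records are made up.

UF_PASSWD_NOTREQD = 32
UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 128
UF_NORMAL_ACCOUNT = 512
UF_INTERDOMAIN_TRUST_ACCOUNT = 2048
UF_WORKSTATION_TRUST_ACCOUNT = 4096
UF_SERVER_TRUST_ACCOUNT = 8192
UF_MNS_LOGON_ACCOUNT = 131072
UF_TRUSTED_FOR_DELEGATION = 524288
UF_USE_DES_KEY_ONLY = 2097152
UF_DONT_REQUIRE_PREAUTH = 4194304
UF_PARTIAL_SECRETS_ACCOUNT = 67108864

# Flags the page warns about on any account, with the reason to review them.
RISKY_FLAGS = [
    (UF_PASSWD_NOTREQD, "UF_PASSWD_NOTREQD", "password length policy not enforced"),
    (UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED, "UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
     "password stored reversibly"),
    (UF_USE_DES_KEY_ONLY, "UF_USE_DES_KEY_ONLY", "Kerberos limited to DES"),
    (UF_DONT_REQUIRE_PREAUTH, "UF_DONT_REQUIRE_PREAUTH",
     "Kerberos pre-authentication disabled"),
    (UF_TRUSTED_FOR_DELEGATION, "UF_TRUSTED_FOR_DELEGATION",
     "service may impersonate users"),
]

# Flags that belong to machine or trust objects and must never appear on a user.
MACHINE_ONLY_FLAGS = [
    (UF_INTERDOMAIN_TRUST_ACCOUNT, "UF_INTERDOMAIN_TRUST_ACCOUNT"),
    (UF_WORKSTATION_TRUST_ACCOUNT, "UF_WORKSTATION_TRUST_ACCOUNT"),
    (UF_SERVER_TRUST_ACCOUNT, "UF_SERVER_TRUST_ACCOUNT"),
    (UF_MNS_LOGON_ACCOUNT, "UF_MNS_LOGON_ACCOUNT"),
    (UF_PARTIAL_SECRETS_ACCOUNT, "UF_PARTIAL_SECRETS_ACCOUNT"),
]


def audit(objects):
    """Return (sAMAccountName, flag name, reason) for every finding.

    Each object is a dict with sAMAccountName, objectCategory ('person' for
    users, 'computer' for machines; real AD stores the category as a DN) and
    userAccountControl (int, or the decimal string an LDAP client returns)."""
    findings = []
    for obj in objects:
        uac = int(obj["userAccountControl"])
        sam = obj["sAMAccountName"]
        is_dc = bool(uac & UF_SERVER_TRUST_ACCOUNT)
        for bit, name, reason in RISKY_FLAGS:
            # Assumption: domain controllers are trusted for delegation by
            # design, so only report that bit on everything else.
            if bit == UF_TRUSTED_FOR_DELEGATION and is_dc:
                continue
            if uac & bit:
                findings.append((sam, name, reason))
        if obj["objectCategory"] == "person":
            for bit, name in MACHINE_ONLY_FLAGS:
                if uac & bit:
                    findings.append((sam, name, "machine/trust flag on a user account"))
    return findings


# Constructed sample objects, not real directory data.
SAMPLE_OBJECTS = [
    {"sAMAccountName": "alice", "objectCategory": "person",
     "userAccountControl": "512"},
    {"sAMAccountName": "bob", "objectCategory": "person",
     "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH)},
    {"sAMAccountName": "svc-legacy", "objectCategory": "person",
     "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD | UF_USE_DES_KEY_ONLY)},
    {"sAMAccountName": "odd-user", "objectCategory": "person",
     "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT)},
    {"sAMAccountName": "DC01$", "objectCategory": "computer",
     "userAccountControl": str(UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION)},
    {"sAMAccountName": "WS01$", "objectCategory": "computer",
     "userAccountControl": str(UF_WORKSTATION_TRUST_ACCOUNT)},
]

if __name__ == "__main__":
    for sam, flag, reason in audit(SAMPLE_OBJECTS):
        print(f"{sam}: {flag} ({reason})")
```

Feeding it real data means exporting sAMAccountName, objectCategory and userAccountControl from an LDAP search and mapping the objectCategory DN onto the two labels; the findings list is then what you would review, not something to act on automatically.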

UF_PASSWORD_EXPIRED ( 8388608 )


Caution: This bit does not work as expected!

Normally, this user account control bit is supposed to indicate that the user's password is expired. However, it is not set by the system when the password actually expires, nor can you force the user to change his password at the next logon by setting this bit.

If you really want to know whether the password of an account has expired, you can examine the attribute msDS-User-Account-Control-Computed. In contrast to userAccountControl, its UF_PASSWORD_EXPIRED bit is a good indicator for password expiration. However, this is a constructed attribute, so it cannot be used as a filter criterion in LDAP search operations.

If you want to force expiration of a password, just set user attribute pwdLastSet to -1.

It gets even more complicated if you want to know exactly when a password will expire. This must be calculated from the maxPwdAge attribute of the domain and the pwdLastSet attribute of the account. These are Microsoft Integer8 values which require quite some effort to handle. Windows Server 2008 added a new LDAP attribute which saves you the calculation: msDS-UserPasswordExpiryTimeComputed. This is also a constructed attribute, so it cannot be used in LDAP searches or in an LDAP filter. Take care when calculating the expiration time in AD environments with Windows Server 2008 and newer: so-called Fine Grained Password Policies could be active.
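The Integer8 handling mentioned above, and the lockoutTime check from the UF_LOCKOUT section, as an added Python example that is not code from the SelfADSI page: it converts FILETIME values (100-nanosecond intervals since 1601-01-01 UTC) in both directions, decides whether a lockout is still in effect from lockoutTime and the domain's lockoutDuration, and computes the expiry time from pwdLastSet and maxPwdAge. The UF_DONT_EXPIRE_PASSWD value is the documented one; the sample timestamps and the 30-minute / 42-day domain settings are constructed.

```python
# Added example, not code from the SelfADSI page: converting the Integer8
# (FILETIME) values lockoutTime, lockoutDuration, pwdLastSet and maxPwdAge
# and deriving "is locked" and "password expires at" from them. Sample
# timestamps and domain settings are constructed.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Interval sentinel (0x8000000000000000 as a signed 64-bit value):
# maxPwdAge "never" / lockoutDuration "until an administrator unlocks".
NEVER = -(1 << 63)
UF_DONT_EXPIRE_PASSWD = 65536


def utc(*args):
    """Shorthand for an aware UTC datetime, e.g. utc(2024, 6, 1, 12, 0)."""
    return datetime(*args, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """100-ns intervals since 1601-01-01 UTC -> aware datetime (1-us resolution)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Aware datetime -> FILETIME, in integer arithmetic to avoid float rounding."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def interval_to_timedelta(i8):
    """Domain intervals (maxPwdAge, lockoutDuration) are stored as negative 100-ns counts."""
    return timedelta(microseconds=abs(i8) // 10)


def is_locked_out(lockout_time, lockout_duration, now):
    """True if the account is locked at 'now'.

    lockoutTime == 0 (or absent) means not locked. A non-zero lockoutTime
    older than lockoutDuration is a lock that has already expired, which is
    why a plain (lockoutTime>=1) search can over-report."""
    if lockout_time == 0:
        return False
    if lockout_duration == NEVER:
        return True
    return now < filetime_to_datetime(lockout_time) + interval_to_timedelta(lockout_duration)


def password_expiry(pwd_last_set, max_pwd_age, uac):
    """Return ("never", None), ("must_change", None) or ("expires", datetime)."""
    if uac & UF_DONT_EXPIRE_PASSWD:
        return ("never", None)
    if pwd_last_set == 0:
        # A pwdLastSet of 0 marks "user must change password at next logon".
        return ("must_change", None)
    if max_pwd_age in (NEVER, 0):
        # Either sentinel is treated as "no maximum age" here.
        return ("never", None)
    return ("expires", filetime_to_datetime(pwd_last_set) + interval_to_timedelta(max_pwd_age))


if __name__ == "__main__":
    # Constructed sample: 30-minute lockout window, 42-day maximum password age.
    now = utc(2024, 6, 1, 12, 0)
    lockout_duration = -30 * 60 * 10_000_000
    max_pwd_age = -42 * 86400 * 10_000_000
    print(is_locked_out(datetime_to_filetime(utc(2024, 6, 1, 11, 50)), lockout_duration, now))
    print(password_expiry(datetime_to_filetime(utc(2024, 5, 1)), max_pwd_age, 512))
```

password_expiry() uses the domain-wide maxPwdAge; where Fine Grained Password Policies apply, the effective maximum age comes from the policy object that msDS-ResultantPSO points to for that user, so read that first and pass its maxPwdAge instead.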

UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION ( 16777216 )


This bit indicates that the respective user can request a Kerberos ticket on behalf of another user. This is necessary in rare cases for service accounts which require so-called S4U2self (Service for User to Self) tickets from the domain controller. This includes spoofing an identity and goes far beyond the normal impersonation that is sometimes important for running services. For this reason you should set this flag only if it is really necessary.

UF_NO_AUTH_DATA_REQUIRED ( 33554432 )


This bit indicates that the respective account can request a ticket in the Kerberos ticketing process without the so-called Privilege Attribute Certificate (PAC) data being included. The PAC data structure is a Microsoft-specific Kerberos extension and contains information about the security ID of the user and the groups of which it is a member. This bit is only relevant if the account in question logs on to the domain from a foreign non-Windows machine which does not support the PAC.

UF_PARTIAL_SECRETS_ACCOUNT ( 67108864 )


This bit indicates that this is a read-only domain controller (RODC) account. These machine accounts always have UF_WORKSTATION_TRUST_ACCOUNT set as well. This flag should never be set for a user account.
