UserAccountControl property flags - Windows Server (2024)

  • Article

This article describes information about using the UserAccountControl attribute to manipulate user account properties.

Original KB number: 305144

Summary

When you open the properties for a user account, click the Account tab, and then either select or clear the check boxes in the Account options dialog box, numerical values are assigned to the UserAccountControl attribute. The value that is assigned to the attribute tells Windows which options have been enabled.

To view user accounts, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

List of property flags

You can view and edit these attributes by using either the Ldp.exe tool or the Adsiedit.msc snap-in.

The following table lists possible flags that you can assign. You can't set some of the values on a user or computer object because these values can be set or reset only by the directory service. Ldp.exe shows the values in hexadecimal. Adsiedit.msc displays the values in decimal. The flags are cumulative. To disable a user's account, set the UserAccountControl attribute to 0x0202 (0x002 + 0x0200). In decimal, it's 514 (2 + 512).

Note

You can directly edit Active Directory in both Ldp.exe and Adsiedit.msc. Only experienced administrators should use these tools to edit Active Directory. Both tools are available after you install the Support tools from your original Windows installation media.

Property flagValue in hexadecimalValue in decimal
SCRIPT0x00011
ACCOUNTDISABLE0x00022
HOMEDIR_REQUIRED0x00088
LOCKOUT0x001016
PASSWD_NOTREQD0x002032
PASSWD_CANT_CHANGE

You can't assign this permission by directly modifying the UserAccountControl attribute. For information about how to set the permission programmatically, see the Property flag descriptions section.

0x004064
ENCRYPTED_TEXT_PWD_ALLOWED0x0080128
TEMP_DUPLICATE_ACCOUNT0x0100256
NORMAL_ACCOUNT0x0200512
INTERDOMAIN_TRUST_ACCOUNT0x08002048
WORKSTATION_TRUST_ACCOUNT0x10004096
SERVER_TRUST_ACCOUNT0x20008192
DONT_EXPIRE_PASSWORD0x1000065536
MNS_LOGON_ACCOUNT0x20000131072
SMARTCARD_REQUIRED0x40000262144
TRUSTED_FOR_DELEGATION0x80000524288
NOT_DELEGATED0x1000001048576
USE_DES_KEY_ONLY0x2000002097152
DONT_REQ_PREAUTH0x4000004194304
PASSWORD_EXPIRED0x8000008388608
TRUSTED_TO_AUTH_FOR_DELEGATION0x100000016777216
PARTIAL_SECRETS_ACCOUNT0x0400000067108864

Note

In a Windows Server 2003-based domain, LOCK_OUT and PASSWORD_EXPIRED have been replaced with a new attribute called ms-DS-User-Account-Control-Computed. For more information about this new attribute, see ms-DS-User-Account-Control-Computed attribute.

Property flag descriptions

  • SCRIPT - The logon script will be run.

  • ACCOUNTDISABLE - The user account is disabled.

  • HOMEDIR_REQUIRED - The home folder is required.

  • PASSWD_NOTREQD - No password is required.

  • PASSWD_CANT_CHANGE - The user can't change the password. It's a permission on the user's object. For information about how to programmatically set this permission, see Modifying User Cannot Change Password (LDAP Provider).

  • ENCRYPTED_TEXT_PASSWORD_ALLOWED - The user can send an encrypted password.

  • TEMP_DUPLICATE_ACCOUNT - It's an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. It's sometimes referred to as a local user account.

  • NORMAL_ACCOUNT - It's a default account type that represents a typical user.

  • INTERDOMAIN_TRUST_ACCOUNT - It's a permit to trust an account for a system domain that trusts other domains.

  • WORKSTATION_TRUST_ACCOUNT - It's a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain.

  • SERVER_TRUST_ACCOUNT - It's a computer account for a domain controller that is a member of this domain.

  • DONT_EXPIRE_PASSWD - Represents the password, which should never expire on the account.

  • MNS_LOGON_ACCOUNT - It's an MNS logon account.

  • SMARTCARD_REQUIRED - When this flag is set, it forces the user to log on by using a smart card.

  • TRUSTED_FOR_DELEGATION - When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.

  • NOT_DELEGATED - When this flag is set, the security context of the user isn't delegated to a service even if the service account is set as trusted for Kerberos delegation.

  • USE_DES_KEY_ONLY - (Windows 2000/Windows Server 2003) Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.

  • DONT_REQUIRE_PREAUTH - (Windows 2000/Windows Server 2003) This account doesn't require Kerberos pre-authentication for logging on.

  • PASSWORD_EXPIRED - (Windows 2000/Windows Server 2003) The user's password has expired.

  • TRUSTED_TO_AUTH_FOR_DELEGATION - (Windows 2000/Windows Server 2003) The account is enabled for delegation. It's a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.

  • PARTIAL_SECRETS_ACCOUNT - (Windows Server 2008/Windows Server 2008 R2) The account is a read-only domain controller (RODC). It's a security-sensitive setting. Removing this setting from an RODC compromises security on that server.

UserAccountControl values

Here are the default UserAccountControl values for the certain objects:

  • Typical user: 0x200 (512)
  • Domain controller: 0x82000 (532480)
  • Workstation/server: 0x1000 (4096)
  • Trust: 0x820 (2080)

Note

A Windows trust account is exempt from having a password through PASSWD_NOTREQD UserAccountControl attribute value because trust objects don't use the traditional password policy and password attributes in the same way as user and computer objects.

Trust secrets are represented by special attributes on the interdomain trust accounts, indicating the direction of the trust. Inbound trust secrets are stored in the trustAuthIncoming attribute, on the "trusted" side of a trust. Outbound trust secrets are stored in the trustAuthOutgoing attribute, on the "trusting" end of a trust.

  • For two-way trusts the INTERDOMAIN_TRUST_ACCOUNT object on each side of the trust will have both set.
  • Trust secrets are maintained by the domain controller which is the primary domain controller (PDC) emulator Flexible Single Master Operation (FSMO) role in the trusting domain.
  • For this reason the PASSWD_NOTREQD UserAccountControl attribute is set on INTERDOMAIN_TRUST_ACCOUNT accounts by default.
UserAccountControl property flags - Windows Server (2024)
Top Articles
Latest Posts
Recommended Articles
Article information

Author: Tyson Zemlak

Last Updated:

Views: 5682

Rating: 4.2 / 5 (43 voted)

Reviews: 90% of readers found this page helpful

Author information

Name: Tyson Zemlak

Birthday: 1992-03-17

Address: Apt. 662 96191 Quigley Dam, Kubview, MA 42013

Phone: +441678032891

Job: Community-Services Orchestrator

Hobby: Coffee roasting, Calligraphy, Metalworking, Fashion, Vehicle restoration, Shopping, Photography

Introduction: My name is Tyson Zemlak, I am a excited, light, sparkling, super, open, fair, magnificent person who loves writing and wants to share my knowledge and understanding with you.