Mark Empson's Global notepad

Platforms and Active Directory Resources.

UserAccountControl flags

UserAccountControl flags

  • Comments 4
  • Likes

I was messing today with a small script to read the UserAccountControl flags of an Active Directory domain's user account base, and was tryng to find the correct values that are present there.  I ultimately stumbled upon a KB article http://support.microsoft.com/kb/305144 which is brilliant.. The key info that I needed was below so I thought I would share it with you:

 

Property flagValue in hexadecimalValue in decimal
SCRIPT 0x0001 1
ACCOUNTDISABLE 0x0002 2
HOMEDIR_REQUIRED 0x0008 8
LOCKOUT 0x0010 16
PASSWD_NOTREQD 0x0020 32
PASSWD_CANT_CHANGE
Note You cannot assign this permission by
directly modifying the UserAccountControl attribute. For information
about how to set the permission programmatically, see the "Property flag
descriptions" section.
0x0040 64
ENCRYPTED_TEXT_PWD_ALLOWED 0x0080 128
TEMP_DUPLICATE_ACCOUNT 0x0100 256
NORMAL_ACCOUNT 0x0200 512
INTERDOMAIN_TRUST_ACCOUNT 0x0800 2048
WORKSTATION_TRUST_ACCOUNT 0x1000 4096
SERVER_TRUST_ACCOUNT 0x2000 8192
DONT_EXPIRE_PASSWORD 0x10000 65536
MNS_LOGON_ACCOUNT 0x20000 131072
SMARTCARD_REQUIRED 0x40000 262144
TRUSTED_FOR_DELEGATION 0x80000 524288
NOT_DELEGATED 0x100000 1048576
USE_DES_KEY_ONLY 0x200000 2097152
DONT_REQ_PREAUTH 0x400000 4194304
PASSWORD_EXPIRED 0x800000 8388608
TRUSTED_TO_AUTH_FOR_DELEGATION 0x1000000 16777216
PARTIAL_SECRETS_ACCOUNT 0x04000000

67108864

 

If you want to find this information out in your domain, you can use the saved query feature in Active Directory users and computers tool. This can be done as follows:

  1.  If you create a new query
  2. Name it something,
  3. Then select define query button
  4. In the find combo box (drop down box) select custom search
  5. select advanced
  6. then paste in the following:     (UserAccountControl:1.2.840.113556.1.4.803:=2)   
  7. Change the value after the = sign in the above text to the decimal number from the above table that you are looking for
  8. click ok
  9. click ok
  10. you should now see all the obejects that you are looking for

This can also be done via Visual Basic Scripting :

 

Set oNSP = GetObject("LDAP://Win2000Server/rootdse")
Set oConfig = GetObject("LDAP://Win2000Server/" & oNSP.get("DefaultNamingContext"))

Set oConn = CreateObject("ADODB.Connection")
oConn.Provider = "ADSDSOObject"
oConn.Open ""

strQuery = "<" & oConfig.ADsPath & ">;(&(objectCategory=person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=2));name,objectClass;subtree"

Set oRS = oConn.Execute(strQuery)
While Not oRS.EOF
  MsgBox oRS.Fields("name")
  oRS.MoveNext
Wend

MsgBox "done"

Set oConn = Nothing
Set oRS = Nothing
Set oConfig = Nothing
Set oNSP = Nothing

 

This script has been written by Microsoft on the following KB http://support.microsoft.com/?id=269181
 

Comments
Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment