Tag Archives: Active Directory

UserAccountControl Attribute/Flag Values

Here is a comprehensive list of UserAccountControl attribute/flag values I have come across when working on LDAP projects.

Property Flag | Value In Hexadecimal | Value In Decimal | Not Officially Documented
SCRIPT | 0x0001 | 1 |
LOCKOUT | 0x0010 | 16 |
PASSWD_NOTREQD | 0x0020 | 32 |
NORMAL_ACCOUNT | 0x0200 | 512 |
Disabled Account | 0x0202 | 514 | x
Enabled, Password Not Required | 0x0220 | 544 | x
Disabled, Password Not Required | 0x0222 | 546 | x
DONT_EXPIRE_PASSWORD | 0x10000 | 65536 |
Enabled, Password Doesn't Expire | 0x10200 | 66048 | x
Disabled, Password Doesn't Expire | 0x10202 | 66050 | x
Disabled, Password Doesn't Expire & Not Required | 0x10222 | 66082 | x
MNS_LOGON_ACCOUNT | 0x20000 | 131072 |
SMARTCARD_REQUIRED | 0x40000 | 262144 |
Enabled, Smartcard Required | 0x40200 | 262656 | x
Disabled, Smartcard Required | 0x40202 | 262658 | x
Disabled, Smartcard Required, Password Not Required | 0x40222 | 262690 | x
Disabled, Smartcard Required, Password Doesn't Expire | 0x50202 | 328194 | x
Disabled, Smartcard Required, Password Doesn't Expire & Not Required | 0x50222 | 328226 | x
Domain controller | 0x82000 | 532480 |
NOT_DELEGATED | 0x100000 | 1048576 |
USE_DES_KEY_ONLY | 0x200000 | 2097152 |
DONT_REQ_PREAUTH | 0x400000 | 4194304 |
PASSWORD_EXPIRED | 0x800000 | 8388608 |
PARTIAL_SECRETS_ACCOUNT | 0x04000000 | 67108864 |

Property flag descriptions (Copied from KB Article)

  • SCRIPT - The logon script will be run.
  • ACCOUNTDISABLE - The user account is disabled.
  • HOMEDIR_REQUIRED - The home folder is required.
  • PASSWD_NOTREQD - No password is required.
  • PASSWD_CANT_CHANGE - The user cannot change the password. This is a permission on the user's object. For information about how to programmatically set this permission, visit the following Web site:
  • ENCRYPTED_TEXT_PASSWORD_ALLOWED - The user can send an encrypted password.
  • TEMP_DUPLICATE_ACCOUNT - This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account.
  • NORMAL_ACCOUNT - This is a default account type that represents a typical user.
  • INTERDOMAIN_TRUST_ACCOUNT - This is a permit to trust an account for a system domain that trusts other domains.
  • WORKSTATION_TRUST_ACCOUNT - This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain.
  • SERVER_TRUST_ACCOUNT - This is a computer account for a domain controller that is a member of this domain.
  • DONT_EXPIRE_PASSWD - Represents the password, which should never expire on the account.
  • MNS_LOGON_ACCOUNT - This is an MNS logon account.
  • SMARTCARD_REQUIRED - When this flag is set, it forces the user to log on by using a smart card.
  • TRUSTED_FOR_DELEGATION - When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
  • NOT_DELEGATED - When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
  • USE_DES_KEY_ONLY - (Windows 2000/Windows Server 2003) Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
  • DONT_REQUIRE_PREAUTH - (Windows 2000/Windows Server 2003) This account does not require Kerberos pre-authentication for logging on.
  • PASSWORD_EXPIRED - (Windows 2000/Windows Server 2003) The user's password has expired.
  • TRUSTED_TO_AUTH_FOR_DELEGATION - (Windows 2000/Windows Server 2003) The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.
  • PARTIAL_SECRETS_ACCOUNT - (Windows Server 2008/Windows Server 2008 R2) The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server.

UserAccountControl values

These are the default UserAccountControl values for certain objects:

  • Typical user: 0x200 (512)
  • Domain controller: 0x82000 (532480)
  • Workstation/server: 0x1000 (4096)

Official Microsoft KB Article: http://support.microsoft.com/kb/305144
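An added example (not from this page or the KB article) that decodes a userAccountControl value into flag names, using the bits from the table above plus the ones it omits (ACCOUNTDISABLE = 0x2, TRUSTED_FOR_DELEGATION = 0x80000 and the rest from KB 305144), and builds the LDAP bitwise-AND filter (matching rule 1.2.840.113556.1.4.803) an audit would use to list accounts with a given flag set:

```python
# Added example: decode a userAccountControl integer into flag names, single
# out the security-relevant bits, and build the LDAP bitwise-AND filter used
# to audit a directory for a flag. Values: the table above plus KB 305144.
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
    "PARTIAL_SECRETS_ACCOUNT": 0x4000000,
}
# Bits that weaken authentication or widen what a compromised account can do.
RISKY_FLAGS = {"PASSWD_NOTREQD", "DONT_REQ_PREAUTH", "USE_DES_KEY_ONLY",
               "TRUSTED_FOR_DELEGATION", "TRUSTED_TO_AUTH_FOR_DELEGATION"}
# OID of the LDAP_MATCHING_RULE_BIT_AND extensible-match rule.
BIT_AND_RULE = "1.2.840.113556.1.4.803"

def decode_uac(value):
    """Names of every flag set in a userAccountControl value, lowest bit first."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]

def risky_flags(value):
    """Subset of the set flags that an account audit should report."""
    return sorted(set(decode_uac(value)) & RISKY_FLAGS)

def uac_filter(flag_name, enabled_only=True):
    """LDAP filter for accounts with flag_name set; by default disabled
    accounts are excluded so the audit lists only live exposures."""
    clause = f"(userAccountControl:{BIT_AND_RULE}:={UAC_FLAGS[flag_name]})"
    if not enabled_only:
        return clause
    disabled = UAC_FLAGS["ACCOUNTDISABLE"]
    return f"(&{clause}(!(userAccountControl:{BIT_AND_RULE}:={disabled})))"
```

For example, decode_uac(66082) yields the four bits behind the table's "Disabled, Password Doesn't Expire & Not Required" row.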

Office 365 - Change UPN on a user in the cloud

I ran across some issues when moving to Office 365, particularly with my account that I created when creating our Office 365 site. In doing so, the account on Office 365 and my on-premise account had strange issues where even though the account was synchronized with our on-premise Active Directory environment, the Office 365 account was still the active address.

To fix this, follow the instructions as mentioned in this KB article: http://support.microsoft.com/kb/2523192

Styling the Windows welcome screen (Interactive Logon)

Many people say you can't format the login screen in Windows to display a legal notice, company message, whatever. They are indeed right... to a degree.

Earlier this afternoon I came across this issue and was not going to settle for not having spaces between my paragraphs. To solve this, you can use a ridiculous number of spaces between paragraphs to simulate the break (I tried multiple special characters for spacing, but all of them either get trimmed or hide the rest of the text). Additionally, you can use special Alt characters for some formatting (quotes, bullets, etc.). If you don't have a keyboard with a keypad to type the special characters, you can open up Word, insert a symbol into the document, and copy and paste it over using the Control+C and Control+V keyboard shortcuts.

The only downside to this method is that only 512 characters will show up on Windows 2000 machines, but if you are still on Windows 2000, then I would strongly encourage you to update to a later operating system.

Exchange 2010 Won't Sync Mobile Device Mailbox For One User

Today I stumbled across some weird stuff where one individual account wasn't able to synchronize on their iPhone/Droid. They would sign in and get an error saying the "Connection to the server was unavailable."

To fix this, simply follow the steps below! 🙂

  • Open Active Directory Users and Computers -> View -> Advanced Features.
  • Find the user with the problems connecting, right-click -> Properties.
  • Click the Security tab -> Advanced and make sure that the check box for "Include inheritable permissions from this object's parent" is checked.

Pulling Active Directory account info via alias email address

I have been working on a PHP project that interfaces with Active Directory through LDAP. I noticed that some accounts weren't being resolved via email address. I thought, hmm this is strange... After a few hours, I finally figured out that the issue was due to an alias email address. By default, the "mail" attribute only has the main email address listed, so any alias addresses will not be searched upon lookup.

Use this query to select an item from AD via its alias email address:

(proxyAddresses=smtp:[email protected])
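An added example (not the post's PHP code) that builds the alias-aware lookup safely: it matches the address against either "mail" or a "smtp:" proxyAddresses entry, and escapes the address per RFC 4515 first, since a looked-up address usually comes from user input and an unescaped "*" or ")" would rewrite the filter (LDAP filter injection). The sample proxyAddresses list and the addresses in it are constructed for the example.

```python
# Added example: alias-aware AD lookup filter with RFC 4515 escaping so that
# user-supplied input cannot change the structure of the LDAP query.
import re

def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside an LDAP filter value."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)

def email_lookup_filter(address):
    """Filter matching a user whose 'mail' or any proxyAddresses entry is
    address. proxyAddresses is case-insensitive in AD, so the 'smtp:' clause
    also matches the uppercase 'SMTP:' primary entry."""
    if not re.fullmatch(r"[^@\s]+@[^@\s]+", address):
        raise ValueError("not an email address: %r" % address)
    safe = escape_filter_value(address)
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(|(mail={safe})(proxyAddresses=smtp:{safe})))")

# Constructed sample of one account's proxyAddresses: the uppercase SMTP:
# entry is the primary address, lowercase smtp: entries are aliases.
SAMPLE_PROXY_ADDRESSES = ["SMTP:jdoe@example.com",
                          "smtp:john.doe@example.com",
                          "smtp:jd@example.com"]

def matches_account(address, proxy_addresses):
    """Offline equivalent of the proxyAddresses clause: true when address is
    the primary or any alias of an account with these proxyAddresses."""
    want = "smtp:" + address.lower()
    return any(p.lower() == want for p in proxy_addresses)
```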