The following table lists possible flags that you can assign. The flags are cumulative. To disable a user's account, set the UserAccountControl attribute to 0x0202 (0x002 + 0x0200). In decimal, this is 514 (2 + 512).
| Property flag | Value in hexadecimal | Value in decimal |
|---|---|---|
| SCRIPT | 0x0001 | 1 |
| ACCOUNTDISABLE | 0x0002 | 2 |
| HOMEDIR_REQUIRED | 0x0008 | 8 |
| LOCKOUT | 0x0010 | 16 |
| PASSWD_NOTREQD | 0x0020 | 32 |
| PASSWD_CANT_CHANGE * | 0x0040 | 64 |
| ENCRYPTED_TEXT_PWD_ALLOWED | 0x0080 | 128 |
| TEMP_DUPLICATE_ACCOUNT | 0x0100 | 256 |
| NORMAL_ACCOUNT | 0x0200 | 512 |
| INTERDOMAIN_TRUST_ACCOUNT | 0x0800 | 2048 |
| WORKSTATION_TRUST_ACCOUNT | 0x1000 | 4096 |
| SERVER_TRUST_ACCOUNT | 0x2000 | 8192 |
| DONT_EXPIRE_PASSWORD | 0x10000 | 65536 |
| MNS_LOGON_ACCOUNT | 0x20000 | 131072 |
| SMARTCARD_REQUIRED | 0x40000 | 262144 |
| TRUSTED_FOR_DELEGATION | 0x80000 | 524288 |
| NOT_DELEGATED | 0x100000 | 1048576 |
| USE_DES_KEY_ONLY | 0x200000 | 2097152 |
| DONT_REQ_PREAUTH | 0x400000 | 4194304 |
| PASSWORD_EXPIRED | 0x800000 | 8388608 |
| TRUSTED_TO_AUTH_FOR_DELEGATION | 0x1000000 | 16777216 |

\* You cannot modify
Note: In a Windows Server 2003-based domain, LOCKOUT and PASSWORD_EXPIRED have been replaced with a new attribute called ms-DS-User-Account-Control-Computed.
Property flag descriptions
· SCRIPT - The logon script will be run.
· ACCOUNTDISABLE - The user account is disabled.
· HOMEDIR_REQUIRED - The home folder is required.
· PASSWD_NOTREQD - No password is required.
· PASSWD_CANT_CHANGE - The user cannot change the password.
· ENCRYPTED_TEXT_PASSWORD_ALLOWED - The user can send an encrypted password.
· TEMP_DUPLICATE_ACCOUNT - This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account.
· NORMAL_ACCOUNT - This is a default account type that represents a typical user.
· INTERDOMAIN_TRUST_ACCOUNT - This is a trust account (a permit to trust) for a system domain that trusts other domains.
· WORKSTATION_TRUST_ACCOUNT - This is a computer account for a computer that is running Windows NT 4.0 or Windows 2000 and is a member of this domain.
· SERVER_TRUST_ACCOUNT - This is a computer account for a domain controller that is a member of this domain.
· DONT_EXPIRE_PASSWD - The password on this account never expires.
· MNS_LOGON_ACCOUNT - This is an MNS logon account.
· SMARTCARD_REQUIRED - When this flag is set, it forces the user to log on by using a smart card.
· TRUSTED_FOR_DELEGATION - When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
· NOT_DELEGATED - When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
· USE_DES_KEY_ONLY - (W2K/W2K3) Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
· DONT_REQUIRE_PREAUTH - (W2K/W2K3) This account does not require Kerberos pre-authentication for logging on.
· PASSWORD_EXPIRED - (W2K/W2K3) The user's password has expired.
· TRUSTED_TO_AUTH_FOR_DELEGATION - (W2K/W2K3) The account is enabled for delegation. This is a security-sensitive setting. Accounts with this option enabled should be tightly controlled. This setting allows a service that runs under the account to assume a client's identity and authenticate as that user to other remote servers on the network.
UserAccountControl values
These are the default UserAccountControl values for certain objects:
· Typical user: 0x200 (512)
· Domain controller: 0x82000 (532480)
· Workstation/server: 0x1000 (4096)
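Because the flags are cumulative bits, a value such as 0x82000 can be decoded back into its flag names and audited. The following is an added example (not part of the original article) that decodes and encodes userAccountControl values using the table above and reports enabled accounts carrying the security-sensitive flags named in the descriptions; the account names and values are constructed.

```python
# Added example: decode/encode userAccountControl bit flags from the table above.
UAC_FLAGS = {
    0x0001: "SCRIPT", 0x0002: "ACCOUNTDISABLE", 0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD", 0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED", 0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT", 0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD", 0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED", 0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED", 0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH", 0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
NAME_TO_BIT = {name: bit for bit, name in UAC_FLAGS.items()}
KNOWN_MASK = sum(UAC_FLAGS)  # bits are distinct, so the sum equals the bitwise OR

# Flags the descriptions above call security-sensitive or that weaken authentication.
RISKY = {"PASSWD_NOTREQD", "DONT_REQ_PREAUTH", "USE_DES_KEY_ONLY",
         "ENCRYPTED_TEXT_PWD_ALLOWED", "TRUSTED_FOR_DELEGATION",
         "TRUSTED_TO_AUTH_FOR_DELEGATION"}

def decode_uac(value):
    """Return the flag names set in value, lowest bit first; unknown bits as hex."""
    names = [UAC_FLAGS[bit] for bit in sorted(UAC_FLAGS) if value & bit]
    leftover = value & ~KNOWN_MASK
    if leftover:
        names.append(f"UNKNOWN_0x{leftover:X}")
    return names

def encode_uac(*names):
    """Combine flag names into one cumulative value (e.g. 0x0002 + 0x0200 = 0x0202)."""
    value = 0
    for name in names:
        value |= NAME_TO_BIT[name]
    return value

def audit(accounts):
    """accounts: {sAMAccountName: uac}. Return risky flags per *enabled* account."""
    findings = {}
    for name, uac in accounts.items():
        flags = set(decode_uac(uac))
        if "ACCOUNTDISABLE" in flags:
            continue  # disabled accounts are skipped; re-check them if re-enabled
        hits = flags & RISKY
        if hits:
            findings[name] = sorted(hits)
    return findings

if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    sample = {"alice": 0x200, "svc-web": 0x80200, "bob": 0x400220, "old": 0x202}
    print(audit(sample))
```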