Tuesday, April 19, 2011

User account control settings (KB305144)

 

The following table lists the flags that can be set in the userAccountControl attribute. The flags are cumulative: the attribute value is the sum (bitwise OR) of the individual flag values. To disable a user account, set the ACCOUNTDISABLE bit; for a plain user that gives 0x0202 (0x0002 + 0x0200), or 514 in decimal (2 + 512). Note that writing the literal 0x0202 overwrites every other bit, so on an account that also carries flags such as DONT_EXPIRE_PASSWORD or SMARTCARD_REQUIRED you should OR 0x0002 into the existing value rather than replace it.

 

Property flag                     Value in hexadecimal   Value in decimal
SCRIPT                            0x0001                 1
ACCOUNTDISABLE                    0x0002                 2
HOMEDIR_REQUIRED                  0x0008                 8
LOCKOUT                           0x0010                 16
PASSWD_NOTREQD                    0x0020                 32
PASSWD_CANT_CHANGE *              0x0040                 64
ENCRYPTED_TEXT_PWD_ALLOWED        0x0080                 128
TEMP_DUPLICATE_ACCOUNT            0x0100                 256
NORMAL_ACCOUNT                    0x0200                 512
INTERDOMAIN_TRUST_ACCOUNT         0x0800                 2048
WORKSTATION_TRUST_ACCOUNT         0x1000                 4096
SERVER_TRUST_ACCOUNT              0x2000                 8192
DONT_EXPIRE_PASSWORD              0x10000                65536
MNS_LOGON_ACCOUNT                 0x20000                131072
SMARTCARD_REQUIRED                0x40000                262144
TRUSTED_FOR_DELEGATION            0x80000                524288
NOT_DELEGATED                     0x100000               1048576
USE_DES_KEY_ONLY                  0x200000               2097152
DONT_REQ_PREAUTH                  0x400000               4194304
PASSWORD_EXPIRED                  0x800000               8388608
TRUSTED_TO_AUTH_FOR_DELEGATION    0x1000000              16777216

* You cannot assign PASSWD_CANT_CHANGE by modifying the userAccountControl attribute directly. The "user cannot change password" behaviour is the effect of a deny ACE for the Change Password right on the user object, so it is read from this bit but must be set through the object's security descriptor.

Note: In a Windows Server 2003-based domain, the LOCKOUT and PASSWORD_EXPIRED bits are no longer maintained in userAccountControl. Read them from the constructed, read-only attribute msDS-User-Account-Control-Computed instead.

Property flag descriptions

· SCRIPT - The logon script will be run.

· ACCOUNTDISABLE - The user account is disabled.

· HOMEDIR_REQUIRED - The home folder is required.

· PASSWD_NOTREQD - No password is required.

· PASSWD_CANT_CHANGE - The user cannot change the password.

· ENCRYPTED_TEXT_PWD_ALLOWED - The user's password is stored with reversible encryption (the per-account form of the "Store password using reversible encryption" policy). Anyone who can read the directory's secrets can then recover the cleartext password, so set this only where a protocol genuinely requires it.

· TEMP_DUPLICATE_ACCOUNT - This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account.

· NORMAL_ACCOUNT - This is a default account type that represents a typical user.

· INTERDOMAIN_TRUST_ACCOUNT - This is a trust account for a domain that trusts other domains. Such accounts represent interdomain trusts rather than users.

· WORKSTATION_TRUST_ACCOUNT - This is a computer account for a computer that is running Windows NT 4.0 or Windows 2000 and is a member of this domain.

· SERVER_TRUST_ACCOUNT - This is a computer account for a domain controller that is a member of this domain.

· DONT_EXPIRE_PASSWORD - The password on this account never expires.

· MNS_LOGON_ACCOUNT - This is a Majority Node Set (MNS) logon account, as used by server clusters.

· SMARTCARD_REQUIRED - When this flag is set, it forces the user to log on by using a smart card.

· TRUSTED_FOR_DELEGATION - When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account. This is unconstrained delegation: a service running under such an account receives, and can reuse, a forwarded TGT from every client that authenticates to it, so treat the flag as security-sensitive and audit which accounts carry it.

· NOT_DELEGATED - When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation. This is the "Account is sensitive and cannot be delegated" option and is the recommended setting for privileged accounts.

· USE_DES_KEY_ONLY - (W2K/W2K3) Restrict this principal to Data Encryption Standard (DES) encryption types for Kerberos keys. DES uses 56-bit keys and is disabled by default on current domain controllers, so an account with this flag either fails Kerberos authentication or forces the KDC to issue weak keys; clear it wherever it is found.

· DONT_REQ_PREAUTH - (W2K/W2K3) This account does not require Kerberos pre-authentication for logging on. Because the KDC will then return an AS-REP encrypted with the account's long-term key to any unauthenticated requester, the account's password can be cracked offline (AS-REP roasting). Audit for this flag and remove it unless a legacy client genuinely needs it.

· PASSWORD_EXPIRED - (W2K/W2K3) The user's password has expired.

· TRUSTED_TO_AUTH_FOR_DELEGATION - (W2K/W2K3) The account is enabled for constrained delegation with protocol transition (Kerberos S4U2Self). This is a security-sensitive setting. Accounts with this option enabled should be tightly controlled. This setting allows a service that runs under the account to obtain a ticket as any user, without that user having authenticated to it with Kerberos, and then authenticate as that user to the remote services it is allowed to delegate to.


UserAccountControl values

These are the default userAccountControl values for certain object types, with the flags they are composed of:
Typical user : 0x200 (512) = NORMAL_ACCOUNT
Domain controller : 0x82000 (532480) = SERVER_TRUST_ACCOUNT (0x2000) + TRUSTED_FOR_DELEGATION (0x80000)
Workstation/server: 0x1000 (4096) = WORKSTATION_TRUST_ACCOUNT
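The rules above (flags are cumulative, disabling an account means adding ACCOUNTDISABLE, the default values are sums of table entries, and several bits are security-sensitive) are easiest to see in code. The following is an added example, not part of KB305144 or of this post: a small Python module that decodes a userAccountControl integer into flag names, composes a value from names, builds the LDAP filter that asks a domain controller to match bits server-side (the LDAP_MATCHING_RULE_BIT_AND extensible match, OID 1.2.840.113556.1.4.803), and audits a constructed list of (sAMAccountName, userAccountControl) pairs for the risky flags. The RISKY_FLAGS selection, the sample records and all function names are the example's own choices, not the KB's.

```python
# Added example: decode, compose and audit userAccountControl bit flags.
from typing import Dict, Iterable, List, Tuple

# Bit values from the KB305144 table (names use the table's spelling).
UAC_FLAGS: Dict[str, int] = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
}

# Flags worth a second look on an enabled account. This selection is the
# example's own; the KB itself only marks the delegation flags as sensitive.
RISKY_FLAGS: Tuple[str, ...] = (
    "PASSWD_NOTREQD",
    "ENCRYPTED_TEXT_PWD_ALLOWED",
    "TRUSTED_FOR_DELEGATION",
    "USE_DES_KEY_ONLY",
    "DONT_REQ_PREAUTH",
    "TRUSTED_TO_AUTH_FOR_DELEGATION",
)

# LDAP_MATCHING_RULE_BIT_AND: lets the DC test individual bits server-side.
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def decode_uac(value: int) -> List[str]:
    """Names of every tabulated flag set in value, lowest bit first."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def compose_uac(*names: str) -> int:
    """OR the named flags together (the KB's 'flags are cumulative')."""
    if "PASSWD_CANT_CHANGE" in names:
        # Per the KB this bit cannot be assigned by writing the attribute.
        raise ValueError("PASSWD_CANT_CHANGE is not settable via userAccountControl")
    value = 0
    for name in names:
        value |= UAC_FLAGS[name]
    return value


def disable_account(value: int) -> int:
    """Set ACCOUNTDISABLE and keep every other bit; writing the literal
    0x0202 would silently clear flags the account already carries."""
    return value | UAC_FLAGS["ACCOUNTDISABLE"]


def bitwise_filter(names: Iterable[str], exclude_disabled: bool = True) -> str:
    """LDAP filter matching enabled accounts that have ANY of the named flags."""
    any_of = "".join(f"(userAccountControl:{BIT_AND_RULE}:={UAC_FLAGS[n]})" for n in names)
    clauses = f"(objectCategory=person)(|{any_of})"
    if exclude_disabled:
        clauses += f"(!(userAccountControl:{BIT_AND_RULE}:={UAC_FLAGS['ACCOUNTDISABLE']}))"
    return f"(&{clauses})"


def audit(records: Iterable[Tuple[str, int]], exclude_disabled: bool = True):
    """Client-side equivalent of bitwise_filter over (sAMAccountName, uac) pairs."""
    findings: List[Tuple[str, List[str]]] = []
    for sam, uac in records:
        if exclude_disabled and uac & UAC_FLAGS["ACCOUNTDISABLE"]:
            continue
        hits = [n for n in RISKY_FLAGS if uac & UAC_FLAGS[n]]
        if hits:
            findings.append((sam, hits))
    return findings


# Constructed sample records, not real directory data.
SAMPLE_RECORDS: List[Tuple[str, int]] = [
    ("alice", 0x200),                         # plain user
    ("svc-web", 0x200 | 0x10000 | 0x400000),  # no pre-auth, password never expires
    ("svc-sql", 0x200 | 0x80000),             # unconstrained delegation
    ("contractor", 0x200 | 0x2 | 0x20),       # disabled, no password required
]

if __name__ == "__main__":
    print(hex(compose_uac("NORMAL_ACCOUNT", "ACCOUNTDISABLE")), decode_uac(0x0202))
    print(hex(compose_uac("SERVER_TRUST_ACCOUNT", "TRUSTED_FOR_DELEGATION")))
    print(bitwise_filter(RISKY_FLAGS))
    for sam, hits in audit(SAMPLE_RECORDS):
        print(f"{sam}: {', '.join(hits)}")
```

The string returned by bitwise_filter can be passed unchanged to ldapsearch or to Get-ADUser -LDAPFilter, which moves the bit test onto the domain controller instead of pulling every account and filtering locally as audit does. The guard in compose_uac reflects the table footnote: the PASSWD_CANT_CHANGE bit is observable but not writable through this attribute.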
