Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Flags that control the behavior of the user account.
| Entry | Value |
|---|---|
| CN | User-Account-Control |
| Ldap-Display-Name | userAccountControl |
| Size | 4 bytes. |
| Update Privilege | This value is set by the system. |
| Update Frequency | Each time the account policy changes. |
| Attribute-Id | 1.2.840.113556.1.4.8 |
| System-Id-Guid | bf967a68-0de6-11d0-a285-00aa003049e2 |
| Syntax | Enumeration |
Implementations
- Windows 2000 Server
- Windows Server 2003
- Windows Server 2003 R2
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012
Windows 2000 Server
| Entry | Value |
|---|---|
| Link-Id | - |
| MAPI-Id | - |
| System-Only | False |
| Is-Single-Valued | True |
| Is Indexed | True |
| In Global Catalog | True |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | - |
| Range-Upper | - |
| Search-Flags | 0x00000019 |
| System-Flags | 0x00000012 |
| Classes used in | User |
Windows Server 2003
| Entry | Value |
|---|---|
| Link-Id | - |
| MAPI-Id | - |
| System-Only | False |
| Is-Single-Valued | True |
| Is Indexed | True |
| In Global Catalog | True |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | - |
| Range-Upper | - |
| Search-Flags | 0x00000019 |
| System-Flags | 0x00000012 |
| Classes used in | User |
Windows Server 2003 R2
| Entry | Value |
|---|---|
| Link-Id | - |
| MAPI-Id | - |
| System-Only | False |
| Is-Single-Valued | True |
| Is Indexed | True |
| In Global Catalog | True |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | - |
| Range-Upper | - |
| Search-Flags | 0x00000019 |
| System-Flags | 0x00000012 |
| Classes used in | User |
Windows Server 2008
| Entry | Value |
|---|---|
| Link-Id | - |
| MAPI-Id | - |
| System-Only | False |
| Is-Single-Valued | True |
| Is Indexed | True |
| In Global Catalog | True |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | - |
| Range-Upper | - |
| Search-Flags | 0x00000019 |
| System-Flags | 0x00000012 |
| Classes used in | User |
Windows Server 2008 R2
| Entry | Value |
|---|---|
| Link-Id | - |
| MAPI-Id | - |
| System-Only | False |
| Is-Single-Valued | True |
| Is Indexed | True |
| In Global Catalog | True |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | - |
| Range-Upper | - |
| Search-Flags | 0x00000019 |
| System-Flags | 0x00000012 |
| Classes used in | User |
Windows Server 2012
| Entry | Value |
|---|---|
| Link-Id | - |
| MAPI-Id | - |
| System-Only | False |
| Is-Single-Valued | True |
| Is Indexed | True |
| In Global Catalog | True |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | - |
| Range-Upper | - |
| Search-Flags | 0x00000019 |
| System-Flags | 0x00000012 |
| Classes used in | User |
Remarks
This attribute value can be zero or a combination of one or more of the following values.
| Hexadecimal value | Identifier (defined in iads.h) | Description |
|---|---|---|
| 0x00000001 | ADS_UF_SCRIPT | The logon script is executed. |
| 0x00000002 | ADS_UF_ACCOUNTDISABLE | The user account is disabled. |
| 0x00000008 | ADS_UF_HOMEDIR_REQUIRED | The home directory is required. |
| 0x00000010 | ADS_UF_LOCKOUT | The account is currently locked out. |
| 0x00000020 | ADS_UF_PASSWD_NOTREQD | No password is required. |
| 0x00000040 | ADS_UF_PASSWD_CANT_CHANGE | The user cannot change the password. Note: You cannot assign the permission settings of PASSWD_CANT_CHANGE by directly modifying the UserAccountControl attribute. For more information and a code example that shows how to prevent a user from changing the password, see User Cannot Change Password. : |
| 0x00000080 | ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED | The user can send an encrypted password. |
| 0x00000100 | ADS_UF_TEMP_DUPLICATE_ACCOUNT | This is an account for users whose primary account is in another ___domain. This account provides user access to this ___domain, but not to any ___domain that trusts this ___domain. Also known as a local user account. |
| 0x00000200 | ADS_UF_NORMAL_ACCOUNT | This is a default account type that represents a typical user. |
| 0x00000800 | ADS_UF_INTERDOMAIN_TRUST_ACCOUNT | This is a permit to trust account for a system ___domain that trusts other domains. |
| 0x00001000 | ADS_UF_WORKSTATION_TRUST_ACCOUNT | This is a computer account for a computer that is a member of this ___domain. |
| 0x00002000 | ADS_UF_SERVER_TRUST_ACCOUNT | This is a computer account for a system backup ___domain controller that is a member of this ___domain. |
| 0x00004000 | N/A | Not used. |
| 0x00008000 | N/A | Not used. |
| 0x00010000 | ADS_UF_DONT_EXPIRE_PASSWD | The password for this account will never expire. |
| 0x00020000 | ADS_UF_MNS_LOGON_ACCOUNT | This is an MNS logon account. |
| 0x00040000 | ADS_UF_SMARTCARD_REQUIRED | The user must log on using a smart card. |
| 0x00080000 | ADS_UF_TRUSTED_FOR_DELEGATION | The service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. |
| 0x00100000 | ADS_UF_NOT_DELEGATED | The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation. |
| 0x00200000 | ADS_UF_USE_DES_KEY_ONLY | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys. |
| 0x00400000 | ADS_UF_DONT_REQUIRE_PREAUTH | This account does not require Kerberos pre-authentication for logon. |
| 0x00800000 | ADS_UF_PASSWORD_EXPIRED | The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the ___domain policy. |
| 0x01000000 | ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION | The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to other remote servers on the network. |