UserAccountControl flags
I was messing today with a small script to read the UserAccountControl flags of an Active Directory domain's user account base, and was tryng to find the correct values that are present there. I ultimately stumbled upon a KB article https://support.microsoft.com/kb/305144 which is brilliant.. The key info that I needed was below so I thought I would share it with you:
| Property flag | Value in hexadecimal | Value in decimal |
|---|---|---|
| SCRIPT | 0x0001 | 1 |
| ACCOUNTDISABLE | 0x0002 | 2 |
| HOMEDIR_REQUIRED | 0x0008 | 8 |
| LOCKOUT | 0x0010 | 16 |
| PASSWD_NOTREQD | 0x0020 | 32 |
| PASSWD_CANT_CHANGENote You cannot assign this permission by directly modifying the UserAccountControl attribute. For information about how to set the permission programmatically, see the "Property flag descriptions" section. | 0x0040 | 64 |
| ENCRYPTED_TEXT_PWD_ALLOWED | 0x0080 | 128 |
| TEMP_DUPLICATE_ACCOUNT | 0x0100 | 256 |
| NORMAL_ACCOUNT | 0x0200 | 512 |
| INTERDOMAIN_TRUST_ACCOUNT | 0x0800 | 2048 |
| WORKSTATION_TRUST_ACCOUNT | 0x1000 | 4096 |
| SERVER_TRUST_ACCOUNT | 0x2000 | 8192 |
| DONT_EXPIRE_PASSWORD | 0x10000 | 65536 |
| MNS_LOGON_ACCOUNT | 0x20000 | 131072 |
| SMARTCARD_REQUIRED | 0x40000 | 262144 |
| TRUSTED_FOR_DELEGATION | 0x80000 | 524288 |
| NOT_DELEGATED | 0x100000 | 1048576 |
| USE_DES_KEY_ONLY | 0x200000 | 2097152 |
| DONT_REQ_PREAUTH | 0x400000 | 4194304 |
| PASSWORD_EXPIRED | 0x800000 | 8388608 |
| TRUSTED_TO_AUTH_FOR_DELEGATION | 0x1000000 | 16777216 |
| PARTIAL_SECRETS_ACCOUNT | 0x04000000 | 67108864 |
If you want to find this information out in your domain, you can use the saved query feature in Active Directory users and computers tool. This can be done as follows:
- If you create a new query
- Name it something,
- Then select define query button
- In the find combo box (drop down box) select custom search
- select advanced
- then paste in the following: (UserAccountControl:1.2.840.113556.1.4.803:=2)
- Change the value after the = sign in the above text to the decimal number from the above table that you are looking for
- click ok
- click ok
- you should now see all the obejects that you are looking for
This can also be done via Visual Basic Scripting :
Set oNSP = GetObject("LDAP://Win2000Server/rootdse")
Set oConfig = GetObject("LDAP://Win2000Server/" & oNSP.get("DefaultNamingContext"))
Set oConn = CreateObject("ADODB.Connection")
oConn.Provider = "ADSDSOObject"
oConn.Open ""
strQuery = "<" & oConfig.ADsPath & ">;(&(objectCategory=person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=2));name,objectClass;subtree"
Set oRS = oConn.Execute(strQuery)
While Not oRS.EOF
MsgBox oRS.Fields("name")
oRS.MoveNext
Wend
MsgBox "done"
Set oConn = Nothing
Set oRS = Nothing
Set oConfig = Nothing
Set oNSP = Nothing
This script has been written by Microsoft on the following KB https://support.microsoft.com/?id=269181