Using UserAccountControl Flags to Manipulate Properties

Active Directory UserAccountControl attribute contains flags to view or change the active directory user account values.

Active Directory UserAccountControl values represent which options have been enabled for a user account.

Ldp.exe tool or Adsiedit. msc snap-in tool shows the UserAccountControl values in Active Directory.

Ldp.exe tool shows the values in hexadecimal. Adsiedit.msc snap-in tool shows the values in decimal.

In this article, we will discuss a list of UserAccountControl flags available. You can assign or change the possible UserAccountControl flags value.

Some of the flag values on the user or computer object can’t change as they can be set or reset from the directory service.

UserAccountControl Flags or Attribute Values

All UserAccountrol flag values are shown in the table.

Property flag	Value in hexadecimal	Value in decimal
SCRIPT	0x0001	1
ACCOUNTDISABLE	0x0002	2
HOMEDIR_REQUIRED	0x0008	8
LOCKOUT	0x0010	16
PASSWD_NOTREQD	0x0020	32
PASSWD_CANT_CHANGE	0x0040	64
ENCRYPTED_TEXT_PWD_ALLOWED	0x0080	128
TEMP_DUPLICATE_ACCOUNT	0x0100	256
NORMAL_ACCOUNT	0x0200	512
INTERDOMAIN_TRUST_ACCOUNT	0x0800	2048
WORKSTATION_TRUST_ACCOUNT	0x1000	4096
SERVER_TRUST_ACCOUNT	0x2000	8192
DONT_EXPIRE_PASSWORD	0x10000	65536
MNS_LOGON_ACCOUNT	0x20000	131072
SMARTCARD_REQUIRED	0x40000	262144
TRUSTED_FOR_DELEGATION	0x80000	524288
NOT_DELEGATED	0x100000	1048576
USE_DES_KEY_ONLY	0x200000	2097152
DONT_REQ_PREAUTH	0x400000	4194304
PASSWORD_EXPIRED	0x800000	8388608
TRUSTED_TO_AUTH_FOR_DELEGATION	0x1000000	16777216
PARTIAL_SECRETS_ACCOUNT	0x04000000	67108864

UserAccountControl Flags Descriptions

Here is a Comprehensive list of UserAccountControl flags with their descriptions. Refer to the Official Microsoft Knowledgebase article for UserAccountControl.

• SCRIPT – The logon script will be run.
• ACCOUNTDISABLE – The user account is disabled.
• HOMEDIR_REQUIRED – The home folder is required.
• PASSWD_NOTREQD – No password is required.
• PASSWD_CANT_CHANGE – The user can’t change the password. It’s a permission on the user’s object. For information about how to programmatically set this permission, see Modifying User Cannot Change Password (LDAP Provider).
• ENCRYPTED_TEXT_PASSWORD_ALLOWED – The user can send an encrypted password.
• TEMP_DUPLICATE_ACCOUNT – It’s an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. It’s sometimes referred to as a local user account.
• NORMAL_ACCOUNT – It’s a default account type that represents a typical user.
• INTERDOMAIN_TRUST_ACCOUNT – It’s a permit to trust an account for a system domain that trusts other domains.
• WORKSTATION_TRUST_ACCOUNT – It’s a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain.
• SERVER_TRUST_ACCOUNT – It’s a computer account for a domain controller that is a member of this domain.
• DONT_EXPIRE_PASSWD – Represents the password, which should never expire on the account.
• MNS_LOGON_ACCOUNT – It’s an MNS logon account.
• SMARTCARD_REQUIRED – When this flag is set, it forces the user to log on by using a smart card.
• TRUSTED_FOR_DELEGATION – When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
• NOT_DELEGATED – When this flag is set, the security context of the user isn’t delegated to a service even if the service account is set as trusted for Kerberos delegation.
• USE_DES_KEY_ONLY – (Windows 2000/Windows Server 2003) Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
• DONT_REQUIRE_PREAUTH – (Windows 2000/Windows Server 2003) This account doesn’t require Kerberos pre-authentication for logging on.
• PASSWORD_EXPIRED – (Windows 2000/Windows Server 2003) The user’s password has expired.
• TRUSTED_TO_AUTH_FOR_DELEGATION – (Windows 2000/Windows Server 2003) The account is enabled for delegation. It’s a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client’s identity and authenticate as that user to other remote servers on the network.
• PARTIAL_SECRETS_ACCOUNT – (Windows Server 2008/Windows Server 2008 R2) The account is a read-only domain controller (RODC). It’s a security-sensitive setting. Removing this setting from an RODC compromises security on that server.

In the above table, we have summed up all the property flags to get cumulative value for a disabled user account for password not required.

Modify the value of the UserAccountControl attribute to 546 in adsiedit.msc tool.

UserAccountControl 546 – Disabled User Account with password not required.

UserAccountControl 66082 – Disabled,Password not required and Password Doesn’t Expire

To set up a disabled user account with a password not required, we need the NORMAL_ACCOUNT flag, PASSWD_NOTREQD flag, ACCOUNTDISABLE flag, and DONT_EXPIRE_PASSWORD flag.

Property flag	Value in hexadecimal	Value in decimal
NORMAL_ACCOUNT	0x0200	512
ACCOUNTDISABLE	0x0002	2
DONT_EXPIRE_PASSWORD	0x10000	65536
PASSWD_NOTREQD	0x0020	32
Disabled, Don’t Expire Password	0x10222	66082

In the above table, we have summed up all the property flags to get cumulative value for a disabled user account for password not required.

Modify the value of the UserAccountControl attribute to 66082 in adsiedit.msc tool.

UserAccountControl 66082 – Disabled User Account, password not required and password doesn’t expire.

UserAccountControl 590336 – Enabled, User Cannot Change Password, Password Never Expires

Assign 590336 value to UserAccountControl attribute to enable a user account, user cannot change password and password never expires.

UserAccountControl 4128 – WorkStation Trust Account, Password not required

To set up a workstation trust account with a password not required, we need the WORKSTATION_TRUST_ACCOUNT flag and PASSWD_NOTREQD flag.

Property flag	Value in hexadecimal	Value in decimal
WORKSTATION_TRUST_ACCOUNT	0x1000	4096
PASSWD_NOTREQD	0x0020	32
Workstation trust account with a password not required	0x1020	4128

In the above table, we have summed up all the property flags to get cumulative value for a disabled user account for password not required.

Modify the value of the UserAccountControl attribute to 4128 in adsiedit.msc tool.

UserAccountControl 4128 – Workstation Trust Account with Password not required.

UserAccountControl 2080 – InterDomain Trust Account, Password not required

To set up a workstation trust account with a password not required, we need the WORKSTATION_TRUST_ACCOUNT flag and PASSWD_NOTREQD flag.

Property flag	Value in hexadecimal	Value in decimal
INTERDOMAIN_TRUST_ACCOUNT	0x0800	2048
PASSWD_NOTREQD	0x0020	32
InterDomain trust account with a password not required	0x0820	2080

In the above table, we have summed up all the property flags to get cumulative value for a disabled user account for password not required.

Modify the value of the UserAccountControl attribute to 2080 in adsiedit.msc tool.

UserAccountControl 2080 – InterDomain Trust Account with Password not required.

Conclusion – UserAccountControl Flags

I hope the above article on Active Directory UserAccountControl values is helpful to you.

UserAccountControl property flags are cumulative.

You can sum of UserAccountControl flags hexadecimal or decimal values to assign it to the UserAccountControl attribute value in ldp.exe and Adsiedit.exe snap-in tool respectively.

You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.