Normal Day to Day Values:
512 - Enable Account
514 - Disable account
544 - Account Enabled - Require user to change password at first logon
4096 - Workstation/server
66048 - Enabled, password never expires
66050 - Disabled, password never expires
262656 - Smart Card Logon Required
532480 - Domain controller
All Other Values:
1 - script
2 - accountdisable
8 - homedir_required
16 - lockout
32 - passwd_notreqd
64 - passwd_cant_change
128 - encrypted_text_pwd_allowed
256 - temp_duplicate_account
512 - normal_account
2048 - interdomain_trust_account
4096 - workstation_trust_account
8192 - server_trust_account
65536 - dont_expire_password
131072 - mns_logon_account
262144 - smartcard_required
524288 - trusted_for_delegation
1048576 - not_delegated
2097152 - use_des_key_only
4194304 - dont_req_preauth
8388608 - password_expired
16777216 - trusted_to_auth_for_delegation
First, 544 is not the only value that means the user is not required to have a password. The userAccountControl attribute is an integer where each bit corresponds to a different setting. For example, 546 means the user does not need a password and the account is disabled. 66080 means the user has "Password does not expire" and "password not required" set. 66082 means the same, but in addition the account is disabled. However, 544 will probably be the most common value. Still, to find all users with "password not required" set, you can use the following:
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.1135188.8.131.523:=32))" -attr distinguishedName userAccountControl
I know the syntax for the filter clause is ugly, but it tests the value with the bit mask 32 (equal to hex 20) to see if the bit is set. The clause will be true if the bit is set, meaning a password is not required.
I find when I create users with a VBScript program, the account will have "password not required" set, unless I either specify a value for userAccountControl, or run code to turn this bit off. It doesn't happen if I use PowerShell to create the user. It's easy to happen without realizing it.
The following table lists possible flags that you can assign. You cannot set some of the values on a user or computer object because these values can be set or reset only by the directory service. Note that Ldp.exe shows the values in hexadecimal. Adsiedit.msc displays the values in decimal. The flags are cumulative. To disable a user's account, set the UserAccountControl attribute to 0x0202 (0x002 + 0x0200). In decimal, this is 514 (2 + 512).
Note You can directly edit Active Directory in both Ldp.exe and Adsiedit.msc. Only experienced administrators should use these tools to edit Active Directory. Both tools are available after you install the Support tools from your original Windows installation media.
Property flag Value in hexadecimal Value in decimal
Property Flag Value In Hexadecimal Value In Decimal Not Officially Documented
SCRIPT 0x0001 1
ACCOUNTDISABLE 0x0002 2
HOMEDIR_REQUIRED 0x0008 8
LOCKOUT 0x0010 16
PASSWD_NOTREQD 0x0020 32
PASSWD_CANT_CHANGE 0x0040 64
ENCRYPTED_TEXT_PWD_ALLOWED 0x0080 128
TEMP_DUPLICATE_ACCOUNT 0x0100 256
NORMAL_ACCOUNT 0x0200 512
Disabled Account 0x0202 514 x
Enabled, Password Not Required 0x0220 544 x
Disabled, Password Not Required 0x0222 546 x
INTERDOMAIN_TRUST_ACCOUNT 0x0800 2048
WORKSTATION_TRUST_ACCOUNT 0x1000 4096
SERVER_TRUST_ACCOUNT 0x2000 8192
DONT_EXPIRE_PASSWORD 0x10000 65536
Enabled, Password Doesn’t Expire 0x10200 66048 x
Disabled, Password Doesn’t Expire 0x10202 66050 x
Disabled, Password Doesn’t Expire & Not Required 0x10222 66082 x
MNS_LOGON_ACCOUNT 0x20000 131072
SMARTCARD_REQUIRED 0x40000 262144
Enabled, Smartcard Required 0x40200 262656 x
Disabled, Smartcard Required 0x40202 262658 x
Disabled, Smartcard Required, Password Not Required 0x40222 262690 x
Disabled, Smartcard Required, Password Doesn’t Expire 0x50202 328194 x
Disabled, Smartcard Required, Password Doesn’t Expire & Not Required 0x50222 328226 x
TRUSTED_FOR_DELEGATION 0x80000 524288
Domain controller 0x82000 532480
NOT_DELEGATED 0x100000 1048576
USE_DES_KEY_ONLY 0x200000 2097152
DONT_REQ_PREAUTH 0x400000 4194304
PASSWORD_EXPIRED 0x800000 8388608
TRUSTED_TO_AUTH_FOR_DELEGATION 0x1000000 16777216
PARTIAL_SECRETS_ACCOUNT 0x04000000 67108864
Note In a Windows Server 2003-based domain, LOCK_OUT and PASSWORD_EXPIRED have been replaced with a new attribute called ms-DS-User-Account-Control-Computed. For more information about this new attribute, visit the following Web site:
Property flag descriptions
- SCRIPT - The logon script will be run.
- ACCOUNTDISABLE - The user account is disabled.
- HOMEDIR_REQUIRED - The home folder is required.
- PASSWD_NOTREQD - No password is required.
- PASSWD_CANT_CHANGE - The user cannot change the password. This is a permission on the user's object. For information about how to programmatically set this permission, visit the following Web site:http://msdn2.microsoft.com/en-us/library/aa746398.aspx
- ENCRYPTED_TEXT_PASSWORD_ALLOWED - The user can send an encrypted password.
- TEMP_DUPLICATE_ACCOUNT - This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account.
- NORMAL_ACCOUNT - This is a default account type that represents a typical user.
- INTERDOMAIN_TRUST_ACCOUNT - This is a permit to trust an account for a system domain that trusts other domains.
- WORKSTATION_TRUST_ACCOUNT - This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain.
- SERVER_TRUST_ACCOUNT - This is a computer account for a domain controller that is a member of this domain.
- DONT_EXPIRE_PASSWD - Represents the password, which should never expire on the account.
- MNS_LOGON_ACCOUNT - This is an MNS logon account.
- SMARTCARD_REQUIRED - When this flag is set, it forces the user to log on by using a smart card.
- TRUSTED_FOR_DELEGATION - When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
- NOT_DELEGATED - When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
- USE_DES_KEY_ONLY - (Windows 2000/Windows Server 2003) Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
- DONT_REQUIRE_PREAUTH - (Windows 2000/Windows Server 2003) This account does not require Kerberos pre-authentication for logging on.
- PASSWORD_EXPIRED - (Windows 2000/Windows Server 2003) The user's password has expired.
- TRUSTED_TO_AUTH_FOR_DELEGATION - (Windows 2000/Windows Server 2003) The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.
- PARTIAL_SECRETS_ACCOUNT - (Windows Server 2008/Windows Server 2008 R2) The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server.
These are the default UserAccountControl values for the certain objects:
Typical user : 0x200 (512)
Domain controller : 0x82000 (532480)
Workstation/server: 0x1000 (4096)