PowerShell Ezine, Logon Scripts

Guy's Scripting Ezine No 23b - Complete list of UserAccountControl Values

Complete List of UserAccountValues

Real life usages e.g. UserAccountControl Value = 514

Explanation of why 514 = 512 [Normal] + 2 [AccountDisable]

SCRIPT 0x0001 1
ACCOUNTDISABLE 0x0002 2
HOMEDIR_REQUIRED 0x0008 8
LOCKOUT 0x0010 16
PASSWD_NOTREQD 0x0020 32
PASSWD_CANT_CHANGE 0x0040 64
ENCRYPTED_TEXT_PWD_ALLOWED 0x0080 128
TEMP_DUPLICATE_ACCOUNT 0x0100 256
NORMAL_ACCOUNT 0x0200 512
INTERDOMAIN_TRUST_ACCOUNT 0x0800 2048
WORKSTATION_TRUST_ACCOUNT 0x1000 4096
SERVER_TRUST_ACCOUNT 0x2000 8192
DONT_EXPIRE_PASSWORD 0x10000 65536
MNS_LOGON_ACCOUNT 0x20000 131072
SMARTCARD_REQUIRED 0x40000 262144
TRUSTED_FOR_DELEGATION 0x80000 524288
NOT_DELEGATED 0x100000 1048576
USE_DES_KEY_ONLY 0x200000 2097152
DONT_REQ_PREAUTH 0x400000 4194304
PASSWORD_EXPIRED 0x800000 8388608
TRUSTED_TO_AUTH_FOR_DELEGATION 0x1000000 16777216

 

Explanation:  514 = 512 [Normal] = 2 [AccountDisable]

Guy Recommends:  Solarwinds' Free Bulk Import ToolFree Download Bulk Import Tool

Import users from a spreadsheet.  Just provide a list of the users with their fields in the top row, and save as .csv file.  Then launch this FREE utility and match your fields with AD's attributes, click and import the users.  Optionally, you can provide the name of the OU where the new accounts will be born.

There are also two bonus tools in the free download, and all 3 have been approved by Microsoft:

  1. Bulk-import new users into Active Directory.
  2. Seek and zap unwanted user accounts.
  3. Find inactive computers.

Download your FREE bulk import tool.

Property Flag Descriptions

  • SCRIPT - The logon script will be run.
  • ACCOUNTDISABLE - The user account is disabled.
  • HOMEDIR_REQUIRED - The home folder is required.
  • PASSWD_NOTREQD - No password is required.
  • PASSWD_CANT_CHANGE - The user cannot change the password. You can read this flag but you cannot set it directly.
  • ENCRYPTED_TEXT_PASSWORD_ALLOWED - The user can send an encrypted password.

    ®
  • TEMP_DUPLICATE_ACCOUNT - This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account.
  • NORMAL_ACCOUNT - This is a default account type that represents a typical user.
  • INTERDOMAIN_TRUST_ACCOUNT - This is a permit to trust an account for a system domain that trusts other domains.
  • WORKSTATION_TRUST_ACCOUNT - This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain.
  • SERVER_TRUST_ACCOUNT - This is a computer account for a domain controller that is a member of this domain.
  • DONT_EXPIRE_PASSWD - Represents the password, which should never expire on the account.
  • MNS_LOGON_ACCOUNT - This is an MNS logon account.
  • SMARTCARD_REQUIRED - When this flag is set, it forces the user to log on by using a smart card.
  • TRUSTED_FOR_DELEGATION - When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
  • NOT_DELEGATED - When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
  • USE_DES_KEY_ONLY - (Windows 2000/Windows Server 2003) Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
  • DONT_REQUIRE_PREAUTH - (Windows 2000/Windows Server 2003) This account does not require Kerberos pre-authentication for logging on.
  • PASSWORD_EXPIRED - (Windows 2000/Windows Server 2003) The user's password has expired.
  • TRUSTED_TO_AUTH_FOR_DELEGATION - (Windows 2000/Windows Server 2003) The account is enabled for delegation. This is a security-sensitive setting. Accounts with this option enabled should be tightly controlled. This setting allows a service that runs under the account to assume a client's identity and authenticate as that user to other remote servers on the network.

Guy Recommends:  A Free Trial of the Network Performance Monitor (NPM)Review of Orion NPM v10

Solarwinds' Orion performance monitor will help you discover what's happening on your network.  This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.

Perhaps the NPM's best feature is the way it suggests solutions to network problems.  Its second best feature is the ability to monitor the health of individual VMWare virtual machines.  If you are interested in troubleshooting, and creating network maps, then I recommend that you take advantage of Solarwinds' offer.

Download a free trial of the Network Performance Monitor.

UserAccountControl Values

These are the default UserAccountControl values for the certain objects:

  • Typical user : 0x200 (512)
  • Domain controller : 0x82000 (532480)
  • Workstation / server: 0x1000 (4096)

Script to put UserAccountControl into practice

I discovered the above values by experimenting with the users' property sheets in Active Directory Users and Computers. What I did was set the check boxes in the Account property tab, then exported with CSVDE -f account.csv.  In truth, I used the - d switch to filter the records so that I only returned users in the Cowbridge OU.

CSVDE -f account.csv -d "ou=cowbridge,dc=cp,dc=com"

Finally, I examined the UserAccountControl column in the spreadsheet, and compared the values with ticks in checkboxes under the Account tab.

Force users to change password at next logon

This is where we put it all together.  A combination of last week's script to set user accounts password, with this week's script to enable the accounts.  Because I want them to change password at next logon, I set the UserAccountControl to be 544.

 

' Set AccPwd.vbs
' VBScript to require users change passwords at next logon
' Author Guy Thomas http://computerperformance.co.uk/
' Version 2.2 - March 21st 2004
' -----------------------------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strLastUser, strDNSDomain, intCounter, intAccValue
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
strContainer = "OU=Cowbridge ,"
intAccValue = 544
strContainer = strContainer & strDNSDomain
set objOU =GetObject("LDAP://" & strContainer )
intCounter = 0
      For each objUser in objOU
          If objUser.class="user" then
          objUser.SetPassword "P@$$er2004"
          objUser.SetInfo
          objUser.Put "userAccountControl", intAccValue
          objUser.SetInfo
          intCounter = intCounter +1
          strLastUser = objUser.Get ("name")
          End if
       next
WScript.Echo intCounter & " Users change pwd next logon.  Value " _
& intAccValue
WScript.Quit

Learning Points

Note 1: intAccValue now changed to 544.

Note 2: We insert last week's method, objUser.SetPassword.

Out Takes - Script with mistakes.

The idea is if you would like to test yourself by correcting a script with mistakes, then try the following script, and see if you can spot the mistakes.  Answers underneath.

 

' Set AccountControl.vbs
' VBScript to enable user accounts in a named OU
' Author Guy Thomas http://computerperformance.co.uk/
' Version 1.3 - March 21st 2004
' -----------------------------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strLastUser, strDNSDomain, intCounter,
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
strContainer = "OU=Cowbridge ,"
intAccValue = 512
strContainer = strContainer & strDNSDomain
set objOU =GetObject("LDAP://" & strContainer )
intCounter = 0
      For each objUser in objOU
          If objUser.class="user" then
          objUser.Put "userAccountControl", intAccValue
          objUser.SetInfo
          intCounter = intCounter +1
          strLastUser = objUser.Get ("name")
          End if
       next
WScript.Echo intCounter & " Accounts Enabled. Value " _
& intAccValue
WScript.Quit

Out Takes - Answers

  • Dim strContainer, strLastUser, strDNSDomain, intCounter,
    Either there should be no comma at the end of the line, or you should add another variable: intAccValue
  • Dim strContainer, strLastUser, strDNSDomain, intCounter, intAccValue

See More Active Directory VBScripts featuring Active Directory

• Create Users  • Ezines  • PowerShell Add Computer  • LDAP Properties  • Free CSVDE Importer

Ezine 23 enable accounts  • UserAccountControl Values  • Ezine 27 Move Computers  • Ezine 42 LDAP

Ezine 44 CSVDE  • PB 55 CSVDE  • Ezine 56 OU  • Ezine 123 Ad Tree  • Ezine 124 Ad Tree  • IPAM

Custom Search

Guy Recommends: WMI Monitor and It's Free!Solarwinds WMI Monitor

Windows Management Instrumentation (WMI) is one of the hidden treasures of Microsoft operating systems.

Fortunately, Solarwinds have created the Free WMI Monitor so that you can actually see and understand these gems of operating system information.  Take the guess work out of which WMI counters to use for scripts.

Download your free copy of WMI Monitor

 

Home Copyright © 1999-2012 Computer Performance LTD All rights reserved

Please report a broken link, or an error.