Complete list of UserAccountValues
Real life usages e.g. UserAccountValue = 514
Explanation of why 514 = 512 [Normal] + 2 [AccountDisable]
Property flag | Hex value | Decimal value
SCRIPT | 0x0001 | 1
ACCOUNTDISABLE | 0x0002 | 2
HOMEDIR_REQUIRED | 0x0008 | 8
LOCKOUT | 0x0010 | 16
PASSWD_NOTREQD | 0x0020 | 32
PASSWD_CANT_CHANGE | 0x0040 | 64
ENCRYPTED_TEXT_PWD_ALLOWED | 0x0080 | 128
TEMP_DUPLICATE_ACCOUNT | 0x0100 | 256
NORMAL_ACCOUNT | 0x0200 | 512
INTERDOMAIN_TRUST_ACCOUNT | 0x0800 | 2048
WORKSTATION_TRUST_ACCOUNT | 0x1000 | 4096
SERVER_TRUST_ACCOUNT | 0x2000 | 8192
DONT_EXPIRE_PASSWORD | 0x10000 | 65536
MNS_LOGON_ACCOUNT | 0x20000 | 131072
SMARTCARD_REQUIRED | 0x40000 | 262144
TRUSTED_FOR_DELEGATION | 0x80000 | 524288
NOT_DELEGATED | 0x100000 | 1048576
USE_DES_KEY_ONLY | 0x200000 | 2097152
DONT_REQ_PREAUTH | 0x400000 | 4194304
PASSWORD_EXPIRED | 0x800000 | 8388608
TRUSTED_TO_AUTH_FOR_DELEGATION | 0x1000000 | 16777216
Explanation - 514 = 512 [Normal] + 2 [AccountDisable]
Property Flag Descriptions
- SCRIPT - The logon script will be run.
- ACCOUNTDISABLE - The user account is disabled.
- HOMEDIR_REQUIRED - The home folder is required.
- PASSWD_NOTREQD - No password is required.
- PASSWD_CANT_CHANGE - The user cannot change the password. You can read this flag but you cannot set it directly.
- ENCRYPTED_TEXT_PASSWORD_ALLOWED - The user can send an encrypted password.
- TEMP_DUPLICATE_ACCOUNT - This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account.
- NORMAL_ACCOUNT - This is a default account type that represents a typical user.
- INTERDOMAIN_TRUST_ACCOUNT - This is a permit to trust an account for a system domain that trusts other domains.
- WORKSTATION_TRUST_ACCOUNT - This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain.
- SERVER_TRUST_ACCOUNT - This is a computer account for a domain controller that is a member of this domain.
- DONT_EXPIRE_PASSWD - The password on this account never expires.
- MNS_LOGON_ACCOUNT - This is an MNS logon account.
- SMARTCARD_REQUIRED - When this flag is set, it forces the user to log on by using a smart card.
- TRUSTED_FOR_DELEGATION - When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
- NOT_DELEGATED - When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
- USE_DES_KEY_ONLY - (Windows 2000/Windows Server 2003) Restricts this principal to Data Encryption Standard (DES) encryption types for keys.
- DONT_REQUIRE_PREAUTH - (Windows 2000/Windows Server 2003) This account does not require Kerberos pre-authentication for logging on.
- PASSWORD_EXPIRED - (Windows 2000/Windows Server 2003) The user's password has expired.
- TRUSTED_TO_AUTH_FOR_DELEGATION - (Windows 2000/Windows Server 2003) The account is enabled for delegation. This is a security-sensitive setting. Accounts with this option enabled should be tightly controlled. This setting allows a service that runs under the account to assume a client's identity and authenticate as that user to other remote servers on the network.
UserAccountControl Values
These are the default UserAccountControl values for certain objects:
- Typical user : 0x200 (512)
- Domain controller : 0x82000 (532480)
- Workstation / server: 0x1000 (4096)
Script to put it into practice.
I discovered the above values by experimenting with the users' property sheets in Active Directory Users and Computers. What I did was set the check boxes in the Account property tab, then exported with CSVDE -f account.csv. In truth, I used the -d switch to filter the records so that I only returned users in the Cowbridge OU.
CSVDE -f account.csv -d "ou=cowbridge,dc=cp,dc=com"
Finally, I examined the UserAccountControl column in the spreadsheet, and compared the values with the ticks in the checkboxes under the Account tab.
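An added example (not from the original page or its author) that puts the table above to work: decode_uac splits a value such as 514 into its flag names, encode_uac builds one from names, and audit_csvde scans a CSVDE-style export for the flags this page describes as weakening authentication or granting delegation. The column layout, account names and values in SAMPLE_EXPORT are constructed for the example; a real CSVDE export carries many more columns.

```python
import csv
import io
# userAccountControl bit flags as listed in the table on this page.
UAC_FLAGS = {
    "SCRIPT": 0x0001, "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008, "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020, "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080, "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200, "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000, "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000, "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000, "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000, "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000, "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
}

# Flags whose descriptions on this page mark them as weakening authentication
# or granting delegation; an auditor wants to see every account that sets one.
RISKY = {"PASSWD_NOTREQD", "DONT_REQ_PREAUTH", "USE_DES_KEY_ONLY",
         "TRUSTED_FOR_DELEGATION", "TRUSTED_TO_AUTH_FOR_DELEGATION"}

def decode_uac(value):
    """Return the flag names set in a userAccountControl integer, e.g. 514."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]

def encode_uac(*names):
    """Combine flag names into the integer written to userAccountControl."""
    return sum(UAC_FLAGS[name] for name in names)

def audit_csvde(csv_text):
    """Map each account in a CSVDE-style export to the risky flags it sets."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        flags = set(decode_uac(int(row["userAccountControl"])))
        # Domain controllers carry TRUSTED_FOR_DELEGATION by default
        # (0x82000 on this page), so they are skipped rather than reported.
        if "SERVER_TRUST_ACCOUNT" in flags:
            continue
        if hits := sorted(flags & RISKY):
            findings[row["name"]] = hits
    return findings

# Constructed sample rows (not a real export) in the shape the audit expects.
SAMPLE_EXPORT = """DN,name,userAccountControl
"CN=alice,OU=cowbridge,DC=cp,DC=com",alice,512
"CN=bob,OU=cowbridge,DC=cp,DC=com",bob,514
"CN=svc-web,OU=cowbridge,DC=cp,DC=com",svc-web,544
"CN=DC1,OU=Domain Controllers,DC=cp,DC=com",DC1,532480
"""
```

Decoding 544 this way shows it is NORMAL_ACCOUNT plus PASSWD_NOTREQD, which is why the audit reports svc-web while the disabled account bob and the domain controller DC1 pass.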
This is where we put it all together: a combination of last week's script to set user account passwords with this week's script to enable the accounts. Because I want them to change password at next logon, I set the UserAccountControl to 544.
' Set AccPwd.vbs
' VBScript to require users change passwords at next logon
' Author Guy Thomas http://computerperformance.co.uk/
' Version 2.2 - March 21st 2004
' -----------------------------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strLastUser, strDNSDomain, intCounter, intAccValue

' Bind to RootDSE to discover the domain naming context, e.g. DC=cp,DC=com
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
strContainer = "OU=Cowbridge,"
intAccValue = 544
strContainer = strContainer & strDNSDomain
Set objOU = GetObject("LDAP://" & strContainer)
intCounter = 0
For Each objUser In objOU
    If objUser.Class = "user" Then
        objUser.SetPassword "P@££er2004"
        objUser.SetInfo
        ' Put replaces the whole userAccountControl value, so any flags
        ' the account already had are overwritten with intAccValue
        objUser.Put "userAccountControl", intAccValue
        objUser.SetInfo
        intCounter = intCounter + 1
        strLastUser = objUser.Get("name")
    End If
Next
WScript.Echo intCounter & " Users change pwd next logon. Value " _
    & intAccValue
WScript.Quit
Learning Points
Note 1: intAccValue now changed to 544.
Note 2: We insert last week's method, objUser.SetPassword.
The idea is that if you would like to test yourself by correcting a script with mistakes, try the following script and see if you can spot the mistakes. Answers underneath.
' Set AccountControl.vbs
' VBScript to enable user accounts in a named OU
' Author Guy Thomas http://computerperformance.co.uk/
' Version 1.3 - March 21st 2004
' -----------------------------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strLastUser, strDNSDomain, intCounter,
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
strContainer = "OU=Cowbridge,"
intAccValue = 512
strContainer = strContainer & strDNSDomain
Set objOU = GetObject("LDAP://" & strContainer)
intCounter = 0
For Each objUser In objOU
    If objUser.Class = "user" Then
        objUser.Put "userAccountControl", intAccValue
        objUser.SetInfo
        intCounter = intCounter + 1
        strLastUser = objUser.Get("name")
    End If
Next
WScript.Echo intCounter & " Accounts Enabled. Value " _
    & intAccValue
WScript.Quit
Out Takes - Answers
- Dim strContainer, strLastUser, strDNSDomain, intCounter,
Either there should be no comma at the end of the line, or you should add another variable: intAccValue
- Dim strContainer, strLastUser, strDNSDomain, intCounter, intAccValue