userAccountControl in Active Directory
Asked Answered
E

4

9

I want to know the current value of the userAccountControl and determine which stage it is in

Ref: http://support.microsoft.com/kb/305144/en-us

According to the above documentation, it should return the values which are 2 to the power N.

But when I run my c# program it returns the value 544 for the normal account and 546 for the disabled account. I suspect that they are decimal numbers. But how I could link back to the values as shown in the reference?

Thanks.

Edelstein answered 19/4, 2012 at 15:51 Comment(0)
P
1
  • 544 = hex 0x220
  • 546 = hex 0x222

According to this list here, this means:

0x200 = normal account
0x020 = passwd_notreqd = password not required
0x002 = account disabled

So

  • a value of 544 (decimal) is 0x220 hex and means: normal account, password not required
  • a value of 546 (decimal) is 0x222 hex and means: normal account, disabled, password not required
Proton answered 19/4, 2012 at 16:4 Comment(0)
F
41

You can easily decode this by converting your result to an enum.

int userAccountControlValue = 544;
UserAccountControl userAccountControl = (UserAccountControl) userAccountControlValue;

// This gets a comma separated string of the flag names that apply.
string userAccountControlFlagNames = userAccountControl.ToString();

// This is how you test for an individual flag.
bool isNormalAccount = (userAccountControl & UserAccountControl.NORMAL_ACCOUNT) == UserAccountControl.NORMAL_ACCOUNT;
bool isAccountDisabled = (userAccountControl & UserAccountControl.ACCOUNTDISABLE) == UserAccountControl.ACCOUNTDISABLE;
bool isAccountLockedOut = (userAccountControl & UserAccountControl.LOCKOUT) == UserAccountControl.LOCKOUT;

Here's the enum definition that you want:

/// <summary>
/// Flags that control the behavior of the user account.
/// </summary>
[Flags()]
public enum UserAccountControl : int
{
    /// <summary>
    /// The logon script is executed. 
    ///</summary>
    SCRIPT = 0x00000001,

    /// <summary>
    /// The user account is disabled. 
    ///</summary>
    ACCOUNTDISABLE = 0x00000002,

    /// <summary>
    /// The home directory is required. 
    ///</summary>
    HOMEDIR_REQUIRED = 0x00000008,

    /// <summary>
    /// The account is currently locked out. 
    ///</summary>
    LOCKOUT = 0x00000010,

    /// <summary>
    /// No password is required. 
    ///</summary>
    PASSWD_NOTREQD = 0x00000020,

    /// <summary>
    /// The user cannot change the password. 
    ///</summary>
    /// <remarks>
    /// Note:  You cannot assign the permission settings of PASSWD_CANT_CHANGE by directly modifying the UserAccountControl attribute. 
    /// For more information and a code example that shows how to prevent a user from changing the password, see User Cannot Change Password.
    // </remarks>
    PASSWD_CANT_CHANGE = 0x00000040,

    /// <summary>
    /// The user can send an encrypted password. 
    ///</summary>
    ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x00000080,

    /// <summary>
    /// This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not 
    /// to any domain that trusts this domain. Also known as a local user account. 
    ///</summary>
    TEMP_DUPLICATE_ACCOUNT = 0x00000100,

    /// <summary>
    /// This is a default account type that represents a typical user. 
    ///</summary>
    NORMAL_ACCOUNT = 0x00000200,

    /// <summary>
    /// This is a permit to trust account for a system domain that trusts other domains. 
    ///</summary>
    INTERDOMAIN_TRUST_ACCOUNT = 0x00000800,

    /// <summary>
    /// This is a computer account for a computer that is a member of this domain. 
    ///</summary>
    WORKSTATION_TRUST_ACCOUNT = 0x00001000,

    /// <summary>
    /// This is a computer account for a system backup domain controller that is a member of this domain. 
    ///</summary>
    SERVER_TRUST_ACCOUNT = 0x00002000,

    /// <summary>
    /// Not used. 
    ///</summary>
    Unused1 = 0x00004000,

    /// <summary>
    /// Not used. 
    ///</summary>
    Unused2 = 0x00008000,

    /// <summary>
    /// The password for this account will never expire. 
    ///</summary>
    DONT_EXPIRE_PASSWD = 0x00010000,

    /// <summary>
    /// This is an MNS logon account. 
    ///</summary>
    MNS_LOGON_ACCOUNT = 0x00020000,

    /// <summary>
    /// The user must log on using a smart card. 
    ///</summary>
    SMARTCARD_REQUIRED = 0x00040000,

    /// <summary>
    /// The service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service 
    /// can impersonate a client requesting the service. 
    ///</summary>
    TRUSTED_FOR_DELEGATION = 0x00080000,

    /// <summary>
    /// The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation. 
    ///</summary>
    NOT_DELEGATED = 0x00100000,

    /// <summary>
    /// Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys. 
    ///</summary>
    USE_DES_KEY_ONLY = 0x00200000,

    /// <summary>
    /// This account does not require Kerberos pre-authentication for logon. 
    ///</summary>
    DONT_REQUIRE_PREAUTH = 0x00400000,

    /// <summary>
    /// The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the domain policy. 
    ///</summary>
    PASSWORD_EXPIRED = 0x00800000,

    /// <summary>
    /// The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly 
    /// controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to 
    /// other remote servers on the network.
    ///</summary>
    TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000,

    /// <summary>
    /// 
    /// </summary>
    PARTIAL_SECRETS_ACCOUNT = 0x04000000,

    /// <summary>
    /// 
    /// </summary>
    USE_AES_KEYS = 0x08000000
}
Ferreira answered 19/4, 2012 at 16:19 Comment(5)
When testing the flags, an alternate, slightly less verbose, but functionally equivalent syntax is: bool isNormalAccount = (userAccountControl & UserAccountControl.NORMAL_ACCOUNT) > 0;Selfsupport
@TawabWakil If you're going to use to do this use != 0 rather than > 0. There are some scenarios under which testing for > 0 could be problematic. Other than that, you are correct. You can do this without repeating the flag on the right side of the comparison. I do it for consistency and readability.Ferreira
I can't think of a scenario in the OP's context where it would be problematic, but using != 0 doesn't hurt.Selfsupport
does the enum definition should be uint ? ( instead of int )Wickman
What happens if a new flag is added by Microsoft here due to some new flag being introduced? Then the enum parsing would fail, would not it? Thus, this seems kinda unsafe for production use or you would have to implement some other safety measures?Nagano
R
5

Its a bitmap. Each bit in a word is either ON or OFF (0 or 1). Its not really a number its more like a row of switches, each one on or off. Operating systems use them internally because they can manipulate them very quickly by logically comparing them to bitmasks.

The LDIF representation of the attribute can show the result as a decimal number (equivalent to the binary mumber that would be represented by the mask if it was a number - it isn't really!) And its pretty easy to decode, because basically its made by adding some powers of 2 together.

For example:

  512 = normal account
  514 = 512 + 2 = normal account, disabled
  546 = 512 + 32 + 2 = normal account, disabled, no password required
 2080 = 2048 + 32 = Interdomain trust, no password required
66048 = 65536 + 512 = normal account. password never expires
66050 = 65536 + 512 + 2 = normal account. password never expires, disabled
66080 = 65536 + 512 + 32 = normal account. password never expires, no password required
Rubefaction answered 18/6, 2013 at 15:50 Comment(0)
P
1
  • 544 = hex 0x220
  • 546 = hex 0x222

According to this list here, this means:

0x200 = normal account
0x020 = passwd_notreqd = password not required
0x002 = account disabled

So

  • a value of 544 (decimal) is 0x220 hex and means: normal account, password not required
  • a value of 546 (decimal) is 0x222 hex and means: normal account, disabled, password not required
Proton answered 19/4, 2012 at 16:4 Comment(0)
C
0

Python function to decode Active Directory userAccountControl.

  1. define a dictionary with all the defined combination. (ref. Microsoft)

    uac_decode_dict = {"0x0001": "SCRIPT",
                   "0x0002": "ACCOUNTDISABLE",
                   "0x0008": "HOMEDIR_REQUIRED",
                   "0x0010": "LOCKOUT",
                   "0x0020": "PASSWD_NOTREQD",
                   "0x0040": "PASSWD_CANT_CHANGE",
                   "0x0080": "ENCRYPTED_TEXT_PWD_ALLOWED",
                   "0x0100": "TEMP_DUPLICATE_ACCOUNT",
                   "0x0200": "NORMAL_ACCOUNT",
                   "0x0800": "INTERDOMAIN_TRUST_ACCOUNT",
                   "0x1000": "WORKSTATION_TRUST_ACCOUNT",
                   "0x2000": "SERVER_TRUST_ACCOUNT",
                   "0x10000": "DONT_EXPIRE_PASSWORD",
                   "0x20000": "MNS_LOGON_ACCOUNT",
                   "0x40000": "SMARTCARD_REQUIRED",
                   "0x80000": "TRUSTED_FOR_DELEGATION",
                   "0x100000": "NOT_DELEGATED",
                   "0x200000": "USE_DES_KEY_ONLY",
                   "0x400000": "DONT_REQ_PREAUTH",
                   "0x800000": "PASSWORD_EXPIRED",
                   "0x1000000": "TRUSTED_TO_AUTH_FOR_DELEGATION",
                   "0x04000000": "PARTIAL_SECRETS_ACCOUNT"}
    
    
  2. define a function to decode the UAC value

    def decode_uac(_uac):
    #
    # Decode the userAccountControl value.
    #
    
    global uac_decode_dict
    
    _translatedUAC = ""
    _hex_uac = hex(_uac)
    
    _hu_work = _hex_uac[2:]
    _x = 0
    for _hu in _hu_work[::-1]:
        _x += 1
        _hu_tmp = ""
        if _hu != "0":
            _hu_tmp = _hu.ljust(_x, "0")
            if len(_hu_tmp) <= 3:
                _hu_tmp = "".ljust(4 - _x, "0") + _hu_tmp
            _hu_key = r"0x" + _hu_tmp
            if _hu_key in uac_decode_dict.keys():
                if _translatedUAC == "":
                    _translatedUAC += uac_decode_dict[_hu_key]
                else:
                    _translatedUAC += " - " + uac_decode_dict[_hu_key]
            else:
                print("Invalid userAccountControl key: " + str(_hu_key) + ". Values dec: " + str(_uac) + " hex: " + _hex_uac)
                _translatedUAC += " - Error "
    
    return _translatedUAC
    
  3. call the function passing the userAccountControl as an Integer

    result = decode_uac(int(_userAccountControl))
    
Classical answered 3/10, 2021 at 11:6 Comment(0)

© 2022 - 2025 — McMap. All rights reserved.